Auto commit, 1 new patch{es}.
e291ad5d
PK
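diff -urNp linux-2.6.32.48/arch/alpha/include/asm/elf.h linux-2.6.32.48/arch/alpha/include/asm/elf.h
--- linux-2.6.32.48/arch/alpha/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/alpha/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
 
 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
 
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
+
+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
+#endif
+
 /* $0 is set by ld.so to a pointer to a function which might be
 registered using atexit. This provides a mean for the dynamic
 linker to call DT_FINI functions for shared libraries that have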
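diff -urNp linux-2.6.32.48/arch/alpha/include/asm/pgtable.h linux-2.6.32.48/arch/alpha/include/asm/pgtable.h
--- linux-2.6.32.48/arch/alpha/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/alpha/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
@@ -101,6 +101,17 @@ struct vm_area_struct;
 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
+
+#ifdef CONFIG_PAX_PAGEEXEC
+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
+#else
+# define PAGE_SHARED_NOEXEC PAGE_SHARED
+# define PAGE_COPY_NOEXEC PAGE_COPY
+# define PAGE_READONLY_NOEXEC PAGE_READONLY
+#endif
+
 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
 
 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))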
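diff -urNp linux-2.6.32.48/arch/alpha/kernel/module.c linux-2.6.32.48/arch/alpha/kernel/module.c
--- linux-2.6.32.48/arch/alpha/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/alpha/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
@@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
 
 /* The small sections were sorted to the end of the segment.
 The following should definitely cover them. */
- gp = (u64)me->module_core + me->core_size - 0x8000;
+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
 got = sechdrs[me->arch.gotsecindex].sh_addr;
 
 for (i = 0; i < n; i++) {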
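diff -urNp linux-2.6.32.48/arch/alpha/kernel/osf_sys.c linux-2.6.32.48/arch/alpha/kernel/osf_sys.c
--- linux-2.6.32.48/arch/alpha/kernel/osf_sys.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/alpha/kernel/osf_sys.c 2011-11-15 19:59:42.000000000 -0500
@@ -1172,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
 /* At this point: (!vma || addr < vma->vm_end). */
 if (limit - len < addr)
 return -ENOMEM;
- if (!vma || addr + len <= vma->vm_start)
+ if (check_heap_stack_gap(vma, addr, len))
 return addr;
 addr = vma->vm_end;
 vma = vma->vm_next;
@@ -1208,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
 merely specific addresses, but regions of memory -- perhaps
 this feature should be incorporated into all ports? */
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
+
 if (addr) {
 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
 if (addr != (unsigned long) -ENOMEM)
@@ -1215,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
 }
 
 /* Next, try allocating at TASK_UNMAPPED_BASE. */
- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
- len, limit);
+ addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
+
 if (addr != (unsigned long) -ENOMEM)
 return addr;
 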
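Review bot: In arch_get_unmapped_area_1 the new `if (check_heap_stack_gap(vma, addr, len))` replaces a test that began with `!vma ||`, while the next line still runs `addr = vma->vm_end;`, so the loop is only safe if the helper returns non-zero for a NULL vma. The helper is defined outside this page, so that contract cannot be confirmed here; a comment at the call such as `/* check_heap_stack_gap() must return true when vma is NULL */`, or keeping the explicit `!vma ||`, would make it checkable locally. The same substitution for a `!vma ||` test appears in arch/arm/mm/mmap.c and in the first hunk of arch/frv/mm/elf-fdpic.c. Both functions in this file continue outside their hunks.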
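diff -urNp linux-2.6.32.48/arch/alpha/mm/fault.c linux-2.6.32.48/arch/alpha/mm/fault.c
--- linux-2.6.32.48/arch/alpha/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/alpha/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
@@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
 __reload_thread(pcb);
 }
 
+#ifdef CONFIG_PAX_PAGEEXEC
+/*
+ * PaX: decide what to do with offenders (regs->pc = fault address)
+ *
+ * returns 1 when task should be killed
+ * 2 when patched PLT trampoline was detected
+ * 3 when unpatched PLT trampoline was detected
+ */
+static int pax_handle_fetch_fault(struct pt_regs *regs)
+{
+
+#ifdef CONFIG_PAX_EMUPLT
+ int err;
+
+ do { /* PaX: patched PLT emulation #1 */
+ unsigned int ldah, ldq, jmp;
+
+ err = get_user(ldah, (unsigned int *)regs->pc);
+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
+
+ if (err)
+ break;
+
+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
+ jmp == 0x6BFB0000U)
+ {
+ unsigned long r27, addr;
+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
+
+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
+ err = get_user(r27, (unsigned long *)addr);
+ if (err)
+ break;
+
+ regs->r27 = r27;
+ regs->pc = r27;
+ return 2;
+ }
+ } while (0);
+
+ do { /* PaX: patched PLT emulation #2 */
+ unsigned int ldah, lda, br;
+
+ err = get_user(ldah, (unsigned int *)regs->pc);
+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
+ err |= get_user(br, (unsigned int *)(regs->pc+8));
+
+ if (err)
+ break;
+
+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
+ (br & 0xFFE00000U) == 0xC3E00000U)
+ {
+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
+
+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
+ return 2;
+ }
+ } while (0);
+
+ do { /* PaX: unpatched PLT emulation */
+ unsigned int br;
+
+ err = get_user(br, (unsigned int *)regs->pc);
+
+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
+ unsigned int br2, ldq, nop, jmp;
+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
+
+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
+ err = get_user(br2, (unsigned int *)addr);
+ err |= get_user(ldq, (unsigned int *)(addr+4));
+ err |= get_user(nop, (unsigned int *)(addr+8));
+ err |= get_user(jmp, (unsigned int *)(addr+12));
+ err |= get_user(resolver, (unsigned long *)(addr+16));
+
+ if (err)
+ break;
+
+ if (br2 == 0xC3600000U &&
+ ldq == 0xA77B000CU &&
+ nop == 0x47FF041FU &&
+ jmp == 0x6B7B0000U)
+ {
+ regs->r28 = regs->pc+4;
+ regs->r27 = addr+16;
+ regs->pc = resolver;
+ return 3;
+ }
+ }
+ } while (0);
+#endif
+
+ return 1;
+}
+
+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
+{
+ unsigned long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 5; i++) {
+ unsigned int c;
+ if (get_user(c, (unsigned int *)pc+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%08x ", c);
+ }
+ printk("\n");
+}
+#endif
 
 /*
 * This routine handles page faults. It determines the address,
@@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
 good_area:
 si_code = SEGV_ACCERR;
 if (cause < 0) {
- if (!(vma->vm_flags & VM_EXEC))
+ if (!(vma->vm_flags & VM_EXEC)) {
+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
+ goto bad_area;
+
+ up_read(&mm->mmap_sem);
+ switch (pax_handle_fetch_fault(regs)) {
+
+#ifdef CONFIG_PAX_EMUPLT
+ case 2:
+ case 3:
+ return;
+#endif
+
+ }
+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
+ do_group_exit(SIGKILL);
+#else
 goto bad_area;
+#endif
+
+ }
 } else if (!cause) {
 /* Allow reads even for write-only mappings */
 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))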
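Review bot: In pax_handle_fetch_fault, "patched PLT emulation #2" matches the word it names `lda` against `0xA77B0000U`, the same pattern emulation #1 uses for `ldq`, yet the branch then does pure address arithmetic (`regs->r27 += ...`) with no load. By the Alpha memory-format encoding an `lda $27,x($27)` would be `0x237B0000`, so either the constant or the variable name looks wrong; this is inferred from the instruction encoding and should be confirmed against the PLT sequence the toolchain actually emits. Separately, the return codes 1/2/3 are explained only in the header comment and reappear as bare `case 2:` / `case 3:` in the do_page_fault hunk; named constants would keep the two in step. do_page_fault starts and ends outside its hunk.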
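diff -urNp linux-2.6.32.48/arch/arm/include/asm/elf.h linux-2.6.32.48/arch/arm/include/asm/elf.h
--- linux-2.6.32.48/arch/arm/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
@@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
 the loader. We need to make sure that it is out of the way of the program
 that it will "exec", and that there is sufficient room for the brk. */
 
-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
+
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
+
+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
+#endif
 
 /* When the program starts, a1 contains a pointer to a function to be
 registered with atexit, as per the SVR4 ABI. A value of 0 means we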
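Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole of `current->personality` with `PER_LINUX_32BIT` using `==`, so a task that has any additional personality flag bits set falls through to the smaller value 10 instead of 16. The alpha versions of these macros on this page test a single bit with `&`; if the intent here is also to key on the 32-bit address limit, `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` would not be affected by unrelated flags. A one-line comment saying what the LEN values count (presumably bits of randomisation, which the page never states) would help reviewers judge the fallback.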
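diff -urNp linux-2.6.32.48/arch/arm/include/asm/kmap_types.h linux-2.6.32.48/arch/arm/include/asm/kmap_types.h
--- linux-2.6.32.48/arch/arm/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
@@ -19,6 +19,7 @@ enum km_type {
 KM_SOFTIRQ0,
 KM_SOFTIRQ1,
 KM_L2_CACHE,
+ KM_CLEARPAGE,
 KM_TYPE_NR
 };
 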
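diff -urNp linux-2.6.32.48/arch/arm/include/asm/uaccess.h linux-2.6.32.48/arch/arm/include/asm/uaccess.h
--- linux-2.6.32.48/arch/arm/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
@@ -22,6 +22,8 @@
 #define VERIFY_READ 0
 #define VERIFY_WRITE 1
 
+extern void check_object_size(const void *ptr, unsigned long n, bool to);
+
 /*
 * The exception table consists of pairs of addresses: the first is the
 * address of an instruction that is allowed to fault, and the second is
@@ -387,8 +389,23 @@ do { \
 
 
 #ifdef CONFIG_MMU
-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
+extern unsigned long __must_check ___copy_from_user(void *to, const void __user *from, unsigned long n);
+extern unsigned long __must_check ___copy_to_user(void __user *to, const void *from, unsigned long n);
+
+static inline unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n)
+{
+ if (!__builtin_constant_p(n))
+ check_object_size(to, n, false);
+ return ___copy_from_user(to, from, n);
+}
+
+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
+{
+ if (!__builtin_constant_p(n))
+ check_object_size(from, n, true);
+ return ___copy_to_user(to, from, n);
+}
+
 extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
 extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
 extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
@@ -403,6 +420,9 @@ extern unsigned long __must_check __strn
 
 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_READ, from, n))
 n = __copy_from_user(to, from, n);
 else /* security hole - plug it */
@@ -412,6 +432,9 @@ static inline unsigned long __must_check
 
 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 if (access_ok(VERIFY_WRITE, to, n))
 n = __copy_to_user(to, from, n);
 return n;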
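Review bot: The new `if ((long)n < 0) return n;` guards in copy_from_user and copy_to_user carry no comment, and the cast hides what is being rejected: any length above LONG_MAX, which in practice means a negative value that was converted to unsigned long. Writing the test as `n > LONG_MAX` with a line such as `/* top bit set: a sign-converted negative length, copy nothing */` would make that explicit. In copy_from_user the early return also bypasses the existing `else` branch marked "security hole - plug it", whose body lies outside the hunk, so the destination is left untouched on this path; that is worth stating for callers that ignore the return value. The `bool to` parameter of check_object_size is a direction flag but shares its name with the destination pointer in the wrappers; `to_user` would read better.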
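diff -urNp linux-2.6.32.48/arch/arm/kernel/armksyms.c linux-2.6.32.48/arch/arm/kernel/armksyms.c
--- linux-2.6.32.48/arch/arm/kernel/armksyms.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/kernel/armksyms.c 2011-11-15 19:59:42.000000000 -0500
@@ -118,8 +118,8 @@ EXPORT_SYMBOL(__strncpy_from_user);
 #ifdef CONFIG_MMU
 EXPORT_SYMBOL(copy_page);
 
-EXPORT_SYMBOL(__copy_from_user);
-EXPORT_SYMBOL(__copy_to_user);
+EXPORT_SYMBOL(___copy_from_user);
+EXPORT_SYMBOL(___copy_to_user);
 EXPORT_SYMBOL(__clear_user);
 
 EXPORT_SYMBOL(__get_user_1);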
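diff -urNp linux-2.6.32.48/arch/arm/kernel/kgdb.c linux-2.6.32.48/arch/arm/kernel/kgdb.c
--- linux-2.6.32.48/arch/arm/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
@@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
 * and we handle the normal undef case within the do_undefinstr
 * handler.
 */
-struct kgdb_arch arch_kgdb_ops = {
+const struct kgdb_arch arch_kgdb_ops = {
 #ifndef __ARMEB__
 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
 #else /* ! __ARMEB__ */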
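diff -urNp linux-2.6.32.48/arch/arm/kernel/traps.c linux-2.6.32.48/arch/arm/kernel/traps.c
--- linux-2.6.32.48/arch/arm/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
@@ -247,6 +247,8 @@ static void __die(const char *str, int e
 
 DEFINE_SPINLOCK(die_lock);
 
+extern void gr_handle_kernel_exploit(void);
+
 /*
 * This function is protected against re-entrancy.
 */
@@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
 if (panic_on_oops)
 panic("Fatal exception");
 
+ gr_handle_kernel_exploit();
+
 do_exit(SIGSEGV);
 }
 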
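Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in traps.c instead of coming from a shared header, so nothing ties this prototype to the definition if the signature ever changes. The call in die() also sits after `if (panic_on_oops) panic("Fatal exception");`, so it runs only on the non-panic path; if that ordering is deliberate, a comment such as `/* only reached when panic_on_oops is clear */` would record it. die() begins before the hunk, so what state it holds at this point is not visible here.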
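diff -urNp linux-2.6.32.48/arch/arm/lib/copy_from_user.S linux-2.6.32.48/arch/arm/lib/copy_from_user.S
--- linux-2.6.32.48/arch/arm/lib/copy_from_user.S 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/lib/copy_from_user.S 2011-11-15 19:59:42.000000000 -0500
@@ -16,7 +16,7 @@
 /*
 * Prototype:
 *
- * size_t __copy_from_user(void *to, const void *from, size_t n)
+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
 *
 * Purpose:
 *
@@ -84,11 +84,11 @@
 
 .text
 
-ENTRY(__copy_from_user)
+ENTRY(___copy_from_user)
 
 #include "copy_template.S"
 
-ENDPROC(__copy_from_user)
+ENDPROC(___copy_from_user)
 
 .section .fixup,"ax"
 .align 0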
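diff -urNp linux-2.6.32.48/arch/arm/lib/copy_to_user.S linux-2.6.32.48/arch/arm/lib/copy_to_user.S
--- linux-2.6.32.48/arch/arm/lib/copy_to_user.S 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/lib/copy_to_user.S 2011-11-15 19:59:42.000000000 -0500
@@ -16,7 +16,7 @@
 /*
 * Prototype:
 *
- * size_t __copy_to_user(void *to, const void *from, size_t n)
+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
 *
 * Purpose:
 *
@@ -88,11 +88,11 @@
 .text
 
 ENTRY(__copy_to_user_std)
-WEAK(__copy_to_user)
+WEAK(___copy_to_user)
 
 #include "copy_template.S"
 
-ENDPROC(__copy_to_user)
+ENDPROC(___copy_to_user)
 
 .section .fixup,"ax"
 .align 0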
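diff -urNp linux-2.6.32.48/arch/arm/lib/uaccess.S linux-2.6.32.48/arch/arm/lib/uaccess.S
--- linux-2.6.32.48/arch/arm/lib/uaccess.S 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/lib/uaccess.S 2011-11-15 19:59:42.000000000 -0500
@@ -19,7 +19,7 @@
 
 #define PAGE_SHIFT 12
 
-/* Prototype: int __copy_to_user(void *to, const char *from, size_t n)
+/* Prototype: int ___copy_to_user(void *to, const char *from, size_t n)
 * Purpose : copy a block to user memory from kernel memory
 * Params : to - user memory
 * : from - kernel memory
@@ -39,7 +39,7 @@ USER( strgtbt r3, [r0], #1) @ May fau
 sub r2, r2, ip
 b .Lc2u_dest_aligned
 
-ENTRY(__copy_to_user)
+ENTRY(___copy_to_user)
 stmfd sp!, {r2, r4 - r7, lr}
 cmp r2, #4
 blt .Lc2u_not_enough
@@ -277,14 +277,14 @@ USER( strgebt r3, [r0], #1) @ May fau
 ldrgtb r3, [r1], #0
 USER( strgtbt r3, [r0], #1) @ May fault
 b .Lc2u_finished
-ENDPROC(__copy_to_user)
+ENDPROC(___copy_to_user)
 
 .section .fixup,"ax"
 .align 0
 9001: ldmfd sp!, {r0, r4 - r7, pc}
 .previous
 
-/* Prototype: unsigned long __copy_from_user(void *to,const void *from,unsigned long n);
+/* Prototype: unsigned long ___copy_from_user(void *to,const void *from,unsigned long n);
 * Purpose : copy a block from user memory to kernel memory
 * Params : to - kernel memory
 * : from - user memory
@@ -303,7 +303,7 @@ USER( ldrgtbt r3, [r1], #1) @ May fau
 sub r2, r2, ip
 b .Lcfu_dest_aligned
 
-ENTRY(__copy_from_user)
+ENTRY(___copy_from_user)
 stmfd sp!, {r0, r2, r4 - r7, lr}
 cmp r2, #4
 blt .Lcfu_not_enough
@@ -543,7 +543,7 @@ USER( ldrgebt r3, [r1], #1) @ May fau
 USER( ldrgtbt r3, [r1], #1) @ May fault
 strgtb r3, [r0], #1
 b .Lcfu_finished
-ENDPROC(__copy_from_user)
+ENDPROC(___copy_from_user)
 
 .section .fixup,"ax"
 .align 0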
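diff -urNp linux-2.6.32.48/arch/arm/lib/uaccess_with_memcpy.c linux-2.6.32.48/arch/arm/lib/uaccess_with_memcpy.c
--- linux-2.6.32.48/arch/arm/lib/uaccess_with_memcpy.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/lib/uaccess_with_memcpy.c 2011-11-15 19:59:42.000000000 -0500
@@ -97,7 +97,7 @@ out:
 }
 
 unsigned long
-__copy_to_user(void __user *to, const void *from, unsigned long n)
+___copy_to_user(void __user *to, const void *from, unsigned long n)
 {
 /*
 * This test is stubbed out of the main function above to keep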
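diff -urNp linux-2.6.32.48/arch/arm/mach-at91/pm.c linux-2.6.32.48/arch/arm/mach-at91/pm.c
--- linux-2.6.32.48/arch/arm/mach-at91/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-at91/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -348,7 +348,7 @@ static void at91_pm_end(void)
 }
 
 
-static struct platform_suspend_ops at91_pm_ops ={
+static const struct platform_suspend_ops at91_pm_ops ={
 .valid = at91_pm_valid_state,
 .begin = at91_pm_begin,
 .enter = at91_pm_enter,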
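diff -urNp linux-2.6.32.48/arch/arm/mach-omap1/pm.c linux-2.6.32.48/arch/arm/mach-omap1/pm.c
--- linux-2.6.32.48/arch/arm/mach-omap1/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-omap1/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
 
 
 
-static struct platform_suspend_ops omap_pm_ops ={
+static const struct platform_suspend_ops omap_pm_ops ={
 .prepare = omap_pm_prepare,
 .enter = omap_pm_enter,
 .finish = omap_pm_finish,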
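diff -urNp linux-2.6.32.48/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.48/arch/arm/mach-omap2/pm24xx.c
--- linux-2.6.32.48/arch/arm/mach-omap2/pm24xx.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-omap2/pm24xx.c 2011-11-15 19:59:42.000000000 -0500
@@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
 enable_hlt();
 }
 
-static struct platform_suspend_ops omap_pm_ops = {
+static const struct platform_suspend_ops omap_pm_ops = {
 .prepare = omap2_pm_prepare,
 .enter = omap2_pm_enter,
 .finish = omap2_pm_finish,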
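diff -urNp linux-2.6.32.48/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.48/arch/arm/mach-omap2/pm34xx.c
--- linux-2.6.32.48/arch/arm/mach-omap2/pm34xx.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-omap2/pm34xx.c 2011-11-15 19:59:42.000000000 -0500
@@ -401,7 +401,7 @@ static void omap3_pm_end(void)
 return;
 }
 
-static struct platform_suspend_ops omap_pm_ops = {
+static const struct platform_suspend_ops omap_pm_ops = {
 .begin = omap3_pm_begin,
 .end = omap3_pm_end,
 .prepare = omap3_pm_prepare,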
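diff -urNp linux-2.6.32.48/arch/arm/mach-pnx4008/pm.c linux-2.6.32.48/arch/arm/mach-pnx4008/pm.c
--- linux-2.6.32.48/arch/arm/mach-pnx4008/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-pnx4008/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
 (state == PM_SUSPEND_MEM);
 }
 
-static struct platform_suspend_ops pnx4008_pm_ops = {
+static const struct platform_suspend_ops pnx4008_pm_ops = {
 .enter = pnx4008_pm_enter,
 .valid = pnx4008_pm_valid,
 };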
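diff -urNp linux-2.6.32.48/arch/arm/mach-pxa/pm.c linux-2.6.32.48/arch/arm/mach-pxa/pm.c
--- linux-2.6.32.48/arch/arm/mach-pxa/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-pxa/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -95,7 +95,7 @@ void pxa_pm_finish(void)
 pxa_cpu_pm_fns->finish();
 }
 
-static struct platform_suspend_ops pxa_pm_ops = {
+static const struct platform_suspend_ops pxa_pm_ops = {
 .valid = pxa_pm_valid,
 .enter = pxa_pm_enter,
 .prepare = pxa_pm_prepare,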
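diff -urNp linux-2.6.32.48/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.48/arch/arm/mach-pxa/sharpsl_pm.c
--- linux-2.6.32.48/arch/arm/mach-pxa/sharpsl_pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-pxa/sharpsl_pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
 }
 
 #ifdef CONFIG_PM
-static struct platform_suspend_ops sharpsl_pm_ops = {
+static const struct platform_suspend_ops sharpsl_pm_ops = {
 .prepare = pxa_pm_prepare,
 .finish = pxa_pm_finish,
 .enter = corgi_pxa_pm_enter,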
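diff -urNp linux-2.6.32.48/arch/arm/mach-sa1100/pm.c linux-2.6.32.48/arch/arm/mach-sa1100/pm.c
--- linux-2.6.32.48/arch/arm/mach-sa1100/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mach-sa1100/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
 return virt_to_phys(sp);
 }
 
-static struct platform_suspend_ops sa11x0_pm_ops = {
+static const struct platform_suspend_ops sa11x0_pm_ops = {
 .enter = sa11x0_pm_enter,
 .valid = suspend_valid_only_mem,
 };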
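diff -urNp linux-2.6.32.48/arch/arm/mm/fault.c linux-2.6.32.48/arch/arm/mm/fault.c
--- linux-2.6.32.48/arch/arm/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
@@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
 }
 #endif
 
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (fsr & FSR_LNX_PF) {
+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
+ do_group_exit(SIGKILL);
+ }
+#endif
+
 tsk->thread.address = addr;
 tsk->thread.error_code = fsr;
 tsk->thread.trap_no = 14;
@@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
 }
 #endif /* CONFIG_MMU */
 
+#ifdef CONFIG_PAX_PAGEEXEC
+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
+{
+ long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
+ if (get_user(c, (__force unsigned char __user *)pc+i))
+ printk(KERN_CONT "?? ");
+ else
+ printk(KERN_CONT "%02x ", c);
+ }
+ printk("\n");
+
+ printk(KERN_ERR "PAX: bytes at SP-4: ");
+ for (i = -1; i < 20; i++) {
+ unsigned long c;
+ if (get_user(c, (__force unsigned long __user *)sp+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%08lx ", c);
+ }
+ printk("\n");
+}
+#endif
+
 /*
 * First Level Translation Fault Handler
 *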
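Review bot: The block added to __do_user_fault kills the task on `fsr & FSR_LNX_PF` whenever CONFIG_PAX_PAGEEXEC is built in, without consulting the per-mm flag; the alpha and avr32 fault handlers on this page both test `mm->pax_flags & MF_PAX_PAGEEXEC` before calling pax_report_fault. If the per-task setting is meant to apply on ARM as well, the condition should include it, for example `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`. The start of __do_user_fault is outside the hunk, so whether `tsk->mm` is the right handle at this point needs checking against the full function.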
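diff -urNp linux-2.6.32.48/arch/arm/mm/mmap.c linux-2.6.32.48/arch/arm/mm/mmap.c
--- linux-2.6.32.48/arch/arm/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
@@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
 if (len > TASK_SIZE)
 return -ENOMEM;
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
+
 if (addr) {
 if (do_align)
 addr = COLOUR_ALIGN(addr, pgoff);
@@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
 addr = PAGE_ALIGN(addr);
 
 vma = find_vma(mm, addr);
- if (TASK_SIZE - len >= addr &&
- (!vma || addr + len <= vma->vm_start))
+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
 return addr;
 }
 if (len > mm->cached_hole_size) {
- start_addr = addr = mm->free_area_cache;
+ start_addr = addr = mm->free_area_cache;
 } else {
- start_addr = addr = TASK_UNMAPPED_BASE;
- mm->cached_hole_size = 0;
+ start_addr = addr = mm->mmap_base;
+ mm->cached_hole_size = 0;
 }
 
 full_search:
@@ -94,14 +97,14 @@ full_search:
 * Start a new search - just in case we missed
 * some holes.
 */
- if (start_addr != TASK_UNMAPPED_BASE) {
- start_addr = addr = TASK_UNMAPPED_BASE;
+ if (start_addr != mm->mmap_base) {
+ start_addr = addr = mm->mmap_base;
 mm->cached_hole_size = 0;
 goto full_search;
 }
 return -ENOMEM;
 }
- if (!vma || addr + len <= vma->vm_start) {
+ if (check_heap_stack_gap(vma, addr, len)) {
 /*
 * Remember the place where we stopped the search:
 */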
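Review bot: The added `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` leaves an `if` with no body of its own, which takes the following `if (addr) {` block as its statement across a blank line. Any statement later inserted between the two would silently become the guarded one instead, and the address-hint path would run unconditionally again. A comment at the `#endif` such as `/* guards the if (addr) block below: the hint is skipped under RANDMMAP */`, or folding the flag test into the `if (addr)` condition, would make the coupling visible. The same construct is added in arch/alpha/kernel/osf_sys.c; arch_get_unmapped_area starts and ends outside these hunks.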
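diff -urNp linux-2.6.32.48/arch/arm/plat-s3c/pm.c linux-2.6.32.48/arch/arm/plat-s3c/pm.c
--- linux-2.6.32.48/arch/arm/plat-s3c/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/arm/plat-s3c/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
 s3c_pm_check_cleanup();
 }
 
-static struct platform_suspend_ops s3c_pm_ops = {
+static const struct platform_suspend_ops s3c_pm_ops = {
 .enter = s3c_pm_enter,
 .prepare = s3c_pm_prepare,
 .finish = s3c_pm_finish,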
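diff -urNp linux-2.6.32.48/arch/avr32/include/asm/elf.h linux-2.6.32.48/arch/avr32/include/asm/elf.h
--- linux-2.6.32.48/arch/avr32/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/avr32/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
@@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
 the loader. We need to make sure that it is out of the way of the program
 that it will "exec", and that there is sufficient room for the brk. */
 
-#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
 
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
+
+#define PAX_DELTA_MMAP_LEN 15
+#define PAX_DELTA_STACK_LEN 15
+#endif
 
 /* This yields a mask that user programs can use to figure out what
 instruction set this CPU supports. This could be done in user space,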
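diff -urNp linux-2.6.32.48/arch/avr32/include/asm/kmap_types.h linux-2.6.32.48/arch/avr32/include/asm/kmap_types.h
--- linux-2.6.32.48/arch/avr32/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/avr32/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
@@ -22,7 +22,8 @@ D(10) KM_IRQ0,
 D(11) KM_IRQ1,
 D(12) KM_SOFTIRQ0,
 D(13) KM_SOFTIRQ1,
-D(14) KM_TYPE_NR
+D(14) KM_CLEARPAGE,
+D(15) KM_TYPE_NR
 };
 
 #undef D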
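diff -urNp linux-2.6.32.48/arch/avr32/mach-at32ap/pm.c linux-2.6.32.48/arch/avr32/mach-at32ap/pm.c
--- linux-2.6.32.48/arch/avr32/mach-at32ap/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/avr32/mach-at32ap/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -176,7 +176,7 @@ out:
 return 0;
 }
 
-static struct platform_suspend_ops avr32_pm_ops = {
+static const struct platform_suspend_ops avr32_pm_ops = {
 .valid = avr32_pm_valid_state,
 .enter = avr32_pm_enter,
 };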
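diff -urNp linux-2.6.32.48/arch/avr32/mm/fault.c linux-2.6.32.48/arch/avr32/mm/fault.c
--- linux-2.6.32.48/arch/avr32/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/avr32/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
@@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
 
 int exception_trace = 1;
 
+#ifdef CONFIG_PAX_PAGEEXEC
+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
+{
+ unsigned long i;
+
+ printk(KERN_ERR "PAX: bytes at PC: ");
+ for (i = 0; i < 20; i++) {
+ unsigned char c;
+ if (get_user(c, (unsigned char *)pc+i))
+ printk(KERN_CONT "???????? ");
+ else
+ printk(KERN_CONT "%02x ", c);
+ }
+ printk("\n");
+}
+#endif
+
 /*
 * This routine handles page faults. It determines the address and the
 * problem, and then passes it off to one of the appropriate routines.
@@ -157,6 +174,16 @@ bad_area:
 up_read(&mm->mmap_sem);
 
 if (user_mode(regs)) {
+
+#ifdef CONFIG_PAX_PAGEEXEC
+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
+ do_group_exit(SIGKILL);
+ }
+ }
+#endif
+
 if (exception_trace && printk_ratelimit())
 printk("%s%s[%d]: segfault at %08lx pc %08lx "
 "sp %08lx ecr %lu\n",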
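Review bot: pax_report_insns reads one `unsigned char` per iteration and prints it with `"%02x "`, but its failure branch prints `"???????? "`, eight placeholders for a two-digit field; the ARM version on this page uses `"?? "` for its byte loop. The line should be `printk(KERN_CONT "?? ");` so the dump stays column-aligned when a read faults and the log remains easy to parse during triage. The `get_user` pointer is also cast to plain `unsigned char *`, whereas the ARM variant's `(__force unsigned char __user *)pc+i` keeps the address-space annotation for sparse.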
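diff -urNp linux-2.6.32.48/arch/blackfin/kernel/kgdb.c linux-2.6.32.48/arch/blackfin/kernel/kgdb.c
--- linux-2.6.32.48/arch/blackfin/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/blackfin/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
@@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
 return -1; /* this means that we do not want to exit from the handler */
 }
 
-struct kgdb_arch arch_kgdb_ops = {
+const struct kgdb_arch arch_kgdb_ops = {
 .gdb_bpt_instr = {0xa1},
 #ifdef CONFIG_SMP
 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,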
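diff -urNp linux-2.6.32.48/arch/blackfin/mach-common/pm.c linux-2.6.32.48/arch/blackfin/mach-common/pm.c
--- linux-2.6.32.48/arch/blackfin/mach-common/pm.c 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/blackfin/mach-common/pm.c 2011-11-15 19:59:42.000000000 -0500
@@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
 return 0;
 }
 
-struct platform_suspend_ops bfin_pm_ops = {
+const struct platform_suspend_ops bfin_pm_ops = {
 .enter = bfin_pm_enter,
 .valid = bfin_pm_valid,
 };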
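diff -urNp linux-2.6.32.48/arch/frv/include/asm/kmap_types.h linux-2.6.32.48/arch/frv/include/asm/kmap_types.h
--- linux-2.6.32.48/arch/frv/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
+++ linux-2.6.32.48/arch/frv/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
@@ -23,6 +23,7 @@ enum km_type {
 KM_IRQ1,
 KM_SOFTIRQ0,
 KM_SOFTIRQ1,
+ KM_CLEARPAGE,
 KM_TYPE_NR
 };
 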
833diff -urNp linux-2.6.32.48/arch/frv/mm/elf-fdpic.c linux-2.6.32.48/arch/frv/mm/elf-fdpic.c
834--- linux-2.6.32.48/arch/frv/mm/elf-fdpic.c 2011-11-08 19:02:43.000000000 -0500
835+++ linux-2.6.32.48/arch/frv/mm/elf-fdpic.c 2011-11-15 19:59:42.000000000 -0500
836@@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
837 if (addr) {
838 addr = PAGE_ALIGN(addr);
839 vma = find_vma(current->mm, addr);
840- if (TASK_SIZE - len >= addr &&
841- (!vma || addr + len <= vma->vm_start))
842+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
843 goto success;
844 }
845
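Review bot: Nothing in this hunk shows that `check_heap_stack_gap()` accepts a NULL `vma`, a case the removed condition handled explicitly with `!vma ||`. Here `vma` comes straight from `find_vma()` and may be NULL. The same replacement is made in arch/ia64/kernel/sys_ia64.c and arch/ia64/mm/hugetlbpage.c; in the latter the line after the check reads `vmm->vm_end`, so a helper that returned false for NULL would lead to a NULL dereference. The helper is defined outside this part of the patch, so I would either keep `!vma ||` in front of the call or add `/* check_heap_stack_gap() must return true for vma == NULL */` at the call site. The body of arch_get_unmapped_area continues outside the hunk.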
846@@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
847 for (; vma; vma = vma->vm_next) {
848 if (addr > limit)
849 break;
850- if (addr + len <= vma->vm_start)
851+ if (check_heap_stack_gap(vma, addr, len))
852 goto success;
853 addr = vma->vm_end;
854 }
855@@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
856 for (; vma; vma = vma->vm_next) {
857 if (addr > limit)
858 break;
859- if (addr + len <= vma->vm_start)
860+ if (check_heap_stack_gap(vma, addr, len))
861 goto success;
862 addr = vma->vm_end;
863 }
864diff -urNp linux-2.6.32.48/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.48/arch/ia64/hp/common/hwsw_iommu.c
865--- linux-2.6.32.48/arch/ia64/hp/common/hwsw_iommu.c 2011-11-08 19:02:43.000000000 -0500
866+++ linux-2.6.32.48/arch/ia64/hp/common/hwsw_iommu.c 2011-11-15 19:59:42.000000000 -0500
867@@ -17,7 +17,7 @@
868 #include <linux/swiotlb.h>
869 #include <asm/machvec.h>
870
871-extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
872+extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
873
874 /* swiotlb declarations & definitions: */
875 extern int swiotlb_late_init_with_default_size (size_t size);
876@@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
877 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
878 }
879
880-struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
881+const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
882 {
883 if (use_swiotlb(dev))
884 return &swiotlb_dma_ops;
885diff -urNp linux-2.6.32.48/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.48/arch/ia64/hp/common/sba_iommu.c
886--- linux-2.6.32.48/arch/ia64/hp/common/sba_iommu.c 2011-11-08 19:02:43.000000000 -0500
887+++ linux-2.6.32.48/arch/ia64/hp/common/sba_iommu.c 2011-11-15 19:59:42.000000000 -0500
888@@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
889 },
890 };
891
892-extern struct dma_map_ops swiotlb_dma_ops;
893+extern const struct dma_map_ops swiotlb_dma_ops;
894
895 static int __init
896 sba_init(void)
897@@ -2211,7 +2211,7 @@ sba_page_override(char *str)
898
899 __setup("sbapagesize=",sba_page_override);
900
901-struct dma_map_ops sba_dma_ops = {
902+const struct dma_map_ops sba_dma_ops = {
903 .alloc_coherent = sba_alloc_coherent,
904 .free_coherent = sba_free_coherent,
905 .map_page = sba_map_page,
906diff -urNp linux-2.6.32.48/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.48/arch/ia64/ia32/binfmt_elf32.c
907--- linux-2.6.32.48/arch/ia64/ia32/binfmt_elf32.c 2011-11-08 19:02:43.000000000 -0500
908+++ linux-2.6.32.48/arch/ia64/ia32/binfmt_elf32.c 2011-11-15 19:59:42.000000000 -0500
909@@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
910
911 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
912
913+#ifdef CONFIG_PAX_ASLR
914+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
915+
916+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
917+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
918+#endif
919+
920 /* Ugly but avoids duplication */
921 #include "../../../fs/binfmt_elf.c"
922
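Review bot: The three `PAX_*` macros added here are repeated character for character in arch/ia64/include/asm/elf.h further down the patch, so two copies have to be kept in step by hand. Neither copy explains the expression `3*PAGE_SHIFT - 13`. I would define them once in the header and add a comment such as `/* 64-bit tasks: length scales with the page size; PER_LINUX32 tasks use a fixed 16 */`, after confirming that reading against the code that consumes the macros, which is outside this hunk.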
923diff -urNp linux-2.6.32.48/arch/ia64/ia32/ia32priv.h linux-2.6.32.48/arch/ia64/ia32/ia32priv.h
924--- linux-2.6.32.48/arch/ia64/ia32/ia32priv.h 2011-11-08 19:02:43.000000000 -0500
925+++ linux-2.6.32.48/arch/ia64/ia32/ia32priv.h 2011-11-15 19:59:42.000000000 -0500
926@@ -296,7 +296,14 @@ typedef struct compat_siginfo {
927 #define ELF_DATA ELFDATA2LSB
928 #define ELF_ARCH EM_386
929
930-#define IA32_STACK_TOP IA32_PAGE_OFFSET
931+#ifdef CONFIG_PAX_RANDUSTACK
932+#define __IA32_DELTA_STACK (current->mm->delta_stack)
933+#else
934+#define __IA32_DELTA_STACK 0UL
935+#endif
936+
937+#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
938+
939 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
940 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
941
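Review bot: `IA32_STACK_TOP` stops being a constant with this change: under CONFIG_PAX_RANDUSTACK it expands to an expression that dereferences `current->mm`. Every user therefore has to run in a context where `current->mm` is non-NULL, and the macro can no longer appear in a static initializer or an `#if`. The users are outside this hunk, so that needs checking. I would at least record it above the definition with `/* runtime value: reads current->mm->delta_stack, not a constant expression */`.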
942diff -urNp linux-2.6.32.48/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.48/arch/ia64/include/asm/dma-mapping.h
943--- linux-2.6.32.48/arch/ia64/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
944+++ linux-2.6.32.48/arch/ia64/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
945@@ -12,7 +12,7 @@
946
947 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
948
949-extern struct dma_map_ops *dma_ops;
950+extern const struct dma_map_ops *dma_ops;
951 extern struct ia64_machine_vector ia64_mv;
952 extern void set_iommu_machvec(void);
953
954@@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
955 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
956 dma_addr_t *daddr, gfp_t gfp)
957 {
958- struct dma_map_ops *ops = platform_dma_get_ops(dev);
959+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
960 void *caddr;
961
962 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
963@@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
964 static inline void dma_free_coherent(struct device *dev, size_t size,
965 void *caddr, dma_addr_t daddr)
966 {
967- struct dma_map_ops *ops = platform_dma_get_ops(dev);
968+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
969 debug_dma_free_coherent(dev, size, caddr, daddr);
970 ops->free_coherent(dev, size, caddr, daddr);
971 }
972@@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
973
974 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
975 {
976- struct dma_map_ops *ops = platform_dma_get_ops(dev);
977+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
978 return ops->mapping_error(dev, daddr);
979 }
980
981 static inline int dma_supported(struct device *dev, u64 mask)
982 {
983- struct dma_map_ops *ops = platform_dma_get_ops(dev);
984+ const struct dma_map_ops *ops = platform_dma_get_ops(dev);
985 return ops->dma_supported(dev, mask);
986 }
987
988diff -urNp linux-2.6.32.48/arch/ia64/include/asm/elf.h linux-2.6.32.48/arch/ia64/include/asm/elf.h
989--- linux-2.6.32.48/arch/ia64/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
990+++ linux-2.6.32.48/arch/ia64/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
991@@ -43,6 +43,13 @@
992 */
993 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
994
995+#ifdef CONFIG_PAX_ASLR
996+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
997+
998+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
999+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
1000+#endif
1001+
1002 #define PT_IA_64_UNWIND 0x70000001
1003
1004 /* IA-64 relocations: */
1005diff -urNp linux-2.6.32.48/arch/ia64/include/asm/machvec.h linux-2.6.32.48/arch/ia64/include/asm/machvec.h
1006--- linux-2.6.32.48/arch/ia64/include/asm/machvec.h 2011-11-08 19:02:43.000000000 -0500
1007+++ linux-2.6.32.48/arch/ia64/include/asm/machvec.h 2011-11-15 19:59:42.000000000 -0500
1008@@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
1009 /* DMA-mapping interface: */
1010 typedef void ia64_mv_dma_init (void);
1011 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
1012-typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1013+typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
1014
1015 /*
1016 * WARNING: The legacy I/O space is _architected_. Platforms are
1017@@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
1018 # endif /* CONFIG_IA64_GENERIC */
1019
1020 extern void swiotlb_dma_init(void);
1021-extern struct dma_map_ops *dma_get_ops(struct device *);
1022+extern const struct dma_map_ops *dma_get_ops(struct device *);
1023
1024 /*
1025 * Define default versions so we can extend machvec for new platforms without having
1026diff -urNp linux-2.6.32.48/arch/ia64/include/asm/pgtable.h linux-2.6.32.48/arch/ia64/include/asm/pgtable.h
1027--- linux-2.6.32.48/arch/ia64/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
1028+++ linux-2.6.32.48/arch/ia64/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
1029@@ -12,7 +12,7 @@
1030 * David Mosberger-Tang <davidm@hpl.hp.com>
1031 */
1032
1033-
1034+#include <linux/const.h>
1035 #include <asm/mman.h>
1036 #include <asm/page.h>
1037 #include <asm/processor.h>
1038@@ -143,6 +143,17 @@
1039 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1040 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1041 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
1042+
1043+#ifdef CONFIG_PAX_PAGEEXEC
1044+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
1045+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1046+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
1047+#else
1048+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1049+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1050+# define PAGE_COPY_NOEXEC PAGE_COPY
1051+#endif
1052+
1053 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
1054 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
1055 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
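Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` get exactly the expressions that `PAGE_READONLY` and `PAGE_COPY` have in the context lines just above, so for those two names both arms of the `#ifdef` produce the same value. If that is intentional because the base protections on ia64 already lack execute rights, a comment should say so, for example `/* ia64: the non-_EXEC protections are already non-executable */`. The block could then shrink to the three aliases in the `#else` arm. The `#include <linux/const.h>` added by the first hunk is not used by anything visible in either hunk.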
1056diff -urNp linux-2.6.32.48/arch/ia64/include/asm/spinlock.h linux-2.6.32.48/arch/ia64/include/asm/spinlock.h
1057--- linux-2.6.32.48/arch/ia64/include/asm/spinlock.h 2011-11-08 19:02:43.000000000 -0500
1058+++ linux-2.6.32.48/arch/ia64/include/asm/spinlock.h 2011-11-15 19:59:42.000000000 -0500
1059@@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
1060 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
1061
1062 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
1063- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
1064+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
1065 }
1066
1067 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
1068diff -urNp linux-2.6.32.48/arch/ia64/include/asm/uaccess.h linux-2.6.32.48/arch/ia64/include/asm/uaccess.h
1069--- linux-2.6.32.48/arch/ia64/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
1070+++ linux-2.6.32.48/arch/ia64/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
1071@@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
1072 const void *__cu_from = (from); \
1073 long __cu_len = (n); \
1074 \
1075- if (__access_ok(__cu_to, __cu_len, get_fs())) \
1076+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
1077 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
1078 __cu_len; \
1079 })
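Review bot: Neither macro says why the length is capped at `INT_MAX`, nor what the caller gets back when the new test rejects it. On rejection the copy is skipped and the expression evaluates to the unchanged `__cu_len`, which is a negative `long` when `n` was negative. I would add a continuation-line comment above each test, e.g. `/* n <= 0 or n > INT_MAX: copy nothing and return n as the uncopied count */ \`. The next hunk adds the same guard to the second macro, and arch/m32r/lib/usercopy.c gets the equivalent `(long)n < 0` test, also undocumented. Both macro definitions start outside their hunks.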
1080@@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
1081 long __cu_len = (n); \
1082 \
1083 __chk_user_ptr(__cu_from); \
1084- if (__access_ok(__cu_from, __cu_len, get_fs())) \
1085+ if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
1086 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
1087 __cu_len; \
1088 })
1089diff -urNp linux-2.6.32.48/arch/ia64/kernel/dma-mapping.c linux-2.6.32.48/arch/ia64/kernel/dma-mapping.c
1090--- linux-2.6.32.48/arch/ia64/kernel/dma-mapping.c 2011-11-08 19:02:43.000000000 -0500
1091+++ linux-2.6.32.48/arch/ia64/kernel/dma-mapping.c 2011-11-15 19:59:42.000000000 -0500
1092@@ -3,7 +3,7 @@
1093 /* Set this to 1 if there is a HW IOMMU in the system */
1094 int iommu_detected __read_mostly;
1095
1096-struct dma_map_ops *dma_ops;
1097+const struct dma_map_ops *dma_ops;
1098 EXPORT_SYMBOL(dma_ops);
1099
1100 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1101@@ -16,7 +16,7 @@ static int __init dma_init(void)
1102 }
1103 fs_initcall(dma_init);
1104
1105-struct dma_map_ops *dma_get_ops(struct device *dev)
1106+const struct dma_map_ops *dma_get_ops(struct device *dev)
1107 {
1108 return dma_ops;
1109 }
1110diff -urNp linux-2.6.32.48/arch/ia64/kernel/module.c linux-2.6.32.48/arch/ia64/kernel/module.c
1111--- linux-2.6.32.48/arch/ia64/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
1112+++ linux-2.6.32.48/arch/ia64/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
1113@@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1114 void
1115 module_free (struct module *mod, void *module_region)
1116 {
1117- if (mod && mod->arch.init_unw_table &&
1118- module_region == mod->module_init) {
1119+ if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1120 unw_remove_unwind_table(mod->arch.init_unw_table);
1121 mod->arch.init_unw_table = NULL;
1122 }
1123@@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1124 }
1125
1126 static inline int
1127+in_init_rx (const struct module *mod, uint64_t addr)
1128+{
1129+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1130+}
1131+
1132+static inline int
1133+in_init_rw (const struct module *mod, uint64_t addr)
1134+{
1135+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1136+}
1137+
1138+static inline int
1139 in_init (const struct module *mod, uint64_t addr)
1140 {
1141- return addr - (uint64_t) mod->module_init < mod->init_size;
1142+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1143+}
1144+
1145+static inline int
1146+in_core_rx (const struct module *mod, uint64_t addr)
1147+{
1148+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1149+}
1150+
1151+static inline int
1152+in_core_rw (const struct module *mod, uint64_t addr)
1153+{
1154+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1155 }
1156
1157 static inline int
1158 in_core (const struct module *mod, uint64_t addr)
1159 {
1160- return addr - (uint64_t) mod->module_core < mod->core_size;
1161+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1162 }
1163
1164 static inline int
1165@@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1166 break;
1167
1168 case RV_BDREL:
1169- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1170+ if (in_init_rx(mod, val))
1171+ val -= (uint64_t) mod->module_init_rx;
1172+ else if (in_init_rw(mod, val))
1173+ val -= (uint64_t) mod->module_init_rw;
1174+ else if (in_core_rx(mod, val))
1175+ val -= (uint64_t) mod->module_core_rx;
1176+ else if (in_core_rw(mod, val))
1177+ val -= (uint64_t) mod->module_core_rw;
1178 break;
1179
1180 case RV_LTV:
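Review bot: The new `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is left unadjusted with no diagnostic. The removed line always subtracted a base, falling back to `mod->module_core`. If that case cannot happen, a comment should say why. Otherwise the relocation should fail visibly, for example `else { printk(KERN_ERR "%s: BDREL target outside module\n", mod->name); return -ENOEXEC; }`. The error convention of do_reloc is outside the hunk, so the return value has to be checked against the rest of the function.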
1181@@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1182 * addresses have been selected...
1183 */
1184 uint64_t gp;
1185- if (mod->core_size > MAX_LTOFF)
1186+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1187 /*
1188 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1189 * at the end of the module.
1190 */
1191- gp = mod->core_size - MAX_LTOFF / 2;
1192+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1193 else
1194- gp = mod->core_size / 2;
1195- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1196+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1197+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1198 mod->arch.gp = gp;
1199 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1200 }
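Review bot: `gp` is still computed as an offset into one contiguous image (`core_size_rx + core_size_rw`) but is now added to `module_core_rx`. That only lands where intended if the RW region starts immediately after the RX region. The context comment relies on SHF_ARCH_SMALL data being "at the end of the module", which after the split is presumably inside the RW allocation. Nothing visible here guarantees the two regions are adjacent, so I would state the assumption in a comment or enforce it with `BUG_ON((uint64_t) mod->module_core_rw != (uint64_t) mod->module_core_rx + mod->core_size_rx);`. The surrounding apply_relocate_add body starts and ends outside the hunk.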
1201diff -urNp linux-2.6.32.48/arch/ia64/kernel/pci-dma.c linux-2.6.32.48/arch/ia64/kernel/pci-dma.c
1202--- linux-2.6.32.48/arch/ia64/kernel/pci-dma.c 2011-11-08 19:02:43.000000000 -0500
1203+++ linux-2.6.32.48/arch/ia64/kernel/pci-dma.c 2011-11-15 19:59:42.000000000 -0500
1204@@ -43,7 +43,7 @@ struct device fallback_dev = {
1205 .dma_mask = &fallback_dev.coherent_dma_mask,
1206 };
1207
1208-extern struct dma_map_ops intel_dma_ops;
1209+extern const struct dma_map_ops intel_dma_ops;
1210
1211 static int __init pci_iommu_init(void)
1212 {
1213@@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1214 }
1215 EXPORT_SYMBOL(iommu_dma_supported);
1216
1217+extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1218+extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1219+extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1220+extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1221+extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1222+extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1223+extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1224+
1225+static const struct dma_map_ops intel_iommu_dma_ops = {
1226+ /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1227+ .alloc_coherent = intel_alloc_coherent,
1228+ .free_coherent = intel_free_coherent,
1229+ .map_sg = intel_map_sg,
1230+ .unmap_sg = intel_unmap_sg,
1231+ .map_page = intel_map_page,
1232+ .unmap_page = intel_unmap_page,
1233+ .mapping_error = intel_mapping_error,
1234+
1235+ .sync_single_for_cpu = machvec_dma_sync_single,
1236+ .sync_sg_for_cpu = machvec_dma_sync_sg,
1237+ .sync_single_for_device = machvec_dma_sync_single,
1238+ .sync_sg_for_device = machvec_dma_sync_sg,
1239+ .dma_supported = iommu_dma_supported,
1240+};
1241+
1242 void __init pci_iommu_alloc(void)
1243 {
1244- dma_ops = &intel_dma_ops;
1245-
1246- dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1247- dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1248- dma_ops->sync_single_for_device = machvec_dma_sync_single;
1249- dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1250- dma_ops->dma_supported = iommu_dma_supported;
1251+ dma_ops = &intel_iommu_dma_ops;
1252
1253 /*
1254 * The order of these functions is important for
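Review bot: `intel_iommu_dma_ops` is a hand-written copy of another file's table, and the seven `extern` prototypes above it are declared locally rather than taken from a shared header. The compiler therefore cannot catch a signature change in drivers/pci/intel-iommu.c, and any callback `intel_dma_ops` sets beyond the seven listed is silently left NULL here. I would move the prototypes into a header that both files include and strengthen the comment to `/* keep in sync with drivers/pci/intel-iommu.c:intel_dma_ops */`. The `extern const struct dma_map_ops intel_dma_ops;` declaration touched by the first hunk looks unused once `pci_iommu_alloc()` stops referencing it.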
1255diff -urNp linux-2.6.32.48/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.48/arch/ia64/kernel/pci-swiotlb.c
1256--- linux-2.6.32.48/arch/ia64/kernel/pci-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
1257+++ linux-2.6.32.48/arch/ia64/kernel/pci-swiotlb.c 2011-11-15 19:59:42.000000000 -0500
1258@@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1259 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1260 }
1261
1262-struct dma_map_ops swiotlb_dma_ops = {
1263+const struct dma_map_ops swiotlb_dma_ops = {
1264 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1265 .free_coherent = swiotlb_free_coherent,
1266 .map_page = swiotlb_map_page,
1267diff -urNp linux-2.6.32.48/arch/ia64/kernel/sys_ia64.c linux-2.6.32.48/arch/ia64/kernel/sys_ia64.c
1268--- linux-2.6.32.48/arch/ia64/kernel/sys_ia64.c 2011-11-08 19:02:43.000000000 -0500
1269+++ linux-2.6.32.48/arch/ia64/kernel/sys_ia64.c 2011-11-15 19:59:42.000000000 -0500
1270@@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1271 if (REGION_NUMBER(addr) == RGN_HPAGE)
1272 addr = 0;
1273 #endif
1274+
1275+#ifdef CONFIG_PAX_RANDMMAP
1276+ if (mm->pax_flags & MF_PAX_RANDMMAP)
1277+ addr = mm->free_area_cache;
1278+ else
1279+#endif
1280+
1281 if (!addr)
1282 addr = mm->free_area_cache;
1283
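Review bot: The added `else` is the last token inside the `#ifdef` block and binds to the `if (!addr)` that follows the `#endif` and a blank line. Any statement later inserted between them silently changes which code the `else` governs. A comment on the line makes the coupling explicit: `else /* pairs with the if (!addr) after #endif */`. It is also worth noting in a comment that with `MF_PAX_RANDMMAP` set the caller's address hint is discarded in favour of `mm->free_area_cache`. arch/mips/kernel/syscall.c uses the same pattern of a conditional left open across `#endif`.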
1284@@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1285 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1286 /* At this point: (!vma || addr < vma->vm_end). */
1287 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1288- if (start_addr != TASK_UNMAPPED_BASE) {
1289+ if (start_addr != mm->mmap_base) {
1290 /* Start a new search --- just in case we missed some holes. */
1291- addr = TASK_UNMAPPED_BASE;
1292+ addr = mm->mmap_base;
1293 goto full_search;
1294 }
1295 return -ENOMEM;
1296 }
1297- if (!vma || addr + len <= vma->vm_start) {
1298+ if (check_heap_stack_gap(vma, addr, len)) {
1299 /* Remember the address where we stopped this search: */
1300 mm->free_area_cache = addr + len;
1301 return addr;
1302diff -urNp linux-2.6.32.48/arch/ia64/kernel/topology.c linux-2.6.32.48/arch/ia64/kernel/topology.c
1303--- linux-2.6.32.48/arch/ia64/kernel/topology.c 2011-11-08 19:02:43.000000000 -0500
1304+++ linux-2.6.32.48/arch/ia64/kernel/topology.c 2011-11-15 19:59:42.000000000 -0500
1305@@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1306 return ret;
1307 }
1308
1309-static struct sysfs_ops cache_sysfs_ops = {
1310+static const struct sysfs_ops cache_sysfs_ops = {
1311 .show = cache_show
1312 };
1313
1314diff -urNp linux-2.6.32.48/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.48/arch/ia64/kernel/vmlinux.lds.S
1315--- linux-2.6.32.48/arch/ia64/kernel/vmlinux.lds.S 2011-11-08 19:02:43.000000000 -0500
1316+++ linux-2.6.32.48/arch/ia64/kernel/vmlinux.lds.S 2011-11-15 19:59:42.000000000 -0500
1317@@ -190,7 +190,7 @@ SECTIONS
1318 /* Per-cpu data: */
1319 . = ALIGN(PERCPU_PAGE_SIZE);
1320 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1321- __phys_per_cpu_start = __per_cpu_load;
1322+ __phys_per_cpu_start = per_cpu_load;
1323 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1324 * into percpu page size
1325 */
1326diff -urNp linux-2.6.32.48/arch/ia64/mm/fault.c linux-2.6.32.48/arch/ia64/mm/fault.c
1327--- linux-2.6.32.48/arch/ia64/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1328+++ linux-2.6.32.48/arch/ia64/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1329@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1330 return pte_present(pte);
1331 }
1332
1333+#ifdef CONFIG_PAX_PAGEEXEC
1334+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1335+{
1336+ unsigned long i;
1337+
1338+ printk(KERN_ERR "PAX: bytes at PC: ");
1339+ for (i = 0; i < 8; i++) {
1340+ unsigned int c;
1341+ if (get_user(c, (unsigned int *)pc+i))
1342+ printk(KERN_CONT "???????? ");
1343+ else
1344+ printk(KERN_CONT "%08x ", c);
1345+ }
1346+ printk("\n");
1347+}
1348+#endif
1349+
1350 void __kprobes
1351 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1352 {
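Review bot: `get_user(c, (unsigned int *)pc+i)` reads user memory through a cast that drops the `__user` annotation, so sparse will warn. `(unsigned int __user *)pc + i` keeps the address-space check intact. The parameters `regs` and `sp` are not used in this implementation, and the closing `printk("\n")` lacks the `KERN_CONT` that the other continuation lines carry. A short header comment would help, e.g. `/* dump eight 32-bit words at the faulting user PC; unreadable words print as ???????? */`.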
1353@@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1354 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1355 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1356
1357- if ((vma->vm_flags & mask) != mask)
1358+ if ((vma->vm_flags & mask) != mask) {
1359+
1360+#ifdef CONFIG_PAX_PAGEEXEC
1361+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1362+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1363+ goto bad_area;
1364+
1365+ up_read(&mm->mmap_sem);
1366+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1367+ do_group_exit(SIGKILL);
1368+ }
1369+#endif
1370+
1371 goto bad_area;
1372
1373+ }
1374+
1375 survive:
1376 /*
1377 * If for any reason at all we couldn't handle the fault, make
1378diff -urNp linux-2.6.32.48/arch/ia64/mm/hugetlbpage.c linux-2.6.32.48/arch/ia64/mm/hugetlbpage.c
1379--- linux-2.6.32.48/arch/ia64/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
1380+++ linux-2.6.32.48/arch/ia64/mm/hugetlbpage.c 2011-11-15 19:59:42.000000000 -0500
1381@@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1382 /* At this point: (!vmm || addr < vmm->vm_end). */
1383 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1384 return -ENOMEM;
1385- if (!vmm || (addr + len) <= vmm->vm_start)
1386+ if (check_heap_stack_gap(vmm, addr, len))
1387 return addr;
1388 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1389 }
1390diff -urNp linux-2.6.32.48/arch/ia64/mm/init.c linux-2.6.32.48/arch/ia64/mm/init.c
1391--- linux-2.6.32.48/arch/ia64/mm/init.c 2011-11-08 19:02:43.000000000 -0500
1392+++ linux-2.6.32.48/arch/ia64/mm/init.c 2011-11-15 19:59:42.000000000 -0500
1393@@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1394 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1395 vma->vm_end = vma->vm_start + PAGE_SIZE;
1396 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1397+
1398+#ifdef CONFIG_PAX_PAGEEXEC
1399+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1400+ vma->vm_flags &= ~VM_EXEC;
1401+
1402+#ifdef CONFIG_PAX_MPROTECT
1403+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
1404+ vma->vm_flags &= ~VM_MAYEXEC;
1405+#endif
1406+
1407+ }
1408+#endif
1409+
1410 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1411 down_write(&current->mm->mmap_sem);
1412 if (insert_vm_struct(current->mm, vma)) {
1413diff -urNp linux-2.6.32.48/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.48/arch/ia64/sn/pci/pci_dma.c
1414--- linux-2.6.32.48/arch/ia64/sn/pci/pci_dma.c 2011-11-08 19:02:43.000000000 -0500
1415+++ linux-2.6.32.48/arch/ia64/sn/pci/pci_dma.c 2011-11-15 19:59:42.000000000 -0500
1416@@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1417 return ret;
1418 }
1419
1420-static struct dma_map_ops sn_dma_ops = {
1421+static const struct dma_map_ops sn_dma_ops = {
1422 .alloc_coherent = sn_dma_alloc_coherent,
1423 .free_coherent = sn_dma_free_coherent,
1424 .map_page = sn_dma_map_page,
1425diff -urNp linux-2.6.32.48/arch/m32r/lib/usercopy.c linux-2.6.32.48/arch/m32r/lib/usercopy.c
1426--- linux-2.6.32.48/arch/m32r/lib/usercopy.c 2011-11-08 19:02:43.000000000 -0500
1427+++ linux-2.6.32.48/arch/m32r/lib/usercopy.c 2011-11-15 19:59:42.000000000 -0500
1428@@ -14,6 +14,9 @@
1429 unsigned long
1430 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1431 {
1432+ if ((long)n < 0)
1433+ return n;
1434+
1435 prefetch(from);
1436 if (access_ok(VERIFY_WRITE, to, n))
1437 __copy_user(to,from,n);
1438@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1439 unsigned long
1440 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1441 {
1442+ if ((long)n < 0)
1443+ return n;
1444+
1445 prefetchw(to);
1446 if (access_ok(VERIFY_READ, from, n))
1447 __copy_user_zeroing(to,from,n);
1448diff -urNp linux-2.6.32.48/arch/mips/alchemy/devboards/pm.c linux-2.6.32.48/arch/mips/alchemy/devboards/pm.c
1449--- linux-2.6.32.48/arch/mips/alchemy/devboards/pm.c 2011-11-08 19:02:43.000000000 -0500
1450+++ linux-2.6.32.48/arch/mips/alchemy/devboards/pm.c 2011-11-15 19:59:42.000000000 -0500
1451@@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1452
1453 }
1454
1455-static struct platform_suspend_ops db1x_pm_ops = {
1456+static const struct platform_suspend_ops db1x_pm_ops = {
1457 .valid = suspend_valid_only_mem,
1458 .begin = db1x_pm_begin,
1459 .enter = db1x_pm_enter,
1460diff -urNp linux-2.6.32.48/arch/mips/include/asm/elf.h linux-2.6.32.48/arch/mips/include/asm/elf.h
1461--- linux-2.6.32.48/arch/mips/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
1462+++ linux-2.6.32.48/arch/mips/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
1463@@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1464 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1465 #endif
1466
1467+#ifdef CONFIG_PAX_ASLR
1468+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1469+
1470+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1471+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1472+#endif
1473+
1474 #endif /* _ASM_ELF_H */
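Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test has no effect there. Either the 64-bit arm is a placeholder that needs its own value, or the ternary can be dropped: `#define PAX_ELF_ET_DYN_BASE 0x00400000UL`. The same three macros are pasted into arch/mips/kernel/binfmt_elfn32.c and binfmt_elfo32.c later in the patch. A single definition in this header would avoid keeping three copies identical.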
1475diff -urNp linux-2.6.32.48/arch/mips/include/asm/page.h linux-2.6.32.48/arch/mips/include/asm/page.h
1476--- linux-2.6.32.48/arch/mips/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
1477+++ linux-2.6.32.48/arch/mips/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
1478@@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1479 #ifdef CONFIG_CPU_MIPS32
1480 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1481 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1482- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1483+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1484 #else
1485 typedef struct { unsigned long long pte; } pte_t;
1486 #define pte_val(x) ((x).pte)
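Review bot: Without the `(unsigned long long)` cast, `(x) >> 32` is undefined whenever `__pte()` is given a 32-bit operand, because the shift count then equals the operand width. The removed form was well defined for any integer argument. The reason for dropping the cast is not visible in this hunk. If every caller under CONFIG_CPU_MIPS32 passes a 64-bit value, that requirement belongs in a comment next to the macro; otherwise the widening should stay, as in `{(x), ((unsigned long long)(x)) >> 32}`.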
1487diff -urNp linux-2.6.32.48/arch/mips/include/asm/reboot.h linux-2.6.32.48/arch/mips/include/asm/reboot.h
1488--- linux-2.6.32.48/arch/mips/include/asm/reboot.h 2011-11-08 19:02:43.000000000 -0500
1489+++ linux-2.6.32.48/arch/mips/include/asm/reboot.h 2011-11-15 19:59:42.000000000 -0500
1490@@ -9,7 +9,7 @@
1491 #ifndef _ASM_REBOOT_H
1492 #define _ASM_REBOOT_H
1493
1494-extern void (*_machine_restart)(char *command);
1495-extern void (*_machine_halt)(void);
1496+extern void (*__noreturn _machine_restart)(char *command);
1497+extern void (*__noreturn _machine_halt)(void);
1498
1499 #endif /* _ASM_REBOOT_H */
1500diff -urNp linux-2.6.32.48/arch/mips/include/asm/system.h linux-2.6.32.48/arch/mips/include/asm/system.h
1501--- linux-2.6.32.48/arch/mips/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
1502+++ linux-2.6.32.48/arch/mips/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
1503@@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1504 */
1505 #define __ARCH_WANT_UNLOCKED_CTXSW
1506
1507-extern unsigned long arch_align_stack(unsigned long sp);
1508+#define arch_align_stack(x) ((x) & ~0xfUL)
1509
1510 #endif /* _ASM_SYSTEM_H */
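Review bot: This macro replaces `arch_align_stack()` unconditionally. The sub-page stack offset that the deleted function in arch/mips/kernel/process.c applied (`sp -= get_random_int() & ~PAGE_MASK`) therefore disappears even in configurations where no PaX stack randomisation is enabled. The alignment also changes from `ALMASK` to a fixed `~0xfUL`. If the intent is that CONFIG_PAX_RANDUSTACK supersedes the old behaviour, the macro should be guarded by that option and the original function kept otherwise. At minimum, a comment should be added: `/* stack randomisation is done elsewhere; only align here */`.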
1511diff -urNp linux-2.6.32.48/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.48/arch/mips/kernel/binfmt_elfn32.c
1512--- linux-2.6.32.48/arch/mips/kernel/binfmt_elfn32.c 2011-11-08 19:02:43.000000000 -0500
1513+++ linux-2.6.32.48/arch/mips/kernel/binfmt_elfn32.c 2011-11-15 19:59:42.000000000 -0500
1514@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1515 #undef ELF_ET_DYN_BASE
1516 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1517
1518+#ifdef CONFIG_PAX_ASLR
1519+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1520+
1521+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1522+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1523+#endif
1524+
1525 #include <asm/processor.h>
1526 #include <linux/module.h>
1527 #include <linux/elfcore.h>
1528diff -urNp linux-2.6.32.48/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.48/arch/mips/kernel/binfmt_elfo32.c
1529--- linux-2.6.32.48/arch/mips/kernel/binfmt_elfo32.c 2011-11-08 19:02:43.000000000 -0500
1530+++ linux-2.6.32.48/arch/mips/kernel/binfmt_elfo32.c 2011-11-15 19:59:42.000000000 -0500
1531@@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1532 #undef ELF_ET_DYN_BASE
1533 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1534
1535+#ifdef CONFIG_PAX_ASLR
1536+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1537+
1538+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1539+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1540+#endif
1541+
1542 #include <asm/processor.h>
1543
1544 /*
1545diff -urNp linux-2.6.32.48/arch/mips/kernel/kgdb.c linux-2.6.32.48/arch/mips/kernel/kgdb.c
1546--- linux-2.6.32.48/arch/mips/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
1547+++ linux-2.6.32.48/arch/mips/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
1548@@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1549 return -1;
1550 }
1551
1552+/* cannot be const */
1553 struct kgdb_arch arch_kgdb_ops;
1554
1555 /*
1556diff -urNp linux-2.6.32.48/arch/mips/kernel/process.c linux-2.6.32.48/arch/mips/kernel/process.c
1557--- linux-2.6.32.48/arch/mips/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
1558+++ linux-2.6.32.48/arch/mips/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
1559@@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1560 out:
1561 return pc;
1562 }
1563-
1564-/*
1565- * Don't forget that the stack pointer must be aligned on a 8 bytes
1566- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1567- */
1568-unsigned long arch_align_stack(unsigned long sp)
1569-{
1570- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1571- sp -= get_random_int() & ~PAGE_MASK;
1572-
1573- return sp & ALMASK;
1574-}
1575diff -urNp linux-2.6.32.48/arch/mips/kernel/reset.c linux-2.6.32.48/arch/mips/kernel/reset.c
1576--- linux-2.6.32.48/arch/mips/kernel/reset.c 2011-11-08 19:02:43.000000000 -0500
1577+++ linux-2.6.32.48/arch/mips/kernel/reset.c 2011-11-15 19:59:42.000000000 -0500
1578@@ -19,8 +19,8 @@
1579 * So handle all using function pointers to machine specific
1580 * functions.
1581 */
1582-void (*_machine_restart)(char *command);
1583-void (*_machine_halt)(void);
1584+void (*__noreturn _machine_restart)(char *command);
1585+void (*__noreturn _machine_halt)(void);
1586 void (*pm_power_off)(void);
1587
1588 EXPORT_SYMBOL(pm_power_off);
1589@@ -29,16 +29,19 @@ void machine_restart(char *command)
1590 {
1591 if (_machine_restart)
1592 _machine_restart(command);
1593+ BUG();
1594 }
1595
1596 void machine_halt(void)
1597 {
1598 if (_machine_halt)
1599 _machine_halt();
1600+ BUG();
1601 }
1602
1603 void machine_power_off(void)
1604 {
1605 if (pm_power_off)
1606 pm_power_off();
1607+ BUG();
1608 }
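Review bot: The `BUG()` added to `machine_restart()`, `machine_halt()` and `machine_power_off()` is reached when the handler pointer is NULL as well as when a handler returns. Before this change the NULL case was a silent return. If that is intended, presumably so these functions never return to their caller, a comment on each call would make it explicit, for example `/* no handler registered, or the handler returned */`. In the first hunk `pm_power_off` is left without `__noreturn` while the two pointers beside it gain it; a short comment on why it differs would help the next reader.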
1609diff -urNp linux-2.6.32.48/arch/mips/kernel/syscall.c linux-2.6.32.48/arch/mips/kernel/syscall.c
1610--- linux-2.6.32.48/arch/mips/kernel/syscall.c 2011-11-08 19:02:43.000000000 -0500
1611+++ linux-2.6.32.48/arch/mips/kernel/syscall.c 2011-11-15 19:59:42.000000000 -0500
1612@@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1613 do_color_align = 0;
1614 if (filp || (flags & MAP_SHARED))
1615 do_color_align = 1;
1616+
1617+#ifdef CONFIG_PAX_RANDMMAP
1618+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1619+#endif
1620+
1621 if (addr) {
1622 if (do_color_align)
1623 addr = COLOUR_ALIGN(addr, pgoff);
1624 else
1625 addr = PAGE_ALIGN(addr);
1626 vmm = find_vma(current->mm, addr);
1627- if (task_size - len >= addr &&
1628- (!vmm || addr + len <= vmm->vm_start))
1629+ if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1630 return addr;
1631 }
1632- addr = TASK_UNMAPPED_BASE;
1633+ addr = current->mm->mmap_base;
1634 if (do_color_align)
1635 addr = COLOUR_ALIGN(addr, pgoff);
1636 else
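Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef CONFIG_PAX_RANDMMAP` block has no body of its own and binds to the `if (addr) {` statement two lines further down, across the `#endif` and a blank line. It is easy to insert a statement between them later and silently change what the condition guards. Dropping the blank line after `#endif` and adding a comment such as `/* with RANDMMAP the caller's address hint is ignored */` above the `#ifdef` would make the coupling visible. The enclosing function starts and ends outside the hunk.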
1637@@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1638 /* At this point: (!vmm || addr < vmm->vm_end). */
1639 if (task_size - len < addr)
1640 return -ENOMEM;
1641- if (!vmm || addr + len <= vmm->vm_start)
1642+ if (check_heap_stack_gap(vmm, addr, len))
1643 return addr;
1644 addr = vmm->vm_end;
1645 if (do_color_align)
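Review bot: The line after the new test, `addr = vmm->vm_end;`, dereferences `vmm` without a NULL check. It was safe before because the replaced condition began with `!vmm ||`. It is safe now only if `check_heap_stack_gap()` returns true for a NULL vma, and that helper is not defined in the visible part of the patch. The same pattern appears in both `check_heap_stack_gap()` hunks of arch/parisc/kernel/sys_parisc.c. A comment at each site, for example `/* check_heap_stack_gap() returns true for a NULL vma */`, would record the contract the loop relies on.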
1646diff -urNp linux-2.6.32.48/arch/mips/Makefile linux-2.6.32.48/arch/mips/Makefile
1647--- linux-2.6.32.48/arch/mips/Makefile 2011-11-08 19:02:43.000000000 -0500
1648+++ linux-2.6.32.48/arch/mips/Makefile 2011-11-15 19:59:42.000000000 -0500
1649@@ -51,6 +51,8 @@ endif
1650 cflags-y := -ffunction-sections
1651 cflags-y += $(call cc-option, -mno-check-zero-division)
1652
1653+cflags-y += -Wno-sign-compare -Wno-extra
1654+
1655 ifdef CONFIG_32BIT
1656 ld-emul = $(32bit-emul)
1657 vmlinux-32 = vmlinux
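Review bot: `cflags-y += -Wno-sign-compare -Wno-extra` turns these warnings off for the whole of arch/mips with no comment on why. Signed/unsigned comparison warnings are one of the few compiler diagnostics that point at length and bounds checks, so suppressing them tree-wide deserves a stated reason. The line above wraps its flag in `$(call cc-option, ...)` and this one does not; if the asymmetry is deliberate, a short comment would say so.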
1658diff -urNp linux-2.6.32.48/arch/mips/mm/fault.c linux-2.6.32.48/arch/mips/mm/fault.c
1659--- linux-2.6.32.48/arch/mips/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1660+++ linux-2.6.32.48/arch/mips/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1661@@ -26,6 +26,23 @@
1662 #include <asm/ptrace.h>
1663 #include <asm/highmem.h> /* For VMALLOC_END */
1664
1665+#ifdef CONFIG_PAX_PAGEEXEC
1666+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1667+{
1668+ unsigned long i;
1669+
1670+ printk(KERN_ERR "PAX: bytes at PC: ");
1671+ for (i = 0; i < 5; i++) {
1672+ unsigned int c;
1673+ if (get_user(c, (unsigned int *)pc+i))
1674+ printk(KERN_CONT "???????? ");
1675+ else
1676+ printk(KERN_CONT "%08x ", c);
1677+ }
1678+ printk("\n");
1679+}
1680+#endif
1681+
1682 /*
1683 * This routine handles page faults. It determines the address,
1684 * and the problem, and then passes it off to one of the appropriate
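Review bot: `pax_report_insns()` passes a plain kernel-typed pointer to `get_user()`; the cast should carry the address-space annotation, `if (get_user(c, (unsigned int __user *)pc + i))`, so sparse can check the user access. The function has no header comment: `regs` and `sp` are unused here, and the message says "bytes at PC" while the loop prints five 32-bit words. The final `printk("\n")` could use `KERN_CONT` like the calls in the loop, for consistency. The identical function is added again in arch/parisc/mm/fault.c and the same remarks apply there.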
1685diff -urNp linux-2.6.32.48/arch/parisc/include/asm/elf.h linux-2.6.32.48/arch/parisc/include/asm/elf.h
1686--- linux-2.6.32.48/arch/parisc/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
1687+++ linux-2.6.32.48/arch/parisc/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
1688@@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1689
1690 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1691
1692+#ifdef CONFIG_PAX_ASLR
1693+#define PAX_ELF_ET_DYN_BASE 0x10000UL
1694+
1695+#define PAX_DELTA_MMAP_LEN 16
1696+#define PAX_DELTA_STACK_LEN 16
1697+#endif
1698+
1699 /* This yields a mask that user programs can use to figure out what
1700 instruction set this CPU supports. This could be done in user space,
1701 but it's not easy, and we've already done it here. */
1702diff -urNp linux-2.6.32.48/arch/parisc/include/asm/pgtable.h linux-2.6.32.48/arch/parisc/include/asm/pgtable.h
1703--- linux-2.6.32.48/arch/parisc/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
1704+++ linux-2.6.32.48/arch/parisc/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
1705@@ -207,6 +207,17 @@
1706 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1707 #define PAGE_COPY PAGE_EXECREAD
1708 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1709+
1710+#ifdef CONFIG_PAX_PAGEEXEC
1711+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1712+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1713+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1714+#else
1715+# define PAGE_SHARED_NOEXEC PAGE_SHARED
1716+# define PAGE_COPY_NOEXEC PAGE_COPY
1717+# define PAGE_READONLY_NOEXEC PAGE_READONLY
1718+#endif
1719+
1720 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1721 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1722 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1723diff -urNp linux-2.6.32.48/arch/parisc/kernel/module.c linux-2.6.32.48/arch/parisc/kernel/module.c
1724--- linux-2.6.32.48/arch/parisc/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
1725+++ linux-2.6.32.48/arch/parisc/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
1726@@ -95,16 +95,38 @@
1727
1728 /* three functions to determine where in the module core
1729 * or init pieces the location is */
1730+static inline int in_init_rx(struct module *me, void *loc)
1731+{
1732+ return (loc >= me->module_init_rx &&
1733+ loc < (me->module_init_rx + me->init_size_rx));
1734+}
1735+
1736+static inline int in_init_rw(struct module *me, void *loc)
1737+{
1738+ return (loc >= me->module_init_rw &&
1739+ loc < (me->module_init_rw + me->init_size_rw));
1740+}
1741+
1742 static inline int in_init(struct module *me, void *loc)
1743 {
1744- return (loc >= me->module_init &&
1745- loc <= (me->module_init + me->init_size));
1746+ return in_init_rx(me, loc) || in_init_rw(me, loc);
1747+}
1748+
1749+static inline int in_core_rx(struct module *me, void *loc)
1750+{
1751+ return (loc >= me->module_core_rx &&
1752+ loc < (me->module_core_rx + me->core_size_rx));
1753+}
1754+
1755+static inline int in_core_rw(struct module *me, void *loc)
1756+{
1757+ return (loc >= me->module_core_rw &&
1758+ loc < (me->module_core_rw + me->core_size_rw));
1759 }
1760
1761 static inline int in_core(struct module *me, void *loc)
1762 {
1763- return (loc >= me->module_core &&
1764- loc <= (me->module_core + me->core_size));
1765+ return in_core_rx(me, loc) || in_core_rw(me, loc);
1766 }
1767
1768 static inline int in_local(struct module *me, void *loc)
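Review bot: The context comment "three functions to determine where in the module core or init pieces the location is" is now stale, because the hunk adds four more helpers (`in_init_rx`, `in_init_rw`, `in_core_rx`, `in_core_rw`). The new helpers also change the upper bound from `<=` to `<`, so an address one past the end of a region no longer counts as inside it, and nothing records that this is deliberate. I would update the comment to something like `/* helpers to determine which module region (init/core, rx/rw) contains loc; the end address is exclusive */`. `in_local()` continues outside the hunk.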
1769@@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1770 }
1771
1772 /* align things a bit */
1773- me->core_size = ALIGN(me->core_size, 16);
1774- me->arch.got_offset = me->core_size;
1775- me->core_size += gots * sizeof(struct got_entry);
1776-
1777- me->core_size = ALIGN(me->core_size, 16);
1778- me->arch.fdesc_offset = me->core_size;
1779- me->core_size += fdescs * sizeof(Elf_Fdesc);
1780+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1781+ me->arch.got_offset = me->core_size_rw;
1782+ me->core_size_rw += gots * sizeof(struct got_entry);
1783+
1784+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
1785+ me->arch.fdesc_offset = me->core_size_rw;
1786+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1787
1788 me->arch.got_max = gots;
1789 me->arch.fdesc_max = fdescs;
1790@@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1791
1792 BUG_ON(value == 0);
1793
1794- got = me->module_core + me->arch.got_offset;
1795+ got = me->module_core_rw + me->arch.got_offset;
1796 for (i = 0; got[i].addr; i++)
1797 if (got[i].addr == value)
1798 goto out;
1799@@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1800 #ifdef CONFIG_64BIT
1801 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1802 {
1803- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1804+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1805
1806 if (!value) {
1807 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1808@@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1809
1810 /* Create new one */
1811 fdesc->addr = value;
1812- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1813+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1814 return (Elf_Addr)fdesc;
1815 }
1816 #endif /* CONFIG_64BIT */
1817@@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1818
1819 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1820 end = table + sechdrs[me->arch.unwind_section].sh_size;
1821- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1822+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1823
1824 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1825 me->arch.unwind_section, table, end, gp);
1826diff -urNp linux-2.6.32.48/arch/parisc/kernel/sys_parisc.c linux-2.6.32.48/arch/parisc/kernel/sys_parisc.c
1827--- linux-2.6.32.48/arch/parisc/kernel/sys_parisc.c 2011-11-08 19:02:43.000000000 -0500
1828+++ linux-2.6.32.48/arch/parisc/kernel/sys_parisc.c 2011-11-15 19:59:42.000000000 -0500
1829@@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1830 /* At this point: (!vma || addr < vma->vm_end). */
1831 if (TASK_SIZE - len < addr)
1832 return -ENOMEM;
1833- if (!vma || addr + len <= vma->vm_start)
1834+ if (check_heap_stack_gap(vma, addr, len))
1835 return addr;
1836 addr = vma->vm_end;
1837 }
1838@@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1839 /* At this point: (!vma || addr < vma->vm_end). */
1840 if (TASK_SIZE - len < addr)
1841 return -ENOMEM;
1842- if (!vma || addr + len <= vma->vm_start)
1843+ if (check_heap_stack_gap(vma, addr, len))
1844 return addr;
1845 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1846 if (addr < vma->vm_end) /* handle wraparound */
1847@@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1848 if (flags & MAP_FIXED)
1849 return addr;
1850 if (!addr)
1851- addr = TASK_UNMAPPED_BASE;
1852+ addr = current->mm->mmap_base;
1853
1854 if (filp) {
1855 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1856diff -urNp linux-2.6.32.48/arch/parisc/kernel/traps.c linux-2.6.32.48/arch/parisc/kernel/traps.c
1857--- linux-2.6.32.48/arch/parisc/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
1858+++ linux-2.6.32.48/arch/parisc/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
1859@@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1860
1861 down_read(&current->mm->mmap_sem);
1862 vma = find_vma(current->mm,regs->iaoq[0]);
1863- if (vma && (regs->iaoq[0] >= vma->vm_start)
1864- && (vma->vm_flags & VM_EXEC)) {
1865-
1866+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1867 fault_address = regs->iaoq[0];
1868 fault_space = regs->iasq[0];
1869
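Review bot: The `(vma->vm_flags & VM_EXEC)` test is removed unconditionally, while the PaX changes in arch/parisc/mm/fault.c that presumably depend on it are all under `#ifdef CONFIG_PAX_PAGEEXEC`. As written, a kernel built without that option also takes the fault path for instruction addresses in non-executable mappings, which it did not before. If the behaviour change is only needed for PAGEEXEC, keeping the old condition in the `#else` case would limit it. Otherwise a comment such as `/* non-executable vmas are handled in do_page_fault() */` should state why the check is gone. `handle_interruption()` starts and ends outside the hunk.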
1870diff -urNp linux-2.6.32.48/arch/parisc/mm/fault.c linux-2.6.32.48/arch/parisc/mm/fault.c
1871--- linux-2.6.32.48/arch/parisc/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
1872+++ linux-2.6.32.48/arch/parisc/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
1873@@ -15,6 +15,7 @@
1874 #include <linux/sched.h>
1875 #include <linux/interrupt.h>
1876 #include <linux/module.h>
1877+#include <linux/unistd.h>
1878
1879 #include <asm/uaccess.h>
1880 #include <asm/traps.h>
1881@@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1882 static unsigned long
1883 parisc_acctyp(unsigned long code, unsigned int inst)
1884 {
1885- if (code == 6 || code == 16)
1886+ if (code == 6 || code == 7 || code == 16)
1887 return VM_EXEC;
1888
1889 switch (inst & 0xf0000000) {
1890@@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1891 }
1892 #endif
1893
1894+#ifdef CONFIG_PAX_PAGEEXEC
1895+/*
1896+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1897+ *
1898+ * returns 1 when task should be killed
1899+ * 2 when rt_sigreturn trampoline was detected
1900+ * 3 when unpatched PLT trampoline was detected
1901+ */
1902+static int pax_handle_fetch_fault(struct pt_regs *regs)
1903+{
1904+
1905+#ifdef CONFIG_PAX_EMUPLT
1906+ int err;
1907+
1908+ do { /* PaX: unpatched PLT emulation */
1909+ unsigned int bl, depwi;
1910+
1911+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1912+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1913+
1914+ if (err)
1915+ break;
1916+
1917+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1918+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1919+
1920+ err = get_user(ldw, (unsigned int *)addr);
1921+ err |= get_user(bv, (unsigned int *)(addr+4));
1922+ err |= get_user(ldw2, (unsigned int *)(addr+8));
1923+
1924+ if (err)
1925+ break;
1926+
1927+ if (ldw == 0x0E801096U &&
1928+ bv == 0xEAC0C000U &&
1929+ ldw2 == 0x0E881095U)
1930+ {
1931+ unsigned int resolver, map;
1932+
1933+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1934+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1935+ if (err)
1936+ break;
1937+
1938+ regs->gr[20] = instruction_pointer(regs)+8;
1939+ regs->gr[21] = map;
1940+ regs->gr[22] = resolver;
1941+ regs->iaoq[0] = resolver | 3UL;
1942+ regs->iaoq[1] = regs->iaoq[0] + 4;
1943+ return 3;
1944+ }
1945+ }
1946+ } while (0);
1947+#endif
1948+
1949+#ifdef CONFIG_PAX_EMUTRAMP
1950+
1951+#ifndef CONFIG_PAX_EMUSIGRT
1952+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1953+ return 1;
1954+#endif
1955+
1956+ do { /* PaX: rt_sigreturn emulation */
1957+ unsigned int ldi1, ldi2, bel, nop;
1958+
1959+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1960+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1961+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1962+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1963+
1964+ if (err)
1965+ break;
1966+
1967+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1968+ ldi2 == 0x3414015AU &&
1969+ bel == 0xE4008200U &&
1970+ nop == 0x08000240U)
1971+ {
1972+ regs->gr[25] = (ldi1 & 2) >> 1;
1973+ regs->gr[20] = __NR_rt_sigreturn;
1974+ regs->gr[31] = regs->iaoq[1] + 16;
1975+ regs->sr[0] = regs->iasq[1];
1976+ regs->iaoq[0] = 0x100UL;
1977+ regs->iaoq[1] = regs->iaoq[0] + 4;
1978+ regs->iasq[0] = regs->sr[2];
1979+ regs->iasq[1] = regs->sr[2];
1980+ return 2;
1981+ }
1982+ } while (0);
1983+#endif
1984+
1985+ return 1;
1986+}
1987+
1988+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
1989+{
1990+ unsigned long i;
1991+
1992+ printk(KERN_ERR "PAX: bytes at PC: ");
1993+ for (i = 0; i < 5; i++) {
1994+ unsigned int c;
1995+ if (get_user(c, (unsigned int *)pc+i))
1996+ printk(KERN_CONT "???????? ");
1997+ else
1998+ printk(KERN_CONT "%08x ", c);
1999+ }
2000+ printk("\n");
2001+}
2002+#endif
2003+
2004 int fixup_exception(struct pt_regs *regs)
2005 {
2006 const struct exception_table_entry *fix;
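Review bot: In `pax_handle_fetch_fault()` the variable `err` is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the rt_sigreturn block under `#ifdef CONFIG_PAX_EMUTRAMP` assigns to it as well. A configuration with EMUTRAMP enabled and EMUPLT disabled would fail to compile, unless Kconfig rules not visible here forbid that combination. Declaring it under both options fixes this: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` / `int err;` / `#endif`. Separately, `addr` in the PLT block is an `unsigned int` initialised from `instruction_pointer(regs)-12`, which would truncate a 64-bit address; if only 32-bit tasks can reach this path, a comment should say so.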
2007@@ -192,8 +303,33 @@ good_area:
2008
2009 acc_type = parisc_acctyp(code,regs->iir);
2010
2011- if ((vma->vm_flags & acc_type) != acc_type)
2012+ if ((vma->vm_flags & acc_type) != acc_type) {
2013+
2014+#ifdef CONFIG_PAX_PAGEEXEC
2015+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
2016+ (address & ~3UL) == instruction_pointer(regs))
2017+ {
2018+ up_read(&mm->mmap_sem);
2019+ switch (pax_handle_fetch_fault(regs)) {
2020+
2021+#ifdef CONFIG_PAX_EMUPLT
2022+ case 3:
2023+ return;
2024+#endif
2025+
2026+#ifdef CONFIG_PAX_EMUTRAMP
2027+ case 2:
2028+ return;
2029+#endif
2030+
2031+ }
2032+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
2033+ do_group_exit(SIGKILL);
2034+ }
2035+#endif
2036+
2037 goto bad_area;
2038+ }
2039
2040 /*
2041 * If for any reason at all we couldn't handle the fault, make
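Review bot: The `switch (pax_handle_fetch_fault(regs))` has no label for the documented return value 1, and with both `CONFIG_PAX_EMUPLT` and `CONFIG_PAX_EMUTRAMP` disabled it has no labels at all. The kill path works only because every unhandled value falls out of the switch into `pax_report_fault()` and `do_group_exit(SIGKILL)`. I would make that explicit with `default: break; /* 1: report and kill the task */`. A comment on the `up_read(&mm->mmap_sem)` call should note that the semaphore is dropped here because neither the `return` cases nor the exit path reach the function's normal unlock. The enclosing function starts outside the hunk.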
2042diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/device.h linux-2.6.32.48/arch/powerpc/include/asm/device.h
2043--- linux-2.6.32.48/arch/powerpc/include/asm/device.h 2011-11-08 19:02:43.000000000 -0500
2044+++ linux-2.6.32.48/arch/powerpc/include/asm/device.h 2011-11-15 19:59:42.000000000 -0500
2045@@ -14,7 +14,7 @@ struct dev_archdata {
2046 struct device_node *of_node;
2047
2048 /* DMA operations on that device */
2049- struct dma_map_ops *dma_ops;
2050+ const struct dma_map_ops *dma_ops;
2051
2052 /*
2053 * When an iommu is in use, dma_data is used as a ptr to the base of the
2054diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.48/arch/powerpc/include/asm/dma-mapping.h
2055--- linux-2.6.32.48/arch/powerpc/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
2056+++ linux-2.6.32.48/arch/powerpc/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
2057@@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
2058 #ifdef CONFIG_PPC64
2059 extern struct dma_map_ops dma_iommu_ops;
2060 #endif
2061-extern struct dma_map_ops dma_direct_ops;
2062+extern const struct dma_map_ops dma_direct_ops;
2063
2064-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2065+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2066 {
2067 /* We don't handle the NULL dev case for ISA for now. We could
2068 * do it via an out of line call but it is not needed for now. The
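Review bot: `dma_direct_ops` becomes `const` here, but the context line `extern struct dma_map_ops dma_iommu_ops;` just above it stays writable. This series const-qualifies the ops-table declarations and pointers elsewhere in this file and in swiotlb.h, so that ops tables cannot be overwritten at run time; an exception weakens that property for this table. If it must remain writable, perhaps because it is patched during setup (the asm/iommu.h hunk exporting `dma_iommu_dma_supported()` hints at this), it should carry the same marker the patch uses in arch/mips/kernel/kgdb.c: `/* cannot be const */`.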
2069@@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
2070 return dev->archdata.dma_ops;
2071 }
2072
2073-static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2074+static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2075 {
2076 dev->archdata.dma_ops = ops;
2077 }
2078@@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
2079
2080 static inline int dma_supported(struct device *dev, u64 mask)
2081 {
2082- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2083+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2084
2085 if (unlikely(dma_ops == NULL))
2086 return 0;
2087@@ -132,7 +132,7 @@ static inline int dma_supported(struct d
2088
2089 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2090 {
2091- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2092+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2093
2094 if (unlikely(dma_ops == NULL))
2095 return -EIO;
2096@@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
2097 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2098 dma_addr_t *dma_handle, gfp_t flag)
2099 {
2100- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2101+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2102 void *cpu_addr;
2103
2104 BUG_ON(!dma_ops);
2105@@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
2106 static inline void dma_free_coherent(struct device *dev, size_t size,
2107 void *cpu_addr, dma_addr_t dma_handle)
2108 {
2109- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2110+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2111
2112 BUG_ON(!dma_ops);
2113
2114@@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
2115
2116 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2117 {
2118- struct dma_map_ops *dma_ops = get_dma_ops(dev);
2119+ const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2120
2121 if (dma_ops->mapping_error)
2122 return dma_ops->mapping_error(dev, dma_addr);
2123diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/elf.h linux-2.6.32.48/arch/powerpc/include/asm/elf.h
2124--- linux-2.6.32.48/arch/powerpc/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
2125+++ linux-2.6.32.48/arch/powerpc/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
2126@@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2127 the loader. We need to make sure that it is out of the way of the program
2128 that it will "exec", and that there is sufficient room for the brk. */
2129
2130-extern unsigned long randomize_et_dyn(unsigned long base);
2131-#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2132+#define ELF_ET_DYN_BASE (0x20000000)
2133+
2134+#ifdef CONFIG_PAX_ASLR
2135+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2136+
2137+#ifdef __powerpc64__
2138+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2139+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2140+#else
2141+#define PAX_DELTA_MMAP_LEN 15
2142+#define PAX_DELTA_STACK_LEN 15
2143+#endif
2144+#endif
2145
2146 /*
2147 * Our registers are always unsigned longs, whether we're a 32 bit
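Review bot: The `randomize_et_dyn()` call is removed outside the `#ifdef CONFIG_PAX_ASLR`, so with that option unset `ELF_ET_DYN_BASE` is the fixed value `0x20000000`. The same thing happens in three other places: the next hunk drops `arch_randomize_brk`, the asm/system.h hunk reduces `arch_align_stack()` to a plain `& ~0xfUL` mask, and the arch/mips/kernel/process.c hunk deletes its randomising `arch_align_stack()`. Whether generic code elsewhere in the patch restores randomisation for non-PaX builds is not visible from here; if it does not, such builds lose address-space randomisation they had before. A comment should state where the randomisation now happens, or the original definitions should be kept in an `#else` branch.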
2148@@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
2149 (0x7ff >> (PAGE_SHIFT - 12)) : \
2150 (0x3ffff >> (PAGE_SHIFT - 12)))
2151
2152-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2153-#define arch_randomize_brk arch_randomize_brk
2154-
2155 #endif /* __KERNEL__ */
2156
2157 /*
2158diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/iommu.h linux-2.6.32.48/arch/powerpc/include/asm/iommu.h
2159--- linux-2.6.32.48/arch/powerpc/include/asm/iommu.h 2011-11-08 19:02:43.000000000 -0500
2160+++ linux-2.6.32.48/arch/powerpc/include/asm/iommu.h 2011-11-15 19:59:42.000000000 -0500
2161@@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2162 extern void iommu_init_early_dart(void);
2163 extern void iommu_init_early_pasemi(void);
2164
2165+/* dma-iommu.c */
2166+extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2167+
2168 #ifdef CONFIG_PCI
2169 extern void pci_iommu_init(void);
2170 extern void pci_direct_iommu_init(void);
2171diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.48/arch/powerpc/include/asm/kmap_types.h
2172--- linux-2.6.32.48/arch/powerpc/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
2173+++ linux-2.6.32.48/arch/powerpc/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
2174@@ -26,6 +26,7 @@ enum km_type {
2175 KM_SOFTIRQ1,
2176 KM_PPC_SYNC_PAGE,
2177 KM_PPC_SYNC_ICACHE,
2178+ KM_CLEARPAGE,
2179 KM_TYPE_NR
2180 };
2181
2182diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/page_64.h linux-2.6.32.48/arch/powerpc/include/asm/page_64.h
2183--- linux-2.6.32.48/arch/powerpc/include/asm/page_64.h 2011-11-08 19:02:43.000000000 -0500
2184+++ linux-2.6.32.48/arch/powerpc/include/asm/page_64.h 2011-11-15 19:59:42.000000000 -0500
2185@@ -180,15 +180,18 @@ do { \
2186 * stack by default, so in the absense of a PT_GNU_STACK program header
2187 * we turn execute permission off.
2188 */
2189-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2190- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2191+#define VM_STACK_DEFAULT_FLAGS32 \
2192+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2193+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2194
2195 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2196 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2197
2198+#ifndef CONFIG_PAX_PAGEEXEC
2199 #define VM_STACK_DEFAULT_FLAGS \
2200 (test_thread_flag(TIF_32BIT) ? \
2201 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2202+#endif
2203
2204 #include <asm-generic/getorder.h>
2205
2206diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/page.h linux-2.6.32.48/arch/powerpc/include/asm/page.h
2207--- linux-2.6.32.48/arch/powerpc/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
2208+++ linux-2.6.32.48/arch/powerpc/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
2209@@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2210 * and needs to be executable. This means the whole heap ends
2211 * up being executable.
2212 */
2213-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2214- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2215+#define VM_DATA_DEFAULT_FLAGS32 \
2216+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2217+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2218
2219 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2220 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
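Review bot: The comment above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which the new definition no longer matches. `VM_EXEC` is now set only when `current->personality` has `READ_IMPLIES_EXEC`. I would append a sentence to the comment, for example "With this change the heap is executable only for tasks with READ_IMPLIES_EXEC set in their personality." The macro now expands to an expression that reads `current`, so it is no longer a compile-time constant; any user that relied on that would need checking. The comment begins outside the hunk.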
2221@@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2222 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2223 #endif
2224
2225+#define ktla_ktva(addr) (addr)
2226+#define ktva_ktla(addr) (addr)
2227+
2228 #ifndef __ASSEMBLY__
2229
2230 #undef STRICT_MM_TYPECHECKS
2231diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/pci.h linux-2.6.32.48/arch/powerpc/include/asm/pci.h
2232--- linux-2.6.32.48/arch/powerpc/include/asm/pci.h 2011-11-08 19:02:43.000000000 -0500
2233+++ linux-2.6.32.48/arch/powerpc/include/asm/pci.h 2011-11-15 19:59:42.000000000 -0500
2234@@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2235 }
2236
2237 #ifdef CONFIG_PCI
2238-extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2239-extern struct dma_map_ops *get_pci_dma_ops(void);
2240+extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2241+extern const struct dma_map_ops *get_pci_dma_ops(void);
2242 #else /* CONFIG_PCI */
2243 #define set_pci_dma_ops(d)
2244 #define get_pci_dma_ops() NULL
2245diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/pgtable.h linux-2.6.32.48/arch/powerpc/include/asm/pgtable.h
2246--- linux-2.6.32.48/arch/powerpc/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
2247+++ linux-2.6.32.48/arch/powerpc/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
2248@@ -2,6 +2,7 @@
2249 #define _ASM_POWERPC_PGTABLE_H
2250 #ifdef __KERNEL__
2251
2252+#include <linux/const.h>
2253 #ifndef __ASSEMBLY__
2254 #include <asm/processor.h> /* For TASK_SIZE */
2255 #include <asm/mmu.h>
2256diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.48/arch/powerpc/include/asm/pte-hash32.h
2257--- linux-2.6.32.48/arch/powerpc/include/asm/pte-hash32.h 2011-11-08 19:02:43.000000000 -0500
2258+++ linux-2.6.32.48/arch/powerpc/include/asm/pte-hash32.h 2011-11-15 19:59:42.000000000 -0500
2259@@ -21,6 +21,7 @@
2260 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2261 #define _PAGE_USER 0x004 /* usermode access allowed */
2262 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2263+#define _PAGE_EXEC _PAGE_GUARDED
2264 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2265 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2266 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2267diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/ptrace.h linux-2.6.32.48/arch/powerpc/include/asm/ptrace.h
2268--- linux-2.6.32.48/arch/powerpc/include/asm/ptrace.h 2011-11-08 19:02:43.000000000 -0500
2269+++ linux-2.6.32.48/arch/powerpc/include/asm/ptrace.h 2011-11-15 19:59:42.000000000 -0500
2270@@ -103,7 +103,7 @@ extern unsigned long profile_pc(struct p
2271 } while(0)
2272
2273 struct task_struct;
2274-extern unsigned long ptrace_get_reg(struct task_struct *task, int regno);
2275+extern unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno);
2276 extern int ptrace_put_reg(struct task_struct *task, int regno,
2277 unsigned long data);
2278
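Review bot: `ptrace_get_reg()` now takes `unsigned int regno`, but `ptrace_put_reg()` on the following context lines keeps `int regno`. If the type was changed so that a negative register number cannot slip past an upper-bound check, the write path needs the same treatment at least as much as the read path. The definitions are not visible here, so this may already be handled inside `ptrace_put_reg()`. Otherwise the prototype should read `extern int ptrace_put_reg(struct task_struct *task, unsigned int regno,` with the definition changed to match.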
2279diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/reg.h linux-2.6.32.48/arch/powerpc/include/asm/reg.h
2280--- linux-2.6.32.48/arch/powerpc/include/asm/reg.h 2011-11-08 19:02:43.000000000 -0500
2281+++ linux-2.6.32.48/arch/powerpc/include/asm/reg.h 2011-11-15 19:59:42.000000000 -0500
2282@@ -191,6 +191,7 @@
2283 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2284 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2285 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2286+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2287 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2288 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2289 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2290diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.48/arch/powerpc/include/asm/swiotlb.h
2291--- linux-2.6.32.48/arch/powerpc/include/asm/swiotlb.h 2011-11-08 19:02:43.000000000 -0500
2292+++ linux-2.6.32.48/arch/powerpc/include/asm/swiotlb.h 2011-11-15 19:59:42.000000000 -0500
2293@@ -13,7 +13,7 @@
2294
2295 #include <linux/swiotlb.h>
2296
2297-extern struct dma_map_ops swiotlb_dma_ops;
2298+extern const struct dma_map_ops swiotlb_dma_ops;
2299
2300 static inline void dma_mark_clean(void *addr, size_t size) {}
2301
2302diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/system.h linux-2.6.32.48/arch/powerpc/include/asm/system.h
2303--- linux-2.6.32.48/arch/powerpc/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
2304+++ linux-2.6.32.48/arch/powerpc/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
2305@@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2306 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2307 #endif
2308
2309-extern unsigned long arch_align_stack(unsigned long sp);
2310+#define arch_align_stack(x) ((x) & ~0xfUL)
2311
2312 /* Used in very early kernel initialization. */
2313 extern unsigned long reloc_offset(void);
2314diff -urNp linux-2.6.32.48/arch/powerpc/include/asm/uaccess.h linux-2.6.32.48/arch/powerpc/include/asm/uaccess.h
2315--- linux-2.6.32.48/arch/powerpc/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
2316+++ linux-2.6.32.48/arch/powerpc/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
2317@@ -13,6 +13,8 @@
2318 #define VERIFY_READ 0
2319 #define VERIFY_WRITE 1
2320
2321+extern void check_object_size(const void *ptr, unsigned long n, bool to);
2322+
2323 /*
2324 * The fs value determines whether argument validity checking should be
2325 * performed or not. If get_fs() == USER_DS, checking is performed, with
2326@@ -327,52 +329,6 @@ do { \
2327 extern unsigned long __copy_tofrom_user(void __user *to,
2328 const void __user *from, unsigned long size);
2329
2330-#ifndef __powerpc64__
2331-
2332-static inline unsigned long copy_from_user(void *to,
2333- const void __user *from, unsigned long n)
2334-{
2335- unsigned long over;
2336-
2337- if (access_ok(VERIFY_READ, from, n))
2338- return __copy_tofrom_user((__force void __user *)to, from, n);
2339- if ((unsigned long)from < TASK_SIZE) {
2340- over = (unsigned long)from + n - TASK_SIZE;
2341- return __copy_tofrom_user((__force void __user *)to, from,
2342- n - over) + over;
2343- }
2344- return n;
2345-}
2346-
2347-static inline unsigned long copy_to_user(void __user *to,
2348- const void *from, unsigned long n)
2349-{
2350- unsigned long over;
2351-
2352- if (access_ok(VERIFY_WRITE, to, n))
2353- return __copy_tofrom_user(to, (__force void __user *)from, n);
2354- if ((unsigned long)to < TASK_SIZE) {
2355- over = (unsigned long)to + n - TASK_SIZE;
2356- return __copy_tofrom_user(to, (__force void __user *)from,
2357- n - over) + over;
2358- }
2359- return n;
2360-}
2361-
2362-#else /* __powerpc64__ */
2363-
2364-#define __copy_in_user(to, from, size) \
2365- __copy_tofrom_user((to), (from), (size))
2366-
2367-extern unsigned long copy_from_user(void *to, const void __user *from,
2368- unsigned long n);
2369-extern unsigned long copy_to_user(void __user *to, const void *from,
2370- unsigned long n);
2371-extern unsigned long copy_in_user(void __user *to, const void __user *from,
2372- unsigned long n);
2373-
2374-#endif /* __powerpc64__ */
2375-
2376 static inline unsigned long __copy_from_user_inatomic(void *to,
2377 const void __user *from, unsigned long n)
2378 {
2379@@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2380 if (ret == 0)
2381 return 0;
2382 }
2383+
2384+ if (!__builtin_constant_p(n))
2385+ check_object_size(to, n, false);
2386+
2387 return __copy_tofrom_user((__force void __user *)to, from, n);
2388 }
2389
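Review bot: The added guard `if (!__builtin_constant_p(n))` in `__copy_from_user_inatomic` skips `check_object_size()` for every compile-time-constant length, and nothing at the call site says why that is safe. A one-line comment such as `/* only runtime-sized copies are checked; a constant n is fixed at build time */` would record the assumption for the next reader. The same guard is repeated in the `__copy_to_user_inatomic` hunk that follows and in the `copy_from_user`/`copy_to_user` definitions added further down. The function's body starts outside this hunk.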
2390@@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2391 if (ret == 0)
2392 return 0;
2393 }
2394+
2395+ if (!__builtin_constant_p(n))
2396+ check_object_size(from, n, true);
2397+
2398 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2399 }
2400
2401@@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2402 return __copy_to_user_inatomic(to, from, size);
2403 }
2404
2405+#ifndef __powerpc64__
2406+
2407+static inline unsigned long __must_check copy_from_user(void *to,
2408+ const void __user *from, unsigned long n)
2409+{
2410+ unsigned long over;
2411+
2412+ if ((long)n < 0)
2413+ return n;
2414+
2415+ if (access_ok(VERIFY_READ, from, n)) {
2416+ if (!__builtin_constant_p(n))
2417+ check_object_size(to, n, false);
2418+ return __copy_tofrom_user((__force void __user *)to, from, n);
2419+ }
2420+ if ((unsigned long)from < TASK_SIZE) {
2421+ over = (unsigned long)from + n - TASK_SIZE;
2422+ if (!__builtin_constant_p(n - over))
2423+ check_object_size(to, n - over, false);
2424+ return __copy_tofrom_user((__force void __user *)to, from,
2425+ n - over) + over;
2426+ }
2427+ return n;
2428+}
2429+
2430+static inline unsigned long __must_check copy_to_user(void __user *to,
2431+ const void *from, unsigned long n)
2432+{
2433+ unsigned long over;
2434+
2435+ if ((long)n < 0)
2436+ return n;
2437+
2438+ if (access_ok(VERIFY_WRITE, to, n)) {
2439+ if (!__builtin_constant_p(n))
2440+ check_object_size(from, n, true);
2441+ return __copy_tofrom_user(to, (__force void __user *)from, n);
2442+ }
2443+ if ((unsigned long)to < TASK_SIZE) {
2444+ over = (unsigned long)to + n - TASK_SIZE;
2445+ if (!__builtin_constant_p(n))
2446+ check_object_size(from, n - over, true);
2447+ return __copy_tofrom_user(to, (__force void __user *)from,
2448+ n - over) + over;
2449+ }
2450+ return n;
2451+}
2452+
2453+#else /* __powerpc64__ */
2454+
2455+#define __copy_in_user(to, from, size) \
2456+ __copy_tofrom_user((to), (from), (size))
2457+
2458+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2459+{
2460+ if ((long)n < 0 || n > INT_MAX)
2461+ return n;
2462+
2463+ if (!__builtin_constant_p(n))
2464+ check_object_size(to, n, false);
2465+
2466+ if (likely(access_ok(VERIFY_READ, from, n)))
2467+ n = __copy_from_user(to, from, n);
2468+ else
2469+ memset(to, 0, n);
2470+ return n;
2471+}
2472+
2473+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2474+{
2475+ if ((long)n < 0 || n > INT_MAX)
2476+ return n;
2477+
2478+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
2479+ if (!__builtin_constant_p(n))
2480+ check_object_size(from, n, true);
2481+ n = __copy_to_user(to, from, n);
2482+ }
2483+ return n;
2484+}
2485+
2486+extern unsigned long copy_in_user(void __user *to, const void __user *from,
2487+ unsigned long n);
2488+
2489+#endif /* __powerpc64__ */
2490+
2491 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2492
2493 static inline unsigned long clear_user(void __user *addr, unsigned long size)
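Review bot: The 32-bit `copy_from_user` added here leaves the kernel destination untouched when it returns `n` after a failed `access_ok()`, while the ppc64 variant in the same hunk clears it with `memset(to, 0, n)`. A caller that mishandles the return value would then go on to use whatever the buffer held before. Adding `memset(to, 0, n);` before the final `return n;` of the 32-bit version would make the two agree; the `(long)n < 0` early return cannot be zeroed and has to rely on `__must_check`. Separately, the partial-copy branch of 32-bit `copy_to_user` tests `__builtin_constant_p(n)` where `copy_from_user` tests `__builtin_constant_p(n - over)`, and one form should be used in both.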
2494diff -urNp linux-2.6.32.48/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.48/arch/powerpc/kernel/cacheinfo.c
2495--- linux-2.6.32.48/arch/powerpc/kernel/cacheinfo.c 2011-11-08 19:02:43.000000000 -0500
2496+++ linux-2.6.32.48/arch/powerpc/kernel/cacheinfo.c 2011-11-15 19:59:42.000000000 -0500
2497@@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2498 &cache_assoc_attr,
2499 };
2500
2501-static struct sysfs_ops cache_index_ops = {
2502+static const struct sysfs_ops cache_index_ops = {
2503 .show = cache_index_show,
2504 };
2505
2506diff -urNp linux-2.6.32.48/arch/powerpc/kernel/dma.c linux-2.6.32.48/arch/powerpc/kernel/dma.c
2507--- linux-2.6.32.48/arch/powerpc/kernel/dma.c 2011-11-08 19:02:43.000000000 -0500
2508+++ linux-2.6.32.48/arch/powerpc/kernel/dma.c 2011-11-15 19:59:42.000000000 -0500
2509@@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2510 }
2511 #endif
2512
2513-struct dma_map_ops dma_direct_ops = {
2514+const struct dma_map_ops dma_direct_ops = {
2515 .alloc_coherent = dma_direct_alloc_coherent,
2516 .free_coherent = dma_direct_free_coherent,
2517 .map_sg = dma_direct_map_sg,
2518diff -urNp linux-2.6.32.48/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.48/arch/powerpc/kernel/dma-iommu.c
2519--- linux-2.6.32.48/arch/powerpc/kernel/dma-iommu.c 2011-11-08 19:02:43.000000000 -0500
2520+++ linux-2.6.32.48/arch/powerpc/kernel/dma-iommu.c 2011-11-15 19:59:42.000000000 -0500
2521@@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2522 }
2523
2524 /* We support DMA to/from any memory page via the iommu */
2525-static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2526+int dma_iommu_dma_supported(struct device *dev, u64 mask)
2527 {
2528 struct iommu_table *tbl = get_iommu_table_base(dev);
2529
2530diff -urNp linux-2.6.32.48/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.48/arch/powerpc/kernel/dma-swiotlb.c
2531--- linux-2.6.32.48/arch/powerpc/kernel/dma-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
2532+++ linux-2.6.32.48/arch/powerpc/kernel/dma-swiotlb.c 2011-11-15 19:59:42.000000000 -0500
2533@@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2534 * map_page, and unmap_page on highmem, use normal dma_ops
2535 * for everything else.
2536 */
2537-struct dma_map_ops swiotlb_dma_ops = {
2538+const struct dma_map_ops swiotlb_dma_ops = {
2539 .alloc_coherent = dma_direct_alloc_coherent,
2540 .free_coherent = dma_direct_free_coherent,
2541 .map_sg = swiotlb_map_sg_attrs,
2542diff -urNp linux-2.6.32.48/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.48/arch/powerpc/kernel/exceptions-64e.S
2543--- linux-2.6.32.48/arch/powerpc/kernel/exceptions-64e.S 2011-11-08 19:02:43.000000000 -0500
2544+++ linux-2.6.32.48/arch/powerpc/kernel/exceptions-64e.S 2011-11-15 19:59:42.000000000 -0500
2545@@ -455,6 +455,7 @@ storage_fault_common:
2546 std r14,_DAR(r1)
2547 std r15,_DSISR(r1)
2548 addi r3,r1,STACK_FRAME_OVERHEAD
2549+ bl .save_nvgprs
2550 mr r4,r14
2551 mr r5,r15
2552 ld r14,PACA_EXGEN+EX_R14(r13)
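Review bot: The added `bl .save_nvgprs` runs while r14 and r15 still hold the DAR and DSISR values stored two lines above, and before `ld r14,PACA_EXGEN+EX_R14(r13)` reloads the interrupted context's r14. If save_nvgprs stores r14 to r31 into the exception frame, as its name suggests, the frame would record those scratch values instead of the interrupted registers, and a later full register restore or register dump would pick them up. Placing the call after the r14/r15 reloads from the PACA would avoid that. The r15 reload and the call into the fault handler sit between this hunk and the next and are not shown, so this needs confirming against the full routine.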
2553@@ -464,8 +465,7 @@ storage_fault_common:
2554 cmpdi r3,0
2555 bne- 1f
2556 b .ret_from_except_lite
2557-1: bl .save_nvgprs
2558- mr r5,r3
2559+1: mr r5,r3
2560 addi r3,r1,STACK_FRAME_OVERHEAD
2561 ld r4,_DAR(r1)
2562 bl .bad_page_fault
2563diff -urNp linux-2.6.32.48/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.48/arch/powerpc/kernel/exceptions-64s.S
2564--- linux-2.6.32.48/arch/powerpc/kernel/exceptions-64s.S 2011-11-08 19:02:43.000000000 -0500
2565+++ linux-2.6.32.48/arch/powerpc/kernel/exceptions-64s.S 2011-11-15 19:59:42.000000000 -0500
2566@@ -818,10 +818,10 @@ handle_page_fault:
2567 11: ld r4,_DAR(r1)
2568 ld r5,_DSISR(r1)
2569 addi r3,r1,STACK_FRAME_OVERHEAD
2570+ bl .save_nvgprs
2571 bl .do_page_fault
2572 cmpdi r3,0
2573 beq+ 13f
2574- bl .save_nvgprs
2575 mr r5,r3
2576 addi r3,r1,STACK_FRAME_OVERHEAD
2577 lwz r4,_DAR(r1)
2578diff -urNp linux-2.6.32.48/arch/powerpc/kernel/ibmebus.c linux-2.6.32.48/arch/powerpc/kernel/ibmebus.c
2579--- linux-2.6.32.48/arch/powerpc/kernel/ibmebus.c 2011-11-08 19:02:43.000000000 -0500
2580+++ linux-2.6.32.48/arch/powerpc/kernel/ibmebus.c 2011-11-15 19:59:42.000000000 -0500
2581@@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2582 return 1;
2583 }
2584
2585-static struct dma_map_ops ibmebus_dma_ops = {
2586+static const struct dma_map_ops ibmebus_dma_ops = {
2587 .alloc_coherent = ibmebus_alloc_coherent,
2588 .free_coherent = ibmebus_free_coherent,
2589 .map_sg = ibmebus_map_sg,
2590diff -urNp linux-2.6.32.48/arch/powerpc/kernel/kgdb.c linux-2.6.32.48/arch/powerpc/kernel/kgdb.c
2591--- linux-2.6.32.48/arch/powerpc/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
2592+++ linux-2.6.32.48/arch/powerpc/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
2593@@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2594 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2595 return 0;
2596
2597- if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2598+ if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2599 regs->nip += 4;
2600
2601 return 1;
2602@@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2603 /*
2604 * Global data
2605 */
2606-struct kgdb_arch arch_kgdb_ops = {
2607+const struct kgdb_arch arch_kgdb_ops = {
2608 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2609 };
2610
2611diff -urNp linux-2.6.32.48/arch/powerpc/kernel/module_32.c linux-2.6.32.48/arch/powerpc/kernel/module_32.c
2612--- linux-2.6.32.48/arch/powerpc/kernel/module_32.c 2011-11-08 19:02:43.000000000 -0500
2613+++ linux-2.6.32.48/arch/powerpc/kernel/module_32.c 2011-11-15 19:59:42.000000000 -0500
2614@@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2615 me->arch.core_plt_section = i;
2616 }
2617 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2618- printk("Module doesn't contain .plt or .init.plt sections.\n");
2619+ printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2620 return -ENOEXEC;
2621 }
2622
2623@@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2624
2625 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2626 /* Init, or core PLT? */
2627- if (location >= mod->module_core
2628- && location < mod->module_core + mod->core_size)
2629+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2630+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2631 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2632- else
2633+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2634+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2635 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2636+ else {
2637+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2638+ return ~0UL;
2639+ }
2640
2641 /* Find this entry, or if that fails, the next avail. entry */
2642 while (entry->jump[0]) {
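Review bot: The new `return ~0UL;` turns 0xffffffff into a failure value of `do_plt_call()`, whose return type is `uint32_t`, but nothing in this hunk shows a caller testing for it. If the relocation code uses the result directly, a location outside every module region would be logged and then still encoded as a branch target. The caller, which is outside this hunk, should reject the value and fail the module load. The contract is worth a comment at the return, for example `/* ~0: location is in no region of this module; caller must fail the load */`.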
2643diff -urNp linux-2.6.32.48/arch/powerpc/kernel/module.c linux-2.6.32.48/arch/powerpc/kernel/module.c
2644--- linux-2.6.32.48/arch/powerpc/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
2645+++ linux-2.6.32.48/arch/powerpc/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
2646@@ -31,11 +31,24 @@
2647
2648 LIST_HEAD(module_bug_list);
2649
2650+#ifdef CONFIG_PAX_KERNEXEC
2651 void *module_alloc(unsigned long size)
2652 {
2653 if (size == 0)
2654 return NULL;
2655
2656+ return vmalloc(size);
2657+}
2658+
2659+void *module_alloc_exec(unsigned long size)
2660+#else
2661+void *module_alloc(unsigned long size)
2662+#endif
2663+
2664+{
2665+ if (size == 0)
2666+ return NULL;
2667+
2668 return vmalloc_exec(size);
2669 }
2670
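Review bot: The `#ifdef CONFIG_PAX_KERNEXEC` block ends on a bare signature line, `void *module_alloc_exec(unsigned long size)`, whose body is the pre-existing function body after `#endif`, so the same braces belong to `module_alloc_exec` or to `module_alloc` depending on configuration. That is easy to misread, the more so with the blank line left between `#endif` and `{`. A comment above the `#ifdef` would help, for example `/* KERNEXEC: module_alloc() uses vmalloc(); only module_alloc_exec() uses vmalloc_exec() */`, or each variant could be written out in full.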
2671@@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2672 vfree(module_region);
2673 }
2674
2675+#ifdef CONFIG_PAX_KERNEXEC
2676+void module_free_exec(struct module *mod, void *module_region)
2677+{
2678+ module_free(mod, module_region);
2679+}
2680+#endif
2681+
2682 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2683 const Elf_Shdr *sechdrs,
2684 const char *name)
2685diff -urNp linux-2.6.32.48/arch/powerpc/kernel/pci-common.c linux-2.6.32.48/arch/powerpc/kernel/pci-common.c
2686--- linux-2.6.32.48/arch/powerpc/kernel/pci-common.c 2011-11-08 19:02:43.000000000 -0500
2687+++ linux-2.6.32.48/arch/powerpc/kernel/pci-common.c 2011-11-15 19:59:42.000000000 -0500
2688@@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2689 unsigned int ppc_pci_flags = 0;
2690
2691
2692-static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2693+static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2694
2695-void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2696+void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2697 {
2698 pci_dma_ops = dma_ops;
2699 }
2700
2701-struct dma_map_ops *get_pci_dma_ops(void)
2702+const struct dma_map_ops *get_pci_dma_ops(void)
2703 {
2704 return pci_dma_ops;
2705 }
2706diff -urNp linux-2.6.32.48/arch/powerpc/kernel/process.c linux-2.6.32.48/arch/powerpc/kernel/process.c
2707--- linux-2.6.32.48/arch/powerpc/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
2708+++ linux-2.6.32.48/arch/powerpc/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
2709@@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2710 * Lookup NIP late so we have the best change of getting the
2711 * above info out without failing
2712 */
2713- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2714- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2715+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2716+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2717 #endif
2718 show_stack(current, (unsigned long *) regs->gpr[1]);
2719 if (!user_mode(regs))
2720@@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2721 newsp = stack[0];
2722 ip = stack[STACK_FRAME_LR_SAVE];
2723 if (!firstframe || ip != lr) {
2724- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2725+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2726 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2727 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2728- printk(" (%pS)",
2729+ printk(" (%pA)",
2730 (void *)current->ret_stack[curr_frame].ret);
2731 curr_frame--;
2732 }
2733@@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2734 struct pt_regs *regs = (struct pt_regs *)
2735 (sp + STACK_FRAME_OVERHEAD);
2736 lr = regs->link;
2737- printk("--- Exception: %lx at %pS\n LR = %pS\n",
2738+ printk("--- Exception: %lx at %pA\n LR = %pA\n",
2739 regs->trap, (void *)regs->nip, (void *)lr);
2740 firstframe = 1;
2741 }
2742@@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2743 }
2744
2745 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2746-
2747-unsigned long arch_align_stack(unsigned long sp)
2748-{
2749- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2750- sp -= get_random_int() & ~PAGE_MASK;
2751- return sp & ~0xf;
2752-}
2753-
2754-static inline unsigned long brk_rnd(void)
2755-{
2756- unsigned long rnd = 0;
2757-
2758- /* 8MB for 32bit, 1GB for 64bit */
2759- if (is_32bit_task())
2760- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2761- else
2762- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2763-
2764- return rnd << PAGE_SHIFT;
2765-}
2766-
2767-unsigned long arch_randomize_brk(struct mm_struct *mm)
2768-{
2769- unsigned long base = mm->brk;
2770- unsigned long ret;
2771-
2772-#ifdef CONFIG_PPC_STD_MMU_64
2773- /*
2774- * If we are using 1TB segments and we are allowed to randomise
2775- * the heap, we can put it above 1TB so it is backed by a 1TB
2776- * segment. Otherwise the heap will be in the bottom 1TB
2777- * which always uses 256MB segments and this may result in a
2778- * performance penalty.
2779- */
2780- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2781- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2782-#endif
2783-
2784- ret = PAGE_ALIGN(base + brk_rnd());
2785-
2786- if (ret < mm->brk)
2787- return mm->brk;
2788-
2789- return ret;
2790-}
2791-
2792-unsigned long randomize_et_dyn(unsigned long base)
2793-{
2794- unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2795-
2796- if (ret < base)
2797- return base;
2798-
2799- return ret;
2800-}
2801diff -urNp linux-2.6.32.48/arch/powerpc/kernel/ptrace.c linux-2.6.32.48/arch/powerpc/kernel/ptrace.c
2802--- linux-2.6.32.48/arch/powerpc/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
2803+++ linux-2.6.32.48/arch/powerpc/kernel/ptrace.c 2011-11-15 19:59:42.000000000 -0500
2804@@ -86,7 +86,7 @@ static int set_user_trap(struct task_str
2805 /*
2806 * Get contents of register REGNO in task TASK.
2807 */
2808-unsigned long ptrace_get_reg(struct task_struct *task, int regno)
2809+unsigned long ptrace_get_reg(struct task_struct *task, unsigned int regno)
2810 {
2811 if (task->thread.regs == NULL)
2812 return -EIO;
2813@@ -894,7 +894,7 @@ long arch_ptrace(struct task_struct *chi
2814
2815 CHECK_FULL_REGS(child->thread.regs);
2816 if (index < PT_FPR0) {
2817- tmp = ptrace_get_reg(child, (int) index);
2818+ tmp = ptrace_get_reg(child, index);
2819 } else {
2820 flush_fp_to_thread(child);
2821 tmp = ((unsigned long *)child->thread.fpr)
2822diff -urNp linux-2.6.32.48/arch/powerpc/kernel/signal_32.c linux-2.6.32.48/arch/powerpc/kernel/signal_32.c
2823--- linux-2.6.32.48/arch/powerpc/kernel/signal_32.c 2011-11-08 19:02:43.000000000 -0500
2824+++ linux-2.6.32.48/arch/powerpc/kernel/signal_32.c 2011-11-15 19:59:42.000000000 -0500
2825@@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2826 /* Save user registers on the stack */
2827 frame = &rt_sf->uc.uc_mcontext;
2828 addr = frame;
2829- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2830+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2831 if (save_user_regs(regs, frame, 0, 1))
2832 goto badframe;
2833 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
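Review bot: The test `current->mm->context.vdso_base != ~0UL` changes the "no vDSO" marker from 0 to all-ones, and the marker is written as a bare literal here, in the `signal_64.c` hunk and where `vdso.c` now assigns `~0UL`. Any reader of `vdso_base` left with the old non-zero test, which cannot be ruled out from these hunks, would treat the marker as a mapped vDSO and compute a trampoline address from it. A comment at each site, for instance `/* ~0UL in context.vdso_base means no vDSO is mapped */`, or one shared named constant, would make the remaining readers easy to audit. `handle_rt_signal32` continues outside the hunk.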
2834diff -urNp linux-2.6.32.48/arch/powerpc/kernel/signal_64.c linux-2.6.32.48/arch/powerpc/kernel/signal_64.c
2835--- linux-2.6.32.48/arch/powerpc/kernel/signal_64.c 2011-11-08 19:02:43.000000000 -0500
2836+++ linux-2.6.32.48/arch/powerpc/kernel/signal_64.c 2011-11-15 19:59:42.000000000 -0500
2837@@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2838 current->thread.fpscr.val = 0;
2839
2840 /* Set up to return from userspace. */
2841- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2842+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2843 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2844 } else {
2845 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2846diff -urNp linux-2.6.32.48/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.48/arch/powerpc/kernel/sys_ppc32.c
2847--- linux-2.6.32.48/arch/powerpc/kernel/sys_ppc32.c 2011-11-08 19:02:43.000000000 -0500
2848+++ linux-2.6.32.48/arch/powerpc/kernel/sys_ppc32.c 2011-11-15 19:59:42.000000000 -0500
2849@@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2850 if (oldlenp) {
2851 if (!error) {
2852 if (get_user(oldlen, oldlenp) ||
2853- put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2854+ put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2855+ copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2856 error = -EFAULT;
2857 }
2858- copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2859 }
2860 return error;
2861 }
2862diff -urNp linux-2.6.32.48/arch/powerpc/kernel/traps.c linux-2.6.32.48/arch/powerpc/kernel/traps.c
2863--- linux-2.6.32.48/arch/powerpc/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
2864+++ linux-2.6.32.48/arch/powerpc/kernel/traps.c 2011-11-15 19:59:42.000000000 -0500
2865@@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2866 static inline void pmac_backlight_unblank(void) { }
2867 #endif
2868
2869+extern void gr_handle_kernel_exploit(void);
2870+
2871 int die(const char *str, struct pt_regs *regs, long err)
2872 {
2873 static struct {
2874@@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2875 if (panic_on_oops)
2876 panic("Fatal exception");
2877
2878+ gr_handle_kernel_exploit();
2879+
2880 oops_exit();
2881 do_exit(err);
2882
2883diff -urNp linux-2.6.32.48/arch/powerpc/kernel/vdso.c linux-2.6.32.48/arch/powerpc/kernel/vdso.c
2884--- linux-2.6.32.48/arch/powerpc/kernel/vdso.c 2011-11-08 19:02:43.000000000 -0500
2885+++ linux-2.6.32.48/arch/powerpc/kernel/vdso.c 2011-11-15 19:59:42.000000000 -0500
2886@@ -36,6 +36,7 @@
2887 #include <asm/firmware.h>
2888 #include <asm/vdso.h>
2889 #include <asm/vdso_datapage.h>
2890+#include <asm/mman.h>
2891
2892 #include "setup.h"
2893
2894@@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2895 vdso_base = VDSO32_MBASE;
2896 #endif
2897
2898- current->mm->context.vdso_base = 0;
2899+ current->mm->context.vdso_base = ~0UL;
2900
2901 /* vDSO has a problem and was disabled, just don't "enable" it for the
2902 * process
2903@@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2904 vdso_base = get_unmapped_area(NULL, vdso_base,
2905 (vdso_pages << PAGE_SHIFT) +
2906 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2907- 0, 0);
2908+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
2909 if (IS_ERR_VALUE(vdso_base)) {
2910 rc = vdso_base;
2911 goto fail_mmapsem;
2912diff -urNp linux-2.6.32.48/arch/powerpc/kernel/vio.c linux-2.6.32.48/arch/powerpc/kernel/vio.c
2913--- linux-2.6.32.48/arch/powerpc/kernel/vio.c 2011-11-08 19:02:43.000000000 -0500
2914+++ linux-2.6.32.48/arch/powerpc/kernel/vio.c 2011-11-15 19:59:42.000000000 -0500
2915@@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2916 vio_cmo_dealloc(viodev, alloc_size);
2917 }
2918
2919-struct dma_map_ops vio_dma_mapping_ops = {
2920+static const struct dma_map_ops vio_dma_mapping_ops = {
2921 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2922 .free_coherent = vio_dma_iommu_free_coherent,
2923 .map_sg = vio_dma_iommu_map_sg,
2924 .unmap_sg = vio_dma_iommu_unmap_sg,
2925+ .dma_supported = dma_iommu_dma_supported,
2926 .map_page = vio_dma_iommu_map_page,
2927 .unmap_page = vio_dma_iommu_unmap_page,
2928
2929@@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2930
2931 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2932 {
2933- vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2934 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2935 }
2936
2937diff -urNp linux-2.6.32.48/arch/powerpc/lib/usercopy_64.c linux-2.6.32.48/arch/powerpc/lib/usercopy_64.c
2938--- linux-2.6.32.48/arch/powerpc/lib/usercopy_64.c 2011-11-08 19:02:43.000000000 -0500
2939+++ linux-2.6.32.48/arch/powerpc/lib/usercopy_64.c 2011-11-15 19:59:42.000000000 -0500
2940@@ -9,22 +9,6 @@
2941 #include <linux/module.h>
2942 #include <asm/uaccess.h>
2943
2944-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2945-{
2946- if (likely(access_ok(VERIFY_READ, from, n)))
2947- n = __copy_from_user(to, from, n);
2948- else
2949- memset(to, 0, n);
2950- return n;
2951-}
2952-
2953-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2954-{
2955- if (likely(access_ok(VERIFY_WRITE, to, n)))
2956- n = __copy_to_user(to, from, n);
2957- return n;
2958-}
2959-
2960 unsigned long copy_in_user(void __user *to, const void __user *from,
2961 unsigned long n)
2962 {
2963@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2964 return n;
2965 }
2966
2967-EXPORT_SYMBOL(copy_from_user);
2968-EXPORT_SYMBOL(copy_to_user);
2969 EXPORT_SYMBOL(copy_in_user);
2970
2971diff -urNp linux-2.6.32.48/arch/powerpc/Makefile linux-2.6.32.48/arch/powerpc/Makefile
2972--- linux-2.6.32.48/arch/powerpc/Makefile 2011-11-08 19:02:43.000000000 -0500
2973+++ linux-2.6.32.48/arch/powerpc/Makefile 2011-11-15 19:59:42.000000000 -0500
2974@@ -74,6 +74,8 @@ KBUILD_AFLAGS += -Iarch/$(ARCH)
2975 KBUILD_CFLAGS += -msoft-float -pipe -Iarch/$(ARCH) $(CFLAGS-y)
2976 CPP = $(CC) -E $(KBUILD_CFLAGS)
2977
2978+cflags-y += -Wno-sign-compare -Wno-extra
2979+
2980 CHECKFLAGS += -m$(CONFIG_WORD_SIZE) -D__powerpc__ -D__powerpc$(CONFIG_WORD_SIZE)__
2981
2982 ifeq ($(CONFIG_PPC64),y)
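Review bot: The added line appends to `cflags-y` in lower case, while the only consumer visible in this hunk is `$(CFLAGS-y)` on the `KBUILD_CFLAGS` line, and make variable names are case-sensitive. Unless `cflags-y` is picked up elsewhere in the Makefile, which this hunk does not show, the two options never reach the compiler. If the suppression is intended, `KBUILD_CFLAGS += -Wno-sign-compare -Wno-extra` states it directly. Turning off sign-compare diagnostics also hides signed/unsigned length comparisons, which a hardening patch would normally want reported.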
2983diff -urNp linux-2.6.32.48/arch/powerpc/mm/fault.c linux-2.6.32.48/arch/powerpc/mm/fault.c
2984--- linux-2.6.32.48/arch/powerpc/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
2985+++ linux-2.6.32.48/arch/powerpc/mm/fault.c 2011-11-18 18:01:52.000000000 -0500
2986@@ -30,6 +30,10 @@
2987 #include <linux/kprobes.h>
2988 #include <linux/kdebug.h>
2989 #include <linux/perf_event.h>
2990+#include <linux/slab.h>
2991+#include <linux/pagemap.h>
2992+#include <linux/compiler.h>
2993+#include <linux/unistd.h>
2994
2995 #include <asm/firmware.h>
2996 #include <asm/page.h>
2997@@ -40,6 +44,7 @@
2998 #include <asm/uaccess.h>
2999 #include <asm/tlbflush.h>
3000 #include <asm/siginfo.h>
3001+#include <asm/ptrace.h>
3002
3003
3004 #ifdef CONFIG_KPROBES
3005@@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
3006 }
3007 #endif
3008
3009+#ifdef CONFIG_PAX_PAGEEXEC
3010+/*
3011+ * PaX: decide what to do with offenders (regs->nip = fault address)
3012+ *
3013+ * returns 1 when task should be killed
3014+ */
3015+static int pax_handle_fetch_fault(struct pt_regs *regs)
3016+{
3017+ return 1;
3018+}
3019+
3020+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
3021+{
3022+ unsigned long i;
3023+
3024+ printk(KERN_ERR "PAX: bytes at PC: ");
3025+ for (i = 0; i < 5; i++) {
3026+ unsigned int c;
3027+ if (get_user(c, (unsigned int __user *)pc+i))
3028+ printk(KERN_CONT "???????? ");
3029+ else
3030+ printk(KERN_CONT "%08x ", c);
3031+ }
3032+ printk("\n");
3033+}
3034+#endif
3035+
3036 /*
3037 * Check whether the instruction at regs->nip is a store using
3038 * an update addressing form which will update r1.
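Review bot: The closing `printk("\n");` in `pax_report_insns` carries no log level, unlike the `KERN_CONT` fragments before it, so the line terminator may be emitted as a separate default-level message; `printk(KERN_CONT "\n");` keeps the dump on one line. The `sp` parameter is never used in the body. `pax_handle_fetch_fault` ignores `regs` and always returns 1, which is worth a short comment such as `/* always fatal here: nothing is emulated or recovered */` so the stub does not look unfinished.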
3039@@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
3040 * indicate errors in DSISR but can validly be set in SRR1.
3041 */
3042 if (trap == 0x400)
3043- error_code &= 0x48200000;
3044+ error_code &= 0x58200000;
3045 else
3046 is_write = error_code & DSISR_ISSTORE;
3047 #else
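Review bot: The widened mask `0x58200000` stays a bare literal even though the bit being added, 0x10000000, appears to be the one the next hunk of this patch renames to `DSISR_GUARDED`. Writing the line as `error_code &= 0x48200000 | DSISR_GUARDED;` would show which bit changed and tie it to the later `DSISR_PROTFAULT | DSISR_GUARDED` tests. `do_page_fault` begins and ends outside this hunk.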
3048@@ -250,7 +282,7 @@ good_area:
3049 * "undefined". Of those that can be set, this is the only
3050 * one which seems bad.
3051 */
3052- if (error_code & 0x10000000)
3053+ if (error_code & DSISR_GUARDED)
3054 /* Guarded storage error. */
3055 goto bad_area;
3056 #endif /* CONFIG_8xx */
3057@@ -265,7 +297,7 @@ good_area:
3058 * processors use the same I/D cache coherency mechanism
3059 * as embedded.
3060 */
3061- if (error_code & DSISR_PROTFAULT)
3062+ if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
3063 goto bad_area;
3064 #endif /* CONFIG_PPC_STD_MMU */
3065
3066@@ -335,6 +367,23 @@ bad_area:
3067 bad_area_nosemaphore:
3068 /* User mode accesses cause a SIGSEGV */
3069 if (user_mode(regs)) {
3070+
3071+#ifdef CONFIG_PAX_PAGEEXEC
3072+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
3073+#ifdef CONFIG_PPC_STD_MMU
3074+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
3075+#else
3076+ if (is_exec && regs->nip == address) {
3077+#endif
3078+ switch (pax_handle_fetch_fault(regs)) {
3079+ }
3080+
3081+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
3082+ do_group_exit(SIGKILL);
3083+ }
3084+ }
3085+#endif
3086+
3087 _exception(SIGSEGV, regs, code, address);
3088 return 0;
3089 }
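Review bot: The added `switch (pax_handle_fetch_fault(regs)) { }` has no cases, so the handler's return value is discarded and `pax_report_fault()` plus `do_group_exit(SIGKILL)` run unconditionally, although the handler's own comment says 1 means the task should be killed. Either drop the switch or test the result, e.g. `if (pax_handle_fetch_fault(regs) == 1) {` around the report and exit. The two alternative `if (is_exec && ...) {` openers under `#ifdef CONFIG_PPC_STD_MMU` share one closing brace, which is fragile; computing the condition into a local variable first would read more safely. `do_page_fault` begins and ends outside this hunk.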
3090diff -urNp linux-2.6.32.48/arch/powerpc/mm/mem.c linux-2.6.32.48/arch/powerpc/mm/mem.c
3091--- linux-2.6.32.48/arch/powerpc/mm/mem.c 2011-11-08 19:02:43.000000000 -0500
3092+++ linux-2.6.32.48/arch/powerpc/mm/mem.c 2011-11-15 19:59:42.000000000 -0500
3093@@ -250,7 +250,7 @@ static int __init mark_nonram_nosave(voi
3094 {
3095 unsigned long lmb_next_region_start_pfn,
3096 lmb_region_max_pfn;
3097- int i;
3098+ unsigned int i;
3099
3100 for (i = 0; i < lmb.memory.cnt - 1; i++) {
3101 lmb_region_max_pfn =
3102diff -urNp linux-2.6.32.48/arch/powerpc/mm/mmap_64.c linux-2.6.32.48/arch/powerpc/mm/mmap_64.c
3103--- linux-2.6.32.48/arch/powerpc/mm/mmap_64.c 2011-11-08 19:02:43.000000000 -0500
3104+++ linux-2.6.32.48/arch/powerpc/mm/mmap_64.c 2011-11-15 19:59:42.000000000 -0500
3105@@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
3106 */
3107 if (mmap_is_legacy()) {
3108 mm->mmap_base = TASK_UNMAPPED_BASE;
3109+
3110+#ifdef CONFIG_PAX_RANDMMAP
3111+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3112+ mm->mmap_base += mm->delta_mmap;
3113+#endif
3114+
3115 mm->get_unmapped_area = arch_get_unmapped_area;
3116 mm->unmap_area = arch_unmap_area;
3117 } else {
3118 mm->mmap_base = mmap_base();
3119+
3120+#ifdef CONFIG_PAX_RANDMMAP
3121+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3122+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3123+#endif
3124+
3125 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3126 mm->unmap_area = arch_unmap_area_topdown;
3127 }
3128diff -urNp linux-2.6.32.48/arch/powerpc/mm/slice.c linux-2.6.32.48/arch/powerpc/mm/slice.c
3129--- linux-2.6.32.48/arch/powerpc/mm/slice.c 2011-11-08 19:02:43.000000000 -0500
3130+++ linux-2.6.32.48/arch/powerpc/mm/slice.c 2011-11-15 19:59:42.000000000 -0500
3131@@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
3132 if ((mm->task_size - len) < addr)
3133 return 0;
3134 vma = find_vma(mm, addr);
3135- return (!vma || (addr + len) <= vma->vm_start);
3136+ return check_heap_stack_gap(vma, addr, len);
3137 }
3138
3139 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
3140@@ -256,7 +256,7 @@ full_search:
3141 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
3142 continue;
3143 }
3144- if (!vma || addr + len <= vma->vm_start) {
3145+ if (check_heap_stack_gap(vma, addr, len)) {
3146 /*
3147 * Remember the place where we stopped the search:
3148 */
3149@@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
3150 }
3151 }
3152
3153- addr = mm->mmap_base;
3154- while (addr > len) {
3155+ if (mm->mmap_base < len)
3156+ addr = -ENOMEM;
3157+ else
3158+ addr = mm->mmap_base - len;
3159+
3160+ while (!IS_ERR_VALUE(addr)) {
3161 /* Go down by chunk size */
3162- addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3163+ addr = _ALIGN_DOWN(addr, 1ul << pshift);
3164
3165 /* Check for hit with different page size */
3166 mask = slice_range_to_mask(addr, len);
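Review bot: The rewritten loop in `slice_find_area_topdown` no longer steps down by `len` at the top of each pass (`_ALIGN_DOWN(addr - len, ...)` became `_ALIGN_DOWN(addr, ...)`), so every path that loops back must now lower `addr` itself. The miss path is covered by the later hunk that assigns `skip_heap_stack_gap(vma, len)`, but the code between this hunk and that one is not shown and previously relied on the per-pass subtraction. If it only rounds `addr` down to a slice boundary before `continue`, an already-aligned `addr` would stop making progress. Those paths should be checked, and the new termination rule deserves a comment such as `/* addr is the candidate start; IS_ERR_VALUE(addr) ends the search */`.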
3167@@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3168 * return with success:
3169 */
3170 vma = find_vma(mm, addr);
3171- if (!vma || (addr + len) <= vma->vm_start) {
3172+ if (check_heap_stack_gap(vma, addr, len)) {
3173 /* remember the address as a hint for next time */
3174 if (use_cache)
3175 mm->free_area_cache = addr;
3176@@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3177 mm->cached_hole_size = vma->vm_start - addr;
3178
3179 /* try just below the current vma->vm_start */
3180- addr = vma->vm_start;
3181+ addr = skip_heap_stack_gap(vma, len);
3182 }
3183
3184 /*
3185@@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3186 if (fixed && addr > (mm->task_size - len))
3187 return -EINVAL;
3188
3189+#ifdef CONFIG_PAX_RANDMMAP
3190+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3191+ addr = 0;
3192+#endif
3193+
3194 /* If hint, make sure it matches our alignment restrictions */
3195 if (!fixed && addr) {
3196 addr = _ALIGN_UP(addr, 1ul << pshift);
3197diff -urNp linux-2.6.32.48/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.48/arch/powerpc/platforms/52xx/lite5200_pm.c
3198--- linux-2.6.32.48/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-11-08 19:02:43.000000000 -0500
3199+++ linux-2.6.32.48/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-11-15 19:59:42.000000000 -0500
3200@@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
3201 lite5200_pm_target_state = PM_SUSPEND_ON;
3202 }
3203
3204-static struct platform_suspend_ops lite5200_pm_ops = {
3205+static const struct platform_suspend_ops lite5200_pm_ops = {
3206 .valid = lite5200_pm_valid,
3207 .begin = lite5200_pm_begin,
3208 .prepare = lite5200_pm_prepare,
3209diff -urNp linux-2.6.32.48/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.48/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3210--- linux-2.6.32.48/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-11-08 19:02:43.000000000 -0500
3211+++ linux-2.6.32.48/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-11-15 19:59:42.000000000 -0500
3212@@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
3213 iounmap(mbar);
3214 }
3215
3216-static struct platform_suspend_ops mpc52xx_pm_ops = {
3217+static const struct platform_suspend_ops mpc52xx_pm_ops = {
3218 .valid = mpc52xx_pm_valid,
3219 .prepare = mpc52xx_pm_prepare,
3220 .enter = mpc52xx_pm_enter,
3221diff -urNp linux-2.6.32.48/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.48/arch/powerpc/platforms/83xx/suspend.c
3222--- linux-2.6.32.48/arch/powerpc/platforms/83xx/suspend.c 2011-11-08 19:02:43.000000000 -0500
3223+++ linux-2.6.32.48/arch/powerpc/platforms/83xx/suspend.c 2011-11-15 19:59:42.000000000 -0500
3224@@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
3225 return ret;
3226 }
3227
3228-static struct platform_suspend_ops mpc83xx_suspend_ops = {
3229+static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3230 .valid = mpc83xx_suspend_valid,
3231 .begin = mpc83xx_suspend_begin,
3232 .enter = mpc83xx_suspend_enter,
3233diff -urNp linux-2.6.32.48/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.48/arch/powerpc/platforms/cell/iommu.c
3234--- linux-2.6.32.48/arch/powerpc/platforms/cell/iommu.c 2011-11-08 19:02:43.000000000 -0500
3235+++ linux-2.6.32.48/arch/powerpc/platforms/cell/iommu.c 2011-11-15 19:59:42.000000000 -0500
3236@@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3237
3238 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3239
3240-struct dma_map_ops dma_iommu_fixed_ops = {
3241+const struct dma_map_ops dma_iommu_fixed_ops = {
3242 .alloc_coherent = dma_fixed_alloc_coherent,
3243 .free_coherent = dma_fixed_free_coherent,
3244 .map_sg = dma_fixed_map_sg,
3245diff -urNp linux-2.6.32.48/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.48/arch/powerpc/platforms/ps3/system-bus.c
3246--- linux-2.6.32.48/arch/powerpc/platforms/ps3/system-bus.c 2011-11-08 19:02:43.000000000 -0500
3247+++ linux-2.6.32.48/arch/powerpc/platforms/ps3/system-bus.c 2011-11-15 19:59:42.000000000 -0500
3248@@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3249 return mask >= DMA_BIT_MASK(32);
3250 }
3251
3252-static struct dma_map_ops ps3_sb_dma_ops = {
3253+static const struct dma_map_ops ps3_sb_dma_ops = {
3254 .alloc_coherent = ps3_alloc_coherent,
3255 .free_coherent = ps3_free_coherent,
3256 .map_sg = ps3_sb_map_sg,
3257@@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3258 .unmap_page = ps3_unmap_page,
3259 };
3260
3261-static struct dma_map_ops ps3_ioc0_dma_ops = {
3262+static const struct dma_map_ops ps3_ioc0_dma_ops = {
3263 .alloc_coherent = ps3_alloc_coherent,
3264 .free_coherent = ps3_free_coherent,
3265 .map_sg = ps3_ioc0_map_sg,
3266diff -urNp linux-2.6.32.48/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.48/arch/powerpc/platforms/pseries/Kconfig
3267--- linux-2.6.32.48/arch/powerpc/platforms/pseries/Kconfig 2011-11-08 19:02:43.000000000 -0500
3268+++ linux-2.6.32.48/arch/powerpc/platforms/pseries/Kconfig 2011-11-15 19:59:42.000000000 -0500
3269@@ -2,6 +2,8 @@ config PPC_PSERIES
3270 depends on PPC64 && PPC_BOOK3S
3271 bool "IBM pSeries & new (POWER5-based) iSeries"
3272 select MPIC
3273+ select PCI_MSI
3274+ select XICS
3275 select PPC_I8259
3276 select PPC_RTAS
3277 select RTAS_ERROR_LOGGING
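Review bot: `select PCI_MSI` and `select XICS` force both symbols on without evaluating their own `depends on` lines, and neither definition is visible in this part of the patch. If PCI_MSI depends on PCI, as it presumably does, a PPC_PSERIES configuration without PCI becomes inconsistent; `select PCI_MSI if PCI` would be the safer form. It is also worth confirming that a symbol named XICS exists in this tree, because a select of an undefined symbol has no effect and is easy to miss.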
3278diff -urNp linux-2.6.32.48/arch/s390/include/asm/elf.h linux-2.6.32.48/arch/s390/include/asm/elf.h
3279--- linux-2.6.32.48/arch/s390/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
3280+++ linux-2.6.32.48/arch/s390/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
3281@@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3282 that it will "exec", and that there is sufficient room for the brk. */
3283 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3284
3285+#ifdef CONFIG_PAX_ASLR
3286+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3287+
3288+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3289+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3290+#endif
3291+
3292 /* This yields a mask that user programs can use to figure out what
3293 instruction set this CPU supports. */
3294
3295diff -urNp linux-2.6.32.48/arch/s390/include/asm/setup.h linux-2.6.32.48/arch/s390/include/asm/setup.h
3296--- linux-2.6.32.48/arch/s390/include/asm/setup.h 2011-11-08 19:02:43.000000000 -0500
3297+++ linux-2.6.32.48/arch/s390/include/asm/setup.h 2011-11-15 19:59:42.000000000 -0500
3298@@ -50,13 +50,13 @@ extern unsigned long memory_end;
3299 void detect_memory_layout(struct mem_chunk chunk[]);
3300
3301 #ifdef CONFIG_S390_SWITCH_AMODE
3302-extern unsigned int switch_amode;
3303+#define switch_amode (1)
3304 #else
3305 #define switch_amode (0)
3306 #endif
3307
3308 #ifdef CONFIG_S390_EXEC_PROTECT
3309-extern unsigned int s390_noexec;
3310+#define s390_noexec (1)
3311 #else
3312 #define s390_noexec (0)
3313 #endif
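Review bot: Turning `switch_amode` and `s390_noexec` into the constant `(1)` makes both features compile-time only, and the setup.c hunks further down remove the `switch_amode` and `noexec` early_param handlers. A `noexec=off` left on an existing kernel command line will therefore no longer be honoured, and nothing in the header tells the reader that. A comment above each define would record it, e.g. `/* compile-time only: the switch_amode= and noexec= boot parameters are removed by this patch */`. The Kconfig help text in this patch notes a performance cost on machines earlier than z9-109, which is the case where an operator would look for the old switch.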
3314diff -urNp linux-2.6.32.48/arch/s390/include/asm/uaccess.h linux-2.6.32.48/arch/s390/include/asm/uaccess.h
3315--- linux-2.6.32.48/arch/s390/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
3316+++ linux-2.6.32.48/arch/s390/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
3317@@ -232,6 +232,10 @@ static inline unsigned long __must_check
3318 copy_to_user(void __user *to, const void *from, unsigned long n)
3319 {
3320 might_fault();
3321+
3322+ if ((long)n < 0)
3323+ return n;
3324+
3325 if (access_ok(VERIFY_WRITE, to, n))
3326 n = __copy_to_user(to, from, n);
3327 return n;
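Review bot: The `(long)n < 0` guard is added to copy_to_user here and to __copy_from_user and copy_from_user in the two hunks that follow, but no hunk shown adds it to __copy_to_user. If callers can reach that function directly, it needs the same two lines; if the omission is deliberate, say so. The guard also has no comment. Something like `/* a length with the sign bit set is almost certainly an underflowed size: refuse it and report all n bytes as not copied */` would explain why `n` is returned unchanged. In copy_from_user the test now runs twice on the success path, once in the wrapper and once in __copy_from_user. All three function bodies continue outside their hunks.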
3328@@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3329 static inline unsigned long __must_check
3330 __copy_from_user(void *to, const void __user *from, unsigned long n)
3331 {
3332+ if ((long)n < 0)
3333+ return n;
3334+
3335 if (__builtin_constant_p(n) && (n <= 256))
3336 return uaccess.copy_from_user_small(n, from, to);
3337 else
3338@@ -283,6 +290,10 @@ static inline unsigned long __must_check
3339 copy_from_user(void *to, const void __user *from, unsigned long n)
3340 {
3341 might_fault();
3342+
3343+ if ((long)n < 0)
3344+ return n;
3345+
3346 if (access_ok(VERIFY_READ, from, n))
3347 n = __copy_from_user(to, from, n);
3348 else
3349diff -urNp linux-2.6.32.48/arch/s390/Kconfig linux-2.6.32.48/arch/s390/Kconfig
3350--- linux-2.6.32.48/arch/s390/Kconfig 2011-11-08 19:02:43.000000000 -0500
3351+++ linux-2.6.32.48/arch/s390/Kconfig 2011-11-15 19:59:42.000000000 -0500
3352@@ -194,28 +194,26 @@ config AUDIT_ARCH
3353
3354 config S390_SWITCH_AMODE
3355 bool "Switch kernel/user addressing modes"
3356+ default y
3357 help
3358 This option allows to switch the addressing modes of kernel and user
3359- space. The kernel parameter switch_amode=on will enable this feature,
3360- default is disabled. Enabling this (via kernel parameter) on machines
3361- earlier than IBM System z9-109 EC/BC will reduce system performance.
3362+ space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3363+ will reduce system performance.
3364
3365 Note that this option will also be selected by selecting the execute
3366- protection option below. Enabling the execute protection via the
3367- noexec kernel parameter will also switch the addressing modes,
3368- independent of the switch_amode kernel parameter.
3369+ protection option below. Enabling the execute protection will also
3370+ switch the addressing modes, independent of this option.
3371
3372
3373 config S390_EXEC_PROTECT
3374 bool "Data execute protection"
3375+ default y
3376 select S390_SWITCH_AMODE
3377 help
3378 This option allows to enable a buffer overflow protection for user
3379 space programs and it also selects the addressing mode option above.
3380- The kernel parameter noexec=on will enable this feature and also
3381- switch the addressing modes, default is disabled. Enabling this (via
3382- kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3383- will reduce system performance.
3384+ Enabling this on machines earlier than IBM System z9-109 EC/BC will
3385+ reduce system performance.
3386
3387 comment "Code generation options"
3388
3389diff -urNp linux-2.6.32.48/arch/s390/kernel/module.c linux-2.6.32.48/arch/s390/kernel/module.c
3390--- linux-2.6.32.48/arch/s390/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
3391+++ linux-2.6.32.48/arch/s390/kernel/module.c 2011-11-15 19:59:42.000000000 -0500
3392@@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3393
3394 /* Increase core size by size of got & plt and set start
3395 offsets for got and plt. */
3396- me->core_size = ALIGN(me->core_size, 4);
3397- me->arch.got_offset = me->core_size;
3398- me->core_size += me->arch.got_size;
3399- me->arch.plt_offset = me->core_size;
3400- me->core_size += me->arch.plt_size;
3401+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
3402+ me->arch.got_offset = me->core_size_rw;
3403+ me->core_size_rw += me->arch.got_size;
3404+ me->arch.plt_offset = me->core_size_rx;
3405+ me->core_size_rx += me->arch.plt_size;
3406 return 0;
3407 }
3408
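Review bot: `me->arch.plt_offset = me->core_size_rx` is taken without the `ALIGN(..., 4)` that the old code applied before laying out the GOT and PLT; only `core_size_rw` is aligned now. The apply_rela hunk below writes PLT stubs through an `unsigned int *` at `module_core_rx + plt_offset`. Unless `core_size_rx` is guaranteed to be 4-byte aligned at this point, which the hunk does not show, add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the assignment. module_frob_arch_sections starts outside the hunk.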
3409@@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3410 if (info->got_initialized == 0) {
3411 Elf_Addr *gotent;
3412
3413- gotent = me->module_core + me->arch.got_offset +
3414+ gotent = me->module_core_rw + me->arch.got_offset +
3415 info->got_offset;
3416 *gotent = val;
3417 info->got_initialized = 1;
3418@@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3419 else if (r_type == R_390_GOTENT ||
3420 r_type == R_390_GOTPLTENT)
3421 *(unsigned int *) loc =
3422- (val + (Elf_Addr) me->module_core - loc) >> 1;
3423+ (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3424 else if (r_type == R_390_GOT64 ||
3425 r_type == R_390_GOTPLT64)
3426 *(unsigned long *) loc = val;
3427@@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3428 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3429 if (info->plt_initialized == 0) {
3430 unsigned int *ip;
3431- ip = me->module_core + me->arch.plt_offset +
3432+ ip = me->module_core_rx + me->arch.plt_offset +
3433 info->plt_offset;
3434 #ifndef CONFIG_64BIT
3435 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3436@@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3437 val - loc + 0xffffUL < 0x1ffffeUL) ||
3438 (r_type == R_390_PLT32DBL &&
3439 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3440- val = (Elf_Addr) me->module_core +
3441+ val = (Elf_Addr) me->module_core_rx +
3442 me->arch.plt_offset +
3443 info->plt_offset;
3444 val += rela->r_addend - loc;
3445@@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3446 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3447 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3448 val = val + rela->r_addend -
3449- ((Elf_Addr) me->module_core + me->arch.got_offset);
3450+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3451 if (r_type == R_390_GOTOFF16)
3452 *(unsigned short *) loc = val;
3453 else if (r_type == R_390_GOTOFF32)
3454@@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3455 break;
3456 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3457 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3458- val = (Elf_Addr) me->module_core + me->arch.got_offset +
3459+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3460 rela->r_addend - loc;
3461 if (r_type == R_390_GOTPC)
3462 *(unsigned int *) loc = val;
3463diff -urNp linux-2.6.32.48/arch/s390/kernel/setup.c linux-2.6.32.48/arch/s390/kernel/setup.c
3464--- linux-2.6.32.48/arch/s390/kernel/setup.c 2011-11-08 19:02:43.000000000 -0500
3465+++ linux-2.6.32.48/arch/s390/kernel/setup.c 2011-11-15 19:59:42.000000000 -0500
3466@@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3467 early_param("mem", early_parse_mem);
3468
3469 #ifdef CONFIG_S390_SWITCH_AMODE
3470-unsigned int switch_amode = 0;
3471-EXPORT_SYMBOL_GPL(switch_amode);
3472-
3473 static int set_amode_and_uaccess(unsigned long user_amode,
3474 unsigned long user32_amode)
3475 {
3476@@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3477 return 0;
3478 }
3479 }
3480-
3481-/*
3482- * Switch kernel/user addressing modes?
3483- */
3484-static int __init early_parse_switch_amode(char *p)
3485-{
3486- switch_amode = 1;
3487- return 0;
3488-}
3489-early_param("switch_amode", early_parse_switch_amode);
3490-
3491 #else /* CONFIG_S390_SWITCH_AMODE */
3492 static inline int set_amode_and_uaccess(unsigned long user_amode,
3493 unsigned long user32_amode)
3494@@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3495 }
3496 #endif /* CONFIG_S390_SWITCH_AMODE */
3497
3498-#ifdef CONFIG_S390_EXEC_PROTECT
3499-unsigned int s390_noexec = 0;
3500-EXPORT_SYMBOL_GPL(s390_noexec);
3501-
3502-/*
3503- * Enable execute protection?
3504- */
3505-static int __init early_parse_noexec(char *p)
3506-{
3507- if (!strncmp(p, "off", 3))
3508- return 0;
3509- switch_amode = 1;
3510- s390_noexec = 1;
3511- return 0;
3512-}
3513-early_param("noexec", early_parse_noexec);
3514-#endif /* CONFIG_S390_EXEC_PROTECT */
3515-
3516 static void setup_addressing_mode(void)
3517 {
3518 if (s390_noexec) {
3519diff -urNp linux-2.6.32.48/arch/s390/mm/mmap.c linux-2.6.32.48/arch/s390/mm/mmap.c
3520--- linux-2.6.32.48/arch/s390/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
3521+++ linux-2.6.32.48/arch/s390/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
3522@@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3523 */
3524 if (mmap_is_legacy()) {
3525 mm->mmap_base = TASK_UNMAPPED_BASE;
3526+
3527+#ifdef CONFIG_PAX_RANDMMAP
3528+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3529+ mm->mmap_base += mm->delta_mmap;
3530+#endif
3531+
3532 mm->get_unmapped_area = arch_get_unmapped_area;
3533 mm->unmap_area = arch_unmap_area;
3534 } else {
3535 mm->mmap_base = mmap_base();
3536+
3537+#ifdef CONFIG_PAX_RANDMMAP
3538+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3539+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3540+#endif
3541+
3542 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3543 mm->unmap_area = arch_unmap_area_topdown;
3544 }
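Review bot: The two RANDMMAP blocks are asymmetric with no explanation: the legacy branch adds only `mm->delta_mmap`, while the top-down branch subtracts `mm->delta_mmap + mm->delta_stack`. Presumably the stack delta is included so the randomized stack keeps its gap above the mmap area. If that is right, a comment such as `/* top-down: shift below the randomized stack, hence both deltas */` on the second block would save the next reader from guessing. The same pair of blocks is repeated in the second arch_pick_mmap_layout hunk below and should carry the same comment.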
3545@@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3546 */
3547 if (mmap_is_legacy()) {
3548 mm->mmap_base = TASK_UNMAPPED_BASE;
3549+
3550+#ifdef CONFIG_PAX_RANDMMAP
3551+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3552+ mm->mmap_base += mm->delta_mmap;
3553+#endif
3554+
3555 mm->get_unmapped_area = s390_get_unmapped_area;
3556 mm->unmap_area = arch_unmap_area;
3557 } else {
3558 mm->mmap_base = mmap_base();
3559+
3560+#ifdef CONFIG_PAX_RANDMMAP
3561+ if (mm->pax_flags & MF_PAX_RANDMMAP)
3562+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3563+#endif
3564+
3565 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3566 mm->unmap_area = arch_unmap_area_topdown;
3567 }
3568diff -urNp linux-2.6.32.48/arch/score/include/asm/system.h linux-2.6.32.48/arch/score/include/asm/system.h
3569--- linux-2.6.32.48/arch/score/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
3570+++ linux-2.6.32.48/arch/score/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
3571@@ -17,7 +17,7 @@ do { \
3572 #define finish_arch_switch(prev) do {} while (0)
3573
3574 typedef void (*vi_handler_t)(void);
3575-extern unsigned long arch_align_stack(unsigned long sp);
3576+#define arch_align_stack(x) (x)
3577
3578 #define mb() barrier()
3579 #define rmb() barrier()
3580diff -urNp linux-2.6.32.48/arch/score/kernel/process.c linux-2.6.32.48/arch/score/kernel/process.c
3581--- linux-2.6.32.48/arch/score/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
3582+++ linux-2.6.32.48/arch/score/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
3583@@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3584
3585 return task_pt_regs(task)->cp0_epc;
3586 }
3587-
3588-unsigned long arch_align_stack(unsigned long sp)
3589-{
3590- return sp;
3591-}
3592diff -urNp linux-2.6.32.48/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.48/arch/sh/boards/mach-hp6xx/pm.c
3593--- linux-2.6.32.48/arch/sh/boards/mach-hp6xx/pm.c 2011-11-08 19:02:43.000000000 -0500
3594+++ linux-2.6.32.48/arch/sh/boards/mach-hp6xx/pm.c 2011-11-15 19:59:42.000000000 -0500
3595@@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3596 return 0;
3597 }
3598
3599-static struct platform_suspend_ops hp6x0_pm_ops = {
3600+static const struct platform_suspend_ops hp6x0_pm_ops = {
3601 .enter = hp6x0_pm_enter,
3602 .valid = suspend_valid_only_mem,
3603 };
3604diff -urNp linux-2.6.32.48/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.48/arch/sh/kernel/cpu/sh4/sq.c
3605--- linux-2.6.32.48/arch/sh/kernel/cpu/sh4/sq.c 2011-11-08 19:02:43.000000000 -0500
3606+++ linux-2.6.32.48/arch/sh/kernel/cpu/sh4/sq.c 2011-11-15 19:59:42.000000000 -0500
3607@@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3608 NULL,
3609 };
3610
3611-static struct sysfs_ops sq_sysfs_ops = {
3612+static const struct sysfs_ops sq_sysfs_ops = {
3613 .show = sq_sysfs_show,
3614 .store = sq_sysfs_store,
3615 };
3616diff -urNp linux-2.6.32.48/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.48/arch/sh/kernel/cpu/shmobile/pm.c
3617--- linux-2.6.32.48/arch/sh/kernel/cpu/shmobile/pm.c 2011-11-08 19:02:43.000000000 -0500
3618+++ linux-2.6.32.48/arch/sh/kernel/cpu/shmobile/pm.c 2011-11-15 19:59:42.000000000 -0500
3619@@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3620 return 0;
3621 }
3622
3623-static struct platform_suspend_ops sh_pm_ops = {
3624+static const struct platform_suspend_ops sh_pm_ops = {
3625 .enter = sh_pm_enter,
3626 .valid = suspend_valid_only_mem,
3627 };
3628diff -urNp linux-2.6.32.48/arch/sh/kernel/kgdb.c linux-2.6.32.48/arch/sh/kernel/kgdb.c
3629--- linux-2.6.32.48/arch/sh/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
3630+++ linux-2.6.32.48/arch/sh/kernel/kgdb.c 2011-11-15 19:59:42.000000000 -0500
3631@@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3632 {
3633 }
3634
3635-struct kgdb_arch arch_kgdb_ops = {
3636+const struct kgdb_arch arch_kgdb_ops = {
3637 /* Breakpoint instruction: trapa #0x3c */
3638 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3639 .gdb_bpt_instr = { 0x3c, 0xc3 },
3640diff -urNp linux-2.6.32.48/arch/sh/mm/mmap.c linux-2.6.32.48/arch/sh/mm/mmap.c
3641--- linux-2.6.32.48/arch/sh/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
3642+++ linux-2.6.32.48/arch/sh/mm/mmap.c 2011-11-15 19:59:42.000000000 -0500
3643@@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3644 addr = PAGE_ALIGN(addr);
3645
3646 vma = find_vma(mm, addr);
3647- if (TASK_SIZE - len >= addr &&
3648- (!vma || addr + len <= vma->vm_start))
3649+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3650 return addr;
3651 }
3652
3653@@ -106,7 +105,7 @@ full_search:
3654 }
3655 return -ENOMEM;
3656 }
3657- if (likely(!vma || addr + len <= vma->vm_start)) {
3658+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3659 /*
3660 * Remember the place where we stopped the search:
3661 */
3662@@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3663 addr = PAGE_ALIGN(addr);
3664
3665 vma = find_vma(mm, addr);
3666- if (TASK_SIZE - len >= addr &&
3667- (!vma || addr + len <= vma->vm_start))
3668+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3669 return addr;
3670 }
3671
3672@@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3673 /* make sure it can fit in the remaining address space */
3674 if (likely(addr > len)) {
3675 vma = find_vma(mm, addr-len);
3676- if (!vma || addr <= vma->vm_start) {
3677+ if (check_heap_stack_gap(vma, addr - len, len)) {
3678 /* remember the address as a hint for next time */
3679 return (mm->free_area_cache = addr-len);
3680 }
3681@@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3682 if (unlikely(mm->mmap_base < len))
3683 goto bottomup;
3684
3685- addr = mm->mmap_base-len;
3686- if (do_colour_align)
3687- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3688+ addr = mm->mmap_base - len;
3689
3690 do {
3691+ if (do_colour_align)
3692+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3693 /*
3694 * Lookup failure means no vma is above this address,
3695 * else if new region fits below vma->vm_start,
3696 * return with success:
3697 */
3698 vma = find_vma(mm, addr);
3699- if (likely(!vma || addr+len <= vma->vm_start)) {
3700+ if (likely(check_heap_stack_gap(vma, addr, len))) {
3701 /* remember the address as a hint for next time */
3702 return (mm->free_area_cache = addr);
3703 }
3704@@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3705 mm->cached_hole_size = vma->vm_start - addr;
3706
3707 /* try just below the current vma->vm_start */
3708- addr = vma->vm_start-len;
3709- if (do_colour_align)
3710- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3711- } while (likely(len < vma->vm_start));
3712+ addr = skip_heap_stack_gap(vma, len);
3713+ } while (!IS_ERR_VALUE(addr));
3714
3715 bottomup:
3716 /*
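Review bot: Termination of the top-down loop now depends entirely on `skip_heap_stack_gap()` returning an error value. The old `len < vma->vm_start` condition, which kept `vma->vm_start-len` from wrapping, is gone. The helper is defined outside this page, so its contract should be stated at the call site, e.g. `/* skip_heap_stack_gap() yields an error value once nothing of size len fits below vma */`, after checking the wording against the helper. Because the previous hunk moved COLOUR_ALIGN_DOWN to the top of the loop, the realignment only runs after the IS_ERR_VALUE test has passed; that ordering is worth keeping if the loop is touched again. arch_get_unmapped_area_topdown starts and ends outside this hunk.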
3717diff -urNp linux-2.6.32.48/arch/sparc/include/asm/atomic_64.h linux-2.6.32.48/arch/sparc/include/asm/atomic_64.h
3718--- linux-2.6.32.48/arch/sparc/include/asm/atomic_64.h 2011-11-08 19:02:43.000000000 -0500
3719+++ linux-2.6.32.48/arch/sparc/include/asm/atomic_64.h 2011-11-15 19:59:42.000000000 -0500
3720@@ -14,18 +14,40 @@
3721 #define ATOMIC64_INIT(i) { (i) }
3722
3723 #define atomic_read(v) ((v)->counter)
3724+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3725+{
3726+ return v->counter;
3727+}
3728 #define atomic64_read(v) ((v)->counter)
3729+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3730+{
3731+ return v->counter;
3732+}
3733
3734 #define atomic_set(v, i) (((v)->counter) = i)
3735+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3736+{
3737+ v->counter = i;
3738+}
3739 #define atomic64_set(v, i) (((v)->counter) = i)
3740+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3741+{
3742+ v->counter = i;
3743+}
3744
3745 extern void atomic_add(int, atomic_t *);
3746+extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3747 extern void atomic64_add(long, atomic64_t *);
3748+extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3749 extern void atomic_sub(int, atomic_t *);
3750+extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3751 extern void atomic64_sub(long, atomic64_t *);
3752+extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3753
3754 extern int atomic_add_ret(int, atomic_t *);
3755+extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3756 extern long atomic64_add_ret(long, atomic64_t *);
3757+extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3758 extern int atomic_sub_ret(int, atomic_t *);
3759 extern long atomic64_sub_ret(long, atomic64_t *);
3760
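Review bot: The `_unchecked` accessors and prototypes are introduced with no comment on when a caller should choose them over the checked ones. Judging by the `tvs` overflow trap that later hunks in this file add under CONFIG_PAX_REFCOUNT, they look like the opt-out for counters where wraparound is harmless, such as statistics or sequence numbers. A short block comment above `atomic_read_unchecked` saying so, and stating that reference counts must stay on the checked API, would keep the opt-out from spreading by copy and paste. `atomic_sub_ret` and `atomic64_sub_ret` get no `_unchecked` prototype in this hunk; if that is intentional it deserves a word as well.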
3761@@ -33,13 +55,29 @@ extern long atomic64_sub_ret(long, atomi
3762 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3763
3764 #define atomic_inc_return(v) atomic_add_ret(1, v)
3765+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3766+{
3767+ return atomic_add_ret_unchecked(1, v);
3768+}
3769 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3770+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3771+{
3772+ return atomic64_add_ret_unchecked(1, v);
3773+}
3774
3775 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3776 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3777
3778 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3779+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3780+{
3781+ return atomic_add_ret_unchecked(i, v);
3782+}
3783 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3784+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
3785+{
3786+ return atomic64_add_ret_unchecked(i, v);
3787+}
3788
3789 /*
3790 * atomic_inc_and_test - increment and test
3791@@ -50,6 +88,10 @@ extern long atomic64_sub_ret(long, atomi
3792 * other cases.
3793 */
3794 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3795+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
3796+{
3797+ return atomic_inc_return_unchecked(v) == 0;
3798+}
3799 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3800
3801 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3802@@ -59,30 +101,65 @@ extern long atomic64_sub_ret(long, atomi
3803 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3804
3805 #define atomic_inc(v) atomic_add(1, v)
3806+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3807+{
3808+ atomic_add_unchecked(1, v);
3809+}
3810 #define atomic64_inc(v) atomic64_add(1, v)
3811+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3812+{
3813+ atomic64_add_unchecked(1, v);
3814+}
3815
3816 #define atomic_dec(v) atomic_sub(1, v)
3817+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3818+{
3819+ atomic_sub_unchecked(1, v);
3820+}
3821 #define atomic64_dec(v) atomic64_sub(1, v)
3822+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3823+{
3824+ atomic64_sub_unchecked(1, v);
3825+}
3826
3827 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3828 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3829
3830 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3831+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
3832+{
3833+ return cmpxchg(&v->counter, old, new);
3834+}
3835 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3836+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
3837+{
3838+ return xchg(&v->counter, new);
3839+}
3840
3841 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3842 {
3843- int c, old;
3844+ int c, old, new;
3845 c = atomic_read(v);
3846 for (;;) {
3847- if (unlikely(c == (u)))
3848+ if (unlikely(c == u))
3849 break;
3850- old = atomic_cmpxchg((v), c, c + (a));
3851+
3852+ asm volatile("addcc %2, %0, %0\n"
3853+
3854+#ifdef CONFIG_PAX_REFCOUNT
3855+ "tvs %%icc, 6\n"
3856+#endif
3857+
3858+ : "=r" (new)
3859+ : "0" (c), "ir" (a)
3860+ : "cc");
3861+
3862+ old = atomic_cmpxchg(v, c, new);
3863 if (likely(old == c))
3864 break;
3865 c = old;
3866 }
3867- return c != (u);
3868+ return c != u;
3869 }
3870
3871 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
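Review bot: In atomic_add_unless the `asm volatile("addcc ...")` block replaces the plain `c + a` even when CONFIG_PAX_REFCOUNT is off, because only the `tvs` line is inside the #ifdef. Non-PaX builds are left with an opaque volatile asm and a "cc" clobber in the cmpxchg loop for no benefit. Putting the whole asm under the #ifdef and falling back to the C addition restores the original code for those builds. The trap number 6 should also get a comment naming the handler it reaches. The same applies to atomic64_add_unless in the next hunk, with `%%xcc` in place of `%%icc`.

```c
	/* … unchanged: c == u early exit … */
#ifdef CONFIG_PAX_REFCOUNT
		/*
		 * addcc sets the overflow flag and tvs traps when it is set,
		 * so an overflowed sum never reaches atomic_cmpxchg().
		 * Software trap 6: TODO name the handler here.
		 */
		asm volatile("addcc %2, %0, %0\n"
			     "tvs %%icc, 6\n"
			     : "=r" (new)
			     : "0" (c), "ir" (a)
			     : "cc");
#else
		new = c + a;
#endif
		old = atomic_cmpxchg(v, c, new);
	/* … unchanged: retry and return … */
```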
3872@@ -90,20 +167,35 @@ static inline int atomic_add_unless(atom
3873 #define atomic64_cmpxchg(v, o, n) \
3874 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
3875 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
3876+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
3877+{
3878+ return xchg(&v->counter, new);
3879+}
3880
3881 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3882 {
3883- long c, old;
3884+ long c, old, new;
3885 c = atomic64_read(v);
3886 for (;;) {
3887- if (unlikely(c == (u)))
3888+ if (unlikely(c == u))
3889 break;
3890- old = atomic64_cmpxchg((v), c, c + (a));
3891+
3892+ asm volatile("addcc %2, %0, %0\n"
3893+
3894+#ifdef CONFIG_PAX_REFCOUNT
3895+ "tvs %%xcc, 6\n"
3896+#endif
3897+
3898+ : "=r" (new)
3899+ : "0" (c), "ir" (a)
3900+ : "cc");
3901+
3902+ old = atomic64_cmpxchg(v, c, new);
3903 if (likely(old == c))
3904 break;
3905 c = old;
3906 }
3907- return c != (u);
3908+ return c != u;
3909 }
3910
3911 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3912diff -urNp linux-2.6.32.48/arch/sparc/include/asm/cache.h linux-2.6.32.48/arch/sparc/include/asm/cache.h
3913--- linux-2.6.32.48/arch/sparc/include/asm/cache.h 2011-11-08 19:02:43.000000000 -0500
3914+++ linux-2.6.32.48/arch/sparc/include/asm/cache.h 2011-11-15 19:59:42.000000000 -0500
3915@@ -8,7 +8,7 @@
3916 #define _SPARC_CACHE_H
3917
3918 #define L1_CACHE_SHIFT 5
3919-#define L1_CACHE_BYTES 32
3920+#define L1_CACHE_BYTES 32UL
3921 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3922
3923 #ifdef CONFIG_SPARC32
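Review bot: `#define L1_CACHE_BYTES 32UL` puts a C integer suffix into a header that may also be pulled into assembly sources, where the assembler would not accept `32UL`. Whether any .S file includes this header is not visible here, so check before merging. If one does, `#define L1_CACHE_BYTES _AC(32, UL)` from <linux/const.h> keeps the unsigned long type for C and expands to a bare 32 for assembly. The change also turns every `L1_CACHE_ALIGN(x)` result into unsigned long, which is worth stating in the commit message if that is the purpose.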
3924diff -urNp linux-2.6.32.48/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.48/arch/sparc/include/asm/dma-mapping.h
3925--- linux-2.6.32.48/arch/sparc/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
3926+++ linux-2.6.32.48/arch/sparc/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
3927@@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3928 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3929 #define dma_is_consistent(d, h) (1)
3930
3931-extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3932+extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3933 extern struct bus_type pci_bus_type;
3934
3935-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3936+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3937 {
3938 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3939 if (dev->bus == &pci_bus_type)
3940@@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3941 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3942 dma_addr_t *dma_handle, gfp_t flag)
3943 {
3944- struct dma_map_ops *ops = get_dma_ops(dev);
3945+ const struct dma_map_ops *ops = get_dma_ops(dev);
3946 void *cpu_addr;
3947
3948 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3949@@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3950 static inline void dma_free_coherent(struct device *dev, size_t size,
3951 void *cpu_addr, dma_addr_t dma_handle)
3952 {
3953- struct dma_map_ops *ops = get_dma_ops(dev);
3954+ const struct dma_map_ops *ops = get_dma_ops(dev);
3955
3956 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3957 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3958diff -urNp linux-2.6.32.48/arch/sparc/include/asm/elf_32.h linux-2.6.32.48/arch/sparc/include/asm/elf_32.h
3959--- linux-2.6.32.48/arch/sparc/include/asm/elf_32.h 2011-11-08 19:02:43.000000000 -0500
3960+++ linux-2.6.32.48/arch/sparc/include/asm/elf_32.h 2011-11-15 19:59:42.000000000 -0500
3961@@ -116,6 +116,13 @@ typedef struct {
3962
3963 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3964
3965+#ifdef CONFIG_PAX_ASLR
3966+#define PAX_ELF_ET_DYN_BASE 0x10000UL
3967+
3968+#define PAX_DELTA_MMAP_LEN 16
3969+#define PAX_DELTA_STACK_LEN 16
3970+#endif
3971+
3972 /* This yields a mask that user programs can use to figure out what
3973 instruction set this cpu supports. This can NOT be done in userspace
3974 on Sparc. */
3975diff -urNp linux-2.6.32.48/arch/sparc/include/asm/elf_64.h linux-2.6.32.48/arch/sparc/include/asm/elf_64.h
3976--- linux-2.6.32.48/arch/sparc/include/asm/elf_64.h 2011-11-08 19:02:43.000000000 -0500
3977+++ linux-2.6.32.48/arch/sparc/include/asm/elf_64.h 2011-11-15 19:59:42.000000000 -0500
3978@@ -163,6 +163,12 @@ typedef struct {
3979 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3980 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3981
3982+#ifdef CONFIG_PAX_ASLR
3983+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3984+
3985+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3986+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3987+#endif
3988
3989 /* This yields a mask that user programs can use to figure out what
3990 instruction set this cpu supports. */
3991diff -urNp linux-2.6.32.48/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.48/arch/sparc/include/asm/pgtable_32.h
3992--- linux-2.6.32.48/arch/sparc/include/asm/pgtable_32.h 2011-11-08 19:02:43.000000000 -0500
3993+++ linux-2.6.32.48/arch/sparc/include/asm/pgtable_32.h 2011-11-15 19:59:42.000000000 -0500
3994@@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3995 BTFIXUPDEF_INT(page_none)
3996 BTFIXUPDEF_INT(page_copy)
3997 BTFIXUPDEF_INT(page_readonly)
3998+
3999+#ifdef CONFIG_PAX_PAGEEXEC
4000+BTFIXUPDEF_INT(page_shared_noexec)
4001+BTFIXUPDEF_INT(page_copy_noexec)
4002+BTFIXUPDEF_INT(page_readonly_noexec)
4003+#endif
4004+
4005 BTFIXUPDEF_INT(page_kernel)
4006
4007 #define PMD_SHIFT SUN4C_PMD_SHIFT
4008@@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
4009 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
4010 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
4011
4012+#ifdef CONFIG_PAX_PAGEEXEC
4013+extern pgprot_t PAGE_SHARED_NOEXEC;
4014+# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
4015+# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
4016+#else
4017+# define PAGE_SHARED_NOEXEC PAGE_SHARED
4018+# define PAGE_COPY_NOEXEC PAGE_COPY
4019+# define PAGE_READONLY_NOEXEC PAGE_READONLY
4020+#endif
4021+
4022 extern unsigned long page_kernel;
4023
4024 #ifdef MODULE
4025diff -urNp linux-2.6.32.48/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.48/arch/sparc/include/asm/pgtsrmmu.h
4026--- linux-2.6.32.48/arch/sparc/include/asm/pgtsrmmu.h 2011-11-08 19:02:43.000000000 -0500
4027+++ linux-2.6.32.48/arch/sparc/include/asm/pgtsrmmu.h 2011-11-15 19:59:42.000000000 -0500
4028@@ -115,6 +115,13 @@
4029 SRMMU_EXEC | SRMMU_REF)
4030 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
4031 SRMMU_EXEC | SRMMU_REF)
4032+
4033+#ifdef CONFIG_PAX_PAGEEXEC
4034+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
4035+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4036+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
4037+#endif
4038+
4039 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
4040 SRMMU_DIRTY | SRMMU_REF)
4041
4042diff -urNp linux-2.6.32.48/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.48/arch/sparc/include/asm/spinlock_64.h
4043--- linux-2.6.32.48/arch/sparc/include/asm/spinlock_64.h 2011-11-08 19:02:43.000000000 -0500
4044+++ linux-2.6.32.48/arch/sparc/include/asm/spinlock_64.h 2011-11-15 19:59:42.000000000 -0500
4045@@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
4046
4047 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
4048
4049-static void inline arch_read_lock(raw_rwlock_t *lock)
4050+static inline void arch_read_lock(raw_rwlock_t *lock)
4051 {
4052 unsigned long tmp1, tmp2;
4053
4054 __asm__ __volatile__ (
4055 "1: ldsw [%2], %0\n"
4056 " brlz,pn %0, 2f\n"
4057-"4: add %0, 1, %1\n"
4058+"4: addcc %0, 1, %1\n"
4059+
4060+#ifdef CONFIG_PAX_REFCOUNT
4061+" tvs %%icc, 6\n"
4062+#endif
4063+
4064 " cas [%2], %0, %1\n"
4065 " cmp %0, %1\n"
4066 " bne,pn %%icc, 1b\n"
4067@@ -112,10 +117,10 @@ static void inline arch_read_lock(raw_rw
4068 " .previous"
4069 : "=&r" (tmp1), "=&r" (tmp2)
4070 : "r" (lock)
4071- : "memory");
4072+ : "memory", "cc");
4073 }
4074
4075-static int inline arch_read_trylock(raw_rwlock_t *lock)
4076+static inline int arch_read_trylock(raw_rwlock_t *lock)
4077 {
4078 int tmp1, tmp2;
4079
4080@@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
4081 "1: ldsw [%2], %0\n"
4082 " brlz,a,pn %0, 2f\n"
4083 " mov 0, %0\n"
4084-" add %0, 1, %1\n"
4085+" addcc %0, 1, %1\n"
4086+
4087+#ifdef CONFIG_PAX_REFCOUNT
4088+" tvs %%icc, 6\n"
4089+#endif
4090+
4091 " cas [%2], %0, %1\n"
4092 " cmp %0, %1\n"
4093 " bne,pn %%icc, 1b\n"
4094@@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
4095 return tmp1;
4096 }
4097
4098-static void inline arch_read_unlock(raw_rwlock_t *lock)
4099+static inline void arch_read_unlock(raw_rwlock_t *lock)
4100 {
4101 unsigned long tmp1, tmp2;
4102
4103 __asm__ __volatile__(
4104 "1: lduw [%2], %0\n"
4105-" sub %0, 1, %1\n"
4106+" subcc %0, 1, %1\n"
4107+
4108+#ifdef CONFIG_PAX_REFCOUNT
4109+" tvs %%icc, 6\n"
4110+#endif
4111+
4112 " cas [%2], %0, %1\n"
4113 " cmp %0, %1\n"
4114 " bne,pn %%xcc, 1b\n"
4115@@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
4116 : "memory");
4117 }
4118
4119-static void inline arch_write_lock(raw_rwlock_t *lock)
4120+static inline void arch_write_lock(raw_rwlock_t *lock)
4121 {
4122 unsigned long mask, tmp1, tmp2;
4123
4124@@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
4125 : "memory");
4126 }
4127
4128-static void inline arch_write_unlock(raw_rwlock_t *lock)
4129+static inline void arch_write_unlock(raw_rwlock_t *lock)
4130 {
4131 __asm__ __volatile__(
4132 " stw %%g0, [%0]"
4133@@ -186,7 +201,7 @@ static void inline arch_write_unlock(raw
4134 : "memory");
4135 }
4136
4137-static int inline arch_write_trylock(raw_rwlock_t *lock)
4138+static inline int arch_write_trylock(raw_rwlock_t *lock)
4139 {
4140 unsigned long mask, tmp1, tmp2, result;
4141
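Review bot: The `"cc"` clobber is added only to arch_read_lock, while arch_read_unlock receives the same `sub` to `subcc` change and its clobber list, visible at the end of its asm as `: "memory");`, is left as it was. Both sequences set the integer condition codes, so the lists should agree; for arch_read_unlock that is `: "memory", "cc");`. The clobber list of arch_read_trylock falls outside its hunk and needs the same check. It would also help to comment the `tvs %%icc, 6` lines with the fact that software trap 6 is the number the trap handlers in traps_64.c test for before reporting a refcount overflow, since the literal is otherwise unexplained here.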
4142diff -urNp linux-2.6.32.48/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.48/arch/sparc/include/asm/thread_info_32.h
4143--- linux-2.6.32.48/arch/sparc/include/asm/thread_info_32.h 2011-11-08 19:02:43.000000000 -0500
4144+++ linux-2.6.32.48/arch/sparc/include/asm/thread_info_32.h 2011-11-15 19:59:42.000000000 -0500
4145@@ -50,6 +50,8 @@ struct thread_info {
4146 unsigned long w_saved;
4147
4148 struct restart_block restart_block;
4149+
4150+ unsigned long lowest_stack;
4151 };
4152
4153 /*
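--- a/arch/sparc/include/asm/thread_info_64.h
+++ b/arch/sparc/include/asm/thread_info_64.h
@@ -68,6 +68,8 @@ struct thread_info {
 struct pt_regs *kern_una_regs;
 unsigned int kern_una_insn;
 
+ unsigned long lowest_stack;
+
 unsigned long fpregs[0] __attribute__ ((aligned(64)));
 };
 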
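Review bot: `lowest_stack` is placed directly in front of `fpregs[0]`, which is declared `aligned(64)`, so depending on how much padding preceded the array the new member either fits in that padding or moves `fpregs` by 64 bytes. Any offset constants that assembly code uses for this structure are outside the hunk and have to be re-checked against the new layout. The member also carries no comment; one line stating what it records and which code updates it would help, since no use of it appears in this section. thread_info_32.h appends the same member after `restart_block`, where no existing member can move.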
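--- a/arch/sparc/include/asm/uaccess_32.h
+++ b/arch/sparc/include/asm/uaccess_32.h
@@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
 
 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
 {
- if (n && __access_ok((unsigned long) to, n))
+ if ((long)n < 0)
+ return n;
+
+ if (n && __access_ok((unsigned long) to, n)) {
+ if (!__builtin_constant_p(n))
+ check_object_size(from, n, true);
 return __copy_user(to, (__force void __user *) from, n);
- else
+ } else
 return n;
 }
 
 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
+ if (!__builtin_constant_p(n))
+ check_object_size(from, n, true);
+
 return __copy_user(to, (__force void __user *) from, n);
 }
 
 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
 {
- if (n && __access_ok((unsigned long) from, n))
+ if ((long)n < 0)
+ return n;
+
+ if (n && __access_ok((unsigned long) from, n)) {
+ if (!__builtin_constant_p(n))
+ check_object_size(to, n, false);
 return __copy_user((__force void __user *) to, from, n);
- else
+ } else
 return n;
 }
 
 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
 {
+ if ((long)n < 0)
+ return n;
+
 return __copy_user((__force void __user *) to, from, n);
 }
 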
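Review bot: `__copy_from_user` is the only one of the four helpers that gets the negative-length guard but no `check_object_size()` call. A kernel destination buffer written through this entry point is therefore not size-checked, while `copy_from_user` checks the same direction with `check_object_size(to, n, false)`. If the omission is deliberate it needs a comment saying why; otherwise add `if (!__builtin_constant_p(n))` followed by `check_object_size(to, n, false);` before the `__copy_user` call.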
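--- a/arch/sparc/include/asm/uaccess_64.h
+++ b/arch/sparc/include/asm/uaccess_64.h
@@ -9,6 +9,7 @@
 #include <linux/compiler.h>
 #include <linux/string.h>
 #include <linux/thread_info.h>
+#include <linux/kernel.h>
 #include <asm/asi.h>
 #include <asm/system.h>
 #include <asm/spitfire.h>
@@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
 static inline unsigned long __must_check
 copy_from_user(void *to, const void __user *from, unsigned long size)
 {
- unsigned long ret = ___copy_from_user(to, from, size);
+ unsigned long ret;
 
+ if ((long)size < 0 || size > INT_MAX)
+ return size;
+
+ if (!__builtin_constant_p(size))
+ check_object_size(to, size, false);
+
+ ret = ___copy_from_user(to, from, size);
 if (unlikely(ret))
 ret = copy_from_user_fixup(to, from, size);
 return ret;
@@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
 static inline unsigned long __must_check
 copy_to_user(void __user *to, const void *from, unsigned long size)
 {
- unsigned long ret = ___copy_to_user(to, from, size);
+ unsigned long ret;
+
+ if ((long)size < 0 || size > INT_MAX)
+ return size;
+
+ if (!__builtin_constant_p(size))
+ check_object_size(from, size, true);
 
+ ret = ___copy_to_user(to, from, size);
 if (unlikely(ret))
 ret = copy_to_user_fixup(to, from, size);
 return ret;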
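Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test can never be true without the second, because `size` is an `unsigned long` in this 64-bit header and any value with the top bit set is already greater than `INT_MAX`. I would reduce both copies to `if (size > INT_MAX)` and put a one-line comment above it, e.g. `/* reject lengths no legitimate caller passes; usually a sign or wrap bug upstream */`. The rejected case returns `size` unchanged, which reports that nothing was copied. The closing brace of each function lies just outside its hunk.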
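--- a/arch/sparc/include/asm/uaccess.h
+++ b/arch/sparc/include/asm/uaccess.h
@@ -1,5 +1,13 @@
 #ifndef ___ASM_SPARC_UACCESS_H
 #define ___ASM_SPARC_UACCESS_H
+
+#ifdef __KERNEL__
+#ifndef __ASSEMBLY__
+#include <linux/types.h>
+extern void check_object_size(const void *ptr, unsigned long n, bool to);
+#endif
+#endif
+
 #if defined(__sparc__) && defined(__arch64__)
 #include <asm/uaccess_64.h>
 #else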
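Review bot: The `check_object_size()` prototype is added without any description of its third argument, and the meaning of `bool to` cannot be read from the name alone. From the call sites in uaccess_32.h and uaccess_64.h, `ptr` is always the kernel-side buffer. `to` is `true` when that buffer is the source of a copy to user space and `false` when it is the destination of a copy from user space. I would put that above the declaration as a short comment, e.g. `/* ptr: kernel buffer, n: length, to: true for a copy to user space */`.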
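--- a/arch/sparc/kernel/iommu.c
+++ b/arch/sparc/kernel/iommu.c
@@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
 spin_unlock_irqrestore(&iommu->lock, flags);
 }
 
-static struct dma_map_ops sun4u_dma_ops = {
+static const struct dma_map_ops sun4u_dma_ops = {
 .alloc_coherent = dma_4u_alloc_coherent,
 .free_coherent = dma_4u_free_coherent,
 .map_page = dma_4u_map_page,
@@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
 };
 
-struct dma_map_ops *dma_ops = &sun4u_dma_ops;
+const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
 EXPORT_SYMBOL(dma_ops);
 
 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);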
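Review bot: `const struct dma_map_ops *dma_ops` makes the pointed-to table read-only, but the exported pointer itself is still an ordinary writable variable, so the hardening stops one indirection short. The pointer cannot simply be declared `* const` if other code assigns it during boot (the sun4v table in pci_sun4v.c is presumably installed that way, outside the visible hunks). The remaining exposure is therefore worth a comment at the definition, e.g. `/* table is const; this pointer is set at boot and stays writable */`. The same applies to the `dma_ops` definition in ioport.c. Every `extern` declaration of these objects must gain the same `const`, and those are outside this section.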
4303diff -urNp linux-2.6.32.48/arch/sparc/kernel/ioport.c linux-2.6.32.48/arch/sparc/kernel/ioport.c
4304--- linux-2.6.32.48/arch/sparc/kernel/ioport.c 2011-11-08 19:02:43.000000000 -0500
4305+++ linux-2.6.32.48/arch/sparc/kernel/ioport.c 2011-11-15 19:59:42.000000000 -0500
4306@@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4307 BUG();
4308 }
4309
4310-struct dma_map_ops sbus_dma_ops = {
4311+const struct dma_map_ops sbus_dma_ops = {
4312 .alloc_coherent = sbus_alloc_coherent,
4313 .free_coherent = sbus_free_coherent,
4314 .map_page = sbus_map_page,
4315@@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4316 .sync_sg_for_device = sbus_sync_sg_for_device,
4317 };
4318
4319-struct dma_map_ops *dma_ops = &sbus_dma_ops;
4320+const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4321 EXPORT_SYMBOL(dma_ops);
4322
4323 static int __init sparc_register_ioport(void)
4324@@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4325 }
4326 }
4327
4328-struct dma_map_ops pci32_dma_ops = {
4329+const struct dma_map_ops pci32_dma_ops = {
4330 .alloc_coherent = pci32_alloc_coherent,
4331 .free_coherent = pci32_free_coherent,
4332 .map_page = pci32_map_page,
4333diff -urNp linux-2.6.32.48/arch/sparc/kernel/kgdb_32.c linux-2.6.32.48/arch/sparc/kernel/kgdb_32.c
4334--- linux-2.6.32.48/arch/sparc/kernel/kgdb_32.c 2011-11-08 19:02:43.000000000 -0500
4335+++ linux-2.6.32.48/arch/sparc/kernel/kgdb_32.c 2011-11-15 19:59:42.000000000 -0500
4336@@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4337 {
4338 }
4339
4340-struct kgdb_arch arch_kgdb_ops = {
4341+const struct kgdb_arch arch_kgdb_ops = {
4342 /* Breakpoint instruction: ta 0x7d */
4343 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4344 };
4345diff -urNp linux-2.6.32.48/arch/sparc/kernel/kgdb_64.c linux-2.6.32.48/arch/sparc/kernel/kgdb_64.c
4346--- linux-2.6.32.48/arch/sparc/kernel/kgdb_64.c 2011-11-08 19:02:43.000000000 -0500
4347+++ linux-2.6.32.48/arch/sparc/kernel/kgdb_64.c 2011-11-15 19:59:42.000000000 -0500
4348@@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4349 {
4350 }
4351
4352-struct kgdb_arch arch_kgdb_ops = {
4353+const struct kgdb_arch arch_kgdb_ops = {
4354 /* Breakpoint instruction: ta 0x72 */
4355 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4356 };
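--- a/arch/sparc/kernel/Makefile
+++ b/arch/sparc/kernel/Makefile
@@ -3,7 +3,7 @@
 #
 
 asflags-y := -ansi
-ccflags-y := -Werror
+#ccflags-y := -Werror
 
 extra-y := head_$(BITS).o
 extra-y += init_task.o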
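Review bot: Commenting out `ccflags-y := -Werror` makes warnings non-fatal for every file in this directory, without saying which warning made that necessary. The const-qualification and hand-written prototype changes elsewhere in this patch are the kind that produce qualifier or declaration warnings, and those are now easy to miss. If the flag has to go, I would record the reason on the line, e.g. `# -Werror dropped: <warning and file that required it>`, or disable only the specific warning rather than the whole flag.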
4369diff -urNp linux-2.6.32.48/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.48/arch/sparc/kernel/pci_sun4v.c
4370--- linux-2.6.32.48/arch/sparc/kernel/pci_sun4v.c 2011-11-08 19:02:43.000000000 -0500
4371+++ linux-2.6.32.48/arch/sparc/kernel/pci_sun4v.c 2011-11-15 19:59:42.000000000 -0500
4372@@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4373 spin_unlock_irqrestore(&iommu->lock, flags);
4374 }
4375
4376-static struct dma_map_ops sun4v_dma_ops = {
4377+static const struct dma_map_ops sun4v_dma_ops = {
4378 .alloc_coherent = dma_4v_alloc_coherent,
4379 .free_coherent = dma_4v_free_coherent,
4380 .map_page = dma_4v_map_page,
4381diff -urNp linux-2.6.32.48/arch/sparc/kernel/process_32.c linux-2.6.32.48/arch/sparc/kernel/process_32.c
4382--- linux-2.6.32.48/arch/sparc/kernel/process_32.c 2011-11-08 19:02:43.000000000 -0500
4383+++ linux-2.6.32.48/arch/sparc/kernel/process_32.c 2011-11-15 19:59:42.000000000 -0500
4384@@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4385 rw->ins[4], rw->ins[5],
4386 rw->ins[6],
4387 rw->ins[7]);
4388- printk("%pS\n", (void *) rw->ins[7]);
4389+ printk("%pA\n", (void *) rw->ins[7]);
4390 rw = (struct reg_window32 *) rw->ins[6];
4391 }
4392 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4393@@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4394
4395 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4396 r->psr, r->pc, r->npc, r->y, print_tainted());
4397- printk("PC: <%pS>\n", (void *) r->pc);
4398+ printk("PC: <%pA>\n", (void *) r->pc);
4399 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4400 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4401 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4402 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4403 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4404 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4405- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4406+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4407
4408 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4409 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4410@@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4411 rw = (struct reg_window32 *) fp;
4412 pc = rw->ins[7];
4413 printk("[%08lx : ", pc);
4414- printk("%pS ] ", (void *) pc);
4415+ printk("%pA ] ", (void *) pc);
4416 fp = rw->ins[6];
4417 } while (++count < 16);
4418 printk("\n");
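Review bot: `%pA` is not a mainline printk pointer extension, and nothing at these call sites says what it prints or how it differs from the `%pS` it replaces; its handler is outside this chunk. Several converted lines sit next to a raw `%08lx` print of the same address (for example `printk("[%08lx : ", pc);` in show_stack), so the address itself still reaches the log whatever the new specifier does with the symbol. I would add a single comment at the first use in each file, e.g. `/* %pA: patch-local symbol format, handled by this patch's printk changes */`. The same conversion is repeated in process_64.c, traps_32.c, traps_64.c and unaligned_64.c.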
4419diff -urNp linux-2.6.32.48/arch/sparc/kernel/process_64.c linux-2.6.32.48/arch/sparc/kernel/process_64.c
4420--- linux-2.6.32.48/arch/sparc/kernel/process_64.c 2011-11-08 19:02:43.000000000 -0500
4421+++ linux-2.6.32.48/arch/sparc/kernel/process_64.c 2011-11-15 19:59:42.000000000 -0500
4422@@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4423 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4424 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4425 if (regs->tstate & TSTATE_PRIV)
4426- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4427+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4428 }
4429
4430 void show_regs(struct pt_regs *regs)
4431 {
4432 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4433 regs->tpc, regs->tnpc, regs->y, print_tainted());
4434- printk("TPC: <%pS>\n", (void *) regs->tpc);
4435+ printk("TPC: <%pA>\n", (void *) regs->tpc);
4436 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4437 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4438 regs->u_regs[3]);
4439@@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4440 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4441 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4442 regs->u_regs[15]);
4443- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4444+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4445 show_regwindow(regs);
4446 }
4447
4448@@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4449 ((tp && tp->task) ? tp->task->pid : -1));
4450
4451 if (gp->tstate & TSTATE_PRIV) {
4452- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4453+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4454 (void *) gp->tpc,
4455 (void *) gp->o7,
4456 (void *) gp->i7,
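--- a/arch/sparc/kernel/sys_sparc_32.c
+++ b/arch/sparc/kernel/sys_sparc_32.c
@@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
 if (ARCH_SUN4C && len > 0x20000000)
 return -ENOMEM;
 if (!addr)
- addr = TASK_UNMAPPED_BASE;
+ addr = current->mm->mmap_base;
 
 if (flags & MAP_SHARED)
 addr = COLOUR_ALIGN(addr);
@@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
 }
 if (TASK_SIZE - PAGE_SIZE - len < addr)
 return -ENOMEM;
- if (!vmm || addr + len <= vmm->vm_start)
+ if (check_heap_stack_gap(vmm, addr, len))
 return addr;
 addr = vmm->vm_end;
 if (flags & MAP_SHARED)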
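Review bot: After the second hunk the fall-through line `addr = vmm->vm_end;` relies on `check_heap_stack_gap()` returning true whenever `vmm` is NULL, a guarantee the removed `!vmm ||` test gave explicitly. The helper is defined outside this chunk, so that contract cannot be confirmed from here; if it can ever return false for a NULL vma, this becomes a NULL dereference in the mmap path. I would keep the guarantee visible at the call site with a comment such as `/* check_heap_stack_gap() treats a NULL vma as "nothing mapped above" */`, or retain the explicit test as `if (!vmm || check_heap_stack_gap(vmm, addr, len))`. The enclosing loop of arch_get_unmapped_area starts and ends outside the hunk.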
4478diff -urNp linux-2.6.32.48/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.48/arch/sparc/kernel/sys_sparc_64.c
4479--- linux-2.6.32.48/arch/sparc/kernel/sys_sparc_64.c 2011-11-08 19:02:43.000000000 -0500
4480+++ linux-2.6.32.48/arch/sparc/kernel/sys_sparc_64.c 2011-11-15 19:59:42.000000000 -0500
4481@@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4482 /* We do not accept a shared mapping if it would violate
4483 * cache aliasing constraints.
4484 */
4485- if ((flags & MAP_SHARED) &&
4486+ if ((filp || (flags & MAP_SHARED)) &&
4487 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4488 return -EINVAL;
4489 return addr;
4490@@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4491 if (filp || (flags & MAP_SHARED))
4492 do_color_align = 1;
4493
4494+#ifdef CONFIG_PAX_RANDMMAP
4495+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4496+#endif
4497+
4498 if (addr) {
4499 if (do_color_align)
4500 addr = COLOUR_ALIGN(addr, pgoff);
4501@@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4502 addr = PAGE_ALIGN(addr);
4503
4504 vma = find_vma(mm, addr);
4505- if (task_size - len >= addr &&
4506- (!vma || addr + len <= vma->vm_start))
4507+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4508 return addr;
4509 }
4510
4511 if (len > mm->cached_hole_size) {
4512- start_addr = addr = mm->free_area_cache;
4513+ start_addr = addr = mm->free_area_cache;
4514 } else {
4515- start_addr = addr = TASK_UNMAPPED_BASE;
4516+ start_addr = addr = mm->mmap_base;
4517 mm->cached_hole_size = 0;
4518 }
4519
4520@@ -175,14 +178,14 @@ full_search:
4521 vma = find_vma(mm, VA_EXCLUDE_END);
4522 }
4523 if (unlikely(task_size < addr)) {
4524- if (start_addr != TASK_UNMAPPED_BASE) {
4525- start_addr = addr = TASK_UNMAPPED_BASE;
4526+ if (start_addr != mm->mmap_base) {
4527+ start_addr = addr = mm->mmap_base;
4528 mm->cached_hole_size = 0;
4529 goto full_search;
4530 }
4531 return -ENOMEM;
4532 }
4533- if (likely(!vma || addr + len <= vma->vm_start)) {
4534+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4535 /*
4536 * Remember the place where we stopped the search:
4537 */
4538@@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4539 /* We do not accept a shared mapping if it would violate
4540 * cache aliasing constraints.
4541 */
4542- if ((flags & MAP_SHARED) &&
4543+ if ((filp || (flags & MAP_SHARED)) &&
4544 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4545 return -EINVAL;
4546 return addr;
4547@@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4548 addr = PAGE_ALIGN(addr);
4549
4550 vma = find_vma(mm, addr);
4551- if (task_size - len >= addr &&
4552- (!vma || addr + len <= vma->vm_start))
4553+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4554 return addr;
4555 }
4556
4557@@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4558 /* make sure it can fit in the remaining address space */
4559 if (likely(addr > len)) {
4560 vma = find_vma(mm, addr-len);
4561- if (!vma || addr <= vma->vm_start) {
4562+ if (check_heap_stack_gap(vma, addr - len, len)) {
4563 /* remember the address as a hint for next time */
4564 return (mm->free_area_cache = addr-len);
4565 }
4566@@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4567 if (unlikely(mm->mmap_base < len))
4568 goto bottomup;
4569
4570- addr = mm->mmap_base-len;
4571- if (do_color_align)
4572- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4573+ addr = mm->mmap_base - len;
4574
4575 do {
4576+ if (do_color_align)
4577+ addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4578 /*
4579 * Lookup failure means no vma is above this address,
4580 * else if new region fits below vma->vm_start,
4581 * return with success:
4582 */
4583 vma = find_vma(mm, addr);
4584- if (likely(!vma || addr+len <= vma->vm_start)) {
4585+ if (likely(check_heap_stack_gap(vma, addr, len))) {
4586 /* remember the address as a hint for next time */
4587 return (mm->free_area_cache = addr);
4588 }
4589@@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4590 mm->cached_hole_size = vma->vm_start - addr;
4591
4592 /* try just below the current vma->vm_start */
4593- addr = vma->vm_start-len;
4594- if (do_color_align)
4595- addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4596- } while (likely(len < vma->vm_start));
4597+ addr = skip_heap_stack_gap(vma, len);
4598+ } while (!IS_ERR_VALUE(addr));
4599
4600 bottomup:
4601 /*
4602@@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4603 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4604 sysctl_legacy_va_layout) {
4605 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4606+
4607+#ifdef CONFIG_PAX_RANDMMAP
4608+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4609+ mm->mmap_base += mm->delta_mmap;
4610+#endif
4611+
4612 mm->get_unmapped_area = arch_get_unmapped_area;
4613 mm->unmap_area = arch_unmap_area;
4614 } else {
4615@@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4616 gap = (task_size / 6 * 5);
4617
4618 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4619+
4620+#ifdef CONFIG_PAX_RANDMMAP
4621+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4622+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4623+#endif
4624+
4625 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4626 mm->unmap_area = arch_unmap_area_topdown;
4627 }
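Review bot: In the second hunk the added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated from the `if (addr) {` it governs by `#endif` and a blank line. The control flow therefore changes with the config option in a way that is easy to misread or to break with a later insertion. I would fold the test into the existing condition, `if (addr && !(mm->pax_flags & MF_PAX_RANDMMAP)) {` under the `#ifdef`, with the plain `if (addr) {` in an `#else`. No hunk in this section touches the corresponding address-hint test in arch_get_unmapped_area_topdown, so as far as the visible hunks show, a caller-supplied hint is still honoured there when RANDMMAP is active; that asymmetry should be either fixed or explained in a comment. The bodies of both functions extend beyond the hunks.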
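--- a/arch/sparc/kernel/traps_32.c
+++ b/arch/sparc/kernel/traps_32.c
@@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
 
+extern void gr_handle_kernel_exploit(void);
+
 void die_if_kernel(char *str, struct pt_regs *regs)
 {
 static int die_counter;
@@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
 count++ < 30 &&
 (((unsigned long) rw) >= PAGE_OFFSET) &&
 !(((unsigned long) rw) & 0x7)) {
- printk("Caller[%08lx]: %pS\n", rw->ins[7],
+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
 (void *) rw->ins[7]);
 rw = (struct reg_window32 *)rw->ins[6];
 }
 }
 printk("Instruction DUMP:");
 instruction_dump ((unsigned long *) regs->pc);
- if(regs->psr & PSR_PS)
+ if(regs->psr & PSR_PS) {
+ gr_handle_kernel_exploit();
 do_exit(SIGKILL);
+ }
 do_exit(SIGSEGV);
 }
 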
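Review bot: `extern void gr_handle_kernel_exploit(void);` is declared by hand in the .c file, and traps_64.c adds an identical private declaration, so the compiler never checks either against the function's definition. A prototype in a shared header, included by both files and by the defining file, would turn a later signature change into a build error instead of a silent mismatch on the kernel-fault path. The call in die_if_kernel is also unconditional, so the symbol has to exist in every configuration; whether a stub is provided when the feature is disabled cannot be seen from this chunk.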
4660diff -urNp linux-2.6.32.48/arch/sparc/kernel/traps_64.c linux-2.6.32.48/arch/sparc/kernel/traps_64.c
4661--- linux-2.6.32.48/arch/sparc/kernel/traps_64.c 2011-11-08 19:02:43.000000000 -0500
4662+++ linux-2.6.32.48/arch/sparc/kernel/traps_64.c 2011-11-15 19:59:42.000000000 -0500
4663@@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4664 i + 1,
4665 p->trapstack[i].tstate, p->trapstack[i].tpc,
4666 p->trapstack[i].tnpc, p->trapstack[i].tt);
4667- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4668+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4669 }
4670 }
4671
4672@@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4673
4674 lvl -= 0x100;
4675 if (regs->tstate & TSTATE_PRIV) {
4676+
4677+#ifdef CONFIG_PAX_REFCOUNT
4678+ if (lvl == 6)
4679+ pax_report_refcount_overflow(regs);
4680+#endif
4681+
4682 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4683 die_if_kernel(buffer, regs);
4684 }
4685@@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4686 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4687 {
4688 char buffer[32];
4689-
4690+
4691 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4692 0, lvl, SIGTRAP) == NOTIFY_STOP)
4693 return;
4694
4695+#ifdef CONFIG_PAX_REFCOUNT
4696+ if (lvl == 6)
4697+ pax_report_refcount_overflow(regs);
4698+#endif
4699+
4700 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4701
4702 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4703@@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4704 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4705 printk("%s" "ERROR(%d): ",
4706 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4707- printk("TPC<%pS>\n", (void *) regs->tpc);
4708+ printk("TPC<%pA>\n", (void *) regs->tpc);
4709 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4710 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4711 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4712@@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4713 smp_processor_id(),
4714 (type & 0x1) ? 'I' : 'D',
4715 regs->tpc);
4716- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4717+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4718 panic("Irrecoverable Cheetah+ parity error.");
4719 }
4720
4721@@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4722 smp_processor_id(),
4723 (type & 0x1) ? 'I' : 'D',
4724 regs->tpc);
4725- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4726+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4727 }
4728
4729 struct sun4v_error_entry {
4730@@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4731
4732 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4733 regs->tpc, tl);
4734- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4735+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4736 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4737- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4738+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4739 (void *) regs->u_regs[UREG_I7]);
4740 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4741 "pte[%lx] error[%lx]\n",
4742@@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4743
4744 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4745 regs->tpc, tl);
4746- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4747+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4748 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4749- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4750+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4751 (void *) regs->u_regs[UREG_I7]);
4752 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4753 "pte[%lx] error[%lx]\n",
4754@@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4755 fp = (unsigned long)sf->fp + STACK_BIAS;
4756 }
4757
4758- printk(" [%016lx] %pS\n", pc, (void *) pc);
4759+ printk(" [%016lx] %pA\n", pc, (void *) pc);
4760 } while (++count < 16);
4761 }
4762
4763@@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4764 return (struct reg_window *) (fp + STACK_BIAS);
4765 }
4766
4767+extern void gr_handle_kernel_exploit(void);
4768+
4769 void die_if_kernel(char *str, struct pt_regs *regs)
4770 {
4771 static int die_counter;
4772@@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4773 while (rw &&
4774 count++ < 30&&
4775 is_kernel_stack(current, rw)) {
4776- printk("Caller[%016lx]: %pS\n", rw->ins[7],
4777+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
4778 (void *) rw->ins[7]);
4779
4780 rw = kernel_stack_up(rw);
4781@@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4782 }
4783 user_instruction_dump ((unsigned int __user *) regs->tpc);
4784 }
4785- if (regs->tstate & TSTATE_PRIV)
4786+ if (regs->tstate & TSTATE_PRIV) {
4787+ gr_handle_kernel_exploit();
4788 do_exit(SIGKILL);
4789+ }
4790+
4791 do_exit(SIGSEGV);
4792 }
4793 EXPORT_SYMBOL(die_if_kernel);
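Review bot: The two `lvl == 6` tests are made at different points of normalisation: in bad_trap the comparison follows the visible `lvl -= 0x100;`, whereas the body of bad_trap_tl1 shown in its hunk compares `lvl` as passed in, with no such adjustment. If the TL>0 path hands over the same biased trap number, the refcount-overflow report there never fires; the trap-table side is outside this chunk, so this needs confirming. The literal 6 also has to stay in step with the `tvs %icc, 6` instructions added in spinlock_64.h and atomic_64.S, and a shared named constant with a comment would make that link explicit. In both handlers the report is followed by the normal die path, so a comment should say whether `pax_report_refcount_overflow()` is expected to return.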
4794diff -urNp linux-2.6.32.48/arch/sparc/kernel/una_asm_64.S linux-2.6.32.48/arch/sparc/kernel/una_asm_64.S
4795--- linux-2.6.32.48/arch/sparc/kernel/una_asm_64.S 2011-11-08 19:02:43.000000000 -0500
4796+++ linux-2.6.32.48/arch/sparc/kernel/una_asm_64.S 2011-11-15 19:59:42.000000000 -0500
4797@@ -127,7 +127,7 @@ do_int_load:
4798 wr %o5, 0x0, %asi
4799 retl
4800 mov 0, %o0
4801- .size __do_int_load, .-__do_int_load
4802+ .size do_int_load, .-do_int_load
4803
4804 .section __ex_table,"a"
4805 .word 4b, __retl_efault
4806diff -urNp linux-2.6.32.48/arch/sparc/kernel/unaligned_64.c linux-2.6.32.48/arch/sparc/kernel/unaligned_64.c
4807--- linux-2.6.32.48/arch/sparc/kernel/unaligned_64.c 2011-11-08 19:02:43.000000000 -0500
4808+++ linux-2.6.32.48/arch/sparc/kernel/unaligned_64.c 2011-11-15 19:59:42.000000000 -0500
4809@@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4810 if (count < 5) {
4811 last_time = jiffies;
4812 count++;
4813- printk("Kernel unaligned access at TPC[%lx] %pS\n",
4814+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
4815 regs->tpc, (void *) regs->tpc);
4816 }
4817 }
4818diff -urNp linux-2.6.32.48/arch/sparc/lib/atomic_64.S linux-2.6.32.48/arch/sparc/lib/atomic_64.S
4819--- linux-2.6.32.48/arch/sparc/lib/atomic_64.S 2011-11-08 19:02:43.000000000 -0500
4820+++ linux-2.6.32.48/arch/sparc/lib/atomic_64.S 2011-11-15 19:59:42.000000000 -0500
4821@@ -18,7 +18,12 @@
4822 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4823 BACKOFF_SETUP(%o2)
4824 1: lduw [%o1], %g1
4825- add %g1, %o0, %g7
4826+ addcc %g1, %o0, %g7
4827+
4828+#ifdef CONFIG_PAX_REFCOUNT
4829+ tvs %icc, 6
4830+#endif
4831+
4832 cas [%o1], %g1, %g7
4833 cmp %g1, %g7
4834 bne,pn %icc, 2f
4835@@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4836 2: BACKOFF_SPIN(%o2, %o3, 1b)
4837 .size atomic_add, .-atomic_add
4838
4839+ .globl atomic_add_unchecked
4840+ .type atomic_add_unchecked,#function
4841+atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4842+ BACKOFF_SETUP(%o2)
4843+1: lduw [%o1], %g1
4844+ add %g1, %o0, %g7
4845+ cas [%o1], %g1, %g7
4846+ cmp %g1, %g7
4847+ bne,pn %icc, 2f
4848+ nop
4849+ retl
4850+ nop
4851+2: BACKOFF_SPIN(%o2, %o3, 1b)
4852+ .size atomic_add_unchecked, .-atomic_add_unchecked
4853+
4854 .globl atomic_sub
4855 .type atomic_sub,#function
4856 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4857 BACKOFF_SETUP(%o2)
4858 1: lduw [%o1], %g1
4859- sub %g1, %o0, %g7
4860+ subcc %g1, %o0, %g7
4861+
4862+#ifdef CONFIG_PAX_REFCOUNT
4863+ tvs %icc, 6
4864+#endif
4865+
4866 cas [%o1], %g1, %g7
4867 cmp %g1, %g7
4868 bne,pn %icc, 2f
4869@@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4870 2: BACKOFF_SPIN(%o2, %o3, 1b)
4871 .size atomic_sub, .-atomic_sub
4872
4873+ .globl atomic_sub_unchecked
4874+ .type atomic_sub_unchecked,#function
4875+atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4876+ BACKOFF_SETUP(%o2)
4877+1: lduw [%o1], %g1
4878+ sub %g1, %o0, %g7
4879+ cas [%o1], %g1, %g7
4880+ cmp %g1, %g7
4881+ bne,pn %icc, 2f
4882+ nop
4883+ retl
4884+ nop
4885+2: BACKOFF_SPIN(%o2, %o3, 1b)
4886+ .size atomic_sub_unchecked, .-atomic_sub_unchecked
4887+
4888 .globl atomic_add_ret
4889 .type atomic_add_ret,#function
4890 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4891 BACKOFF_SETUP(%o2)
4892 1: lduw [%o1], %g1
4893- add %g1, %o0, %g7
4894+ addcc %g1, %o0, %g7
4895+
4896+#ifdef CONFIG_PAX_REFCOUNT
4897+ tvs %icc, 6
4898+#endif
4899+
4900 cas [%o1], %g1, %g7
4901 cmp %g1, %g7
4902 bne,pn %icc, 2f
4903@@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4904 2: BACKOFF_SPIN(%o2, %o3, 1b)
4905 .size atomic_add_ret, .-atomic_add_ret
4906
4907+ .globl atomic_add_ret_unchecked
4908+ .type atomic_add_ret_unchecked,#function
4909+atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4910+ BACKOFF_SETUP(%o2)
4911+1: lduw [%o1], %g1
4912+ addcc %g1, %o0, %g7
4913+ cas [%o1], %g1, %g7
4914+ cmp %g1, %g7
4915+ bne,pn %icc, 2f
4916+ add %g7, %o0, %g7
4917+ sra %g7, 0, %o0
4918+ retl
4919+ nop
4920+2: BACKOFF_SPIN(%o2, %o3, 1b)
4921+ .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4922+
4923 .globl atomic_sub_ret
4924 .type atomic_sub_ret,#function
4925 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4926 BACKOFF_SETUP(%o2)
4927 1: lduw [%o1], %g1
4928- sub %g1, %o0, %g7
4929+ subcc %g1, %o0, %g7
4930+
4931+#ifdef CONFIG_PAX_REFCOUNT
4932+ tvs %icc, 6
4933+#endif
4934+
4935 cas [%o1], %g1, %g7
4936 cmp %g1, %g7
4937 bne,pn %icc, 2f
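Review bot: atomic_add_ret_unchecked computes the sum with `addcc` although it has no overflow trap, whereas atomic_add_unchecked and atomic_sub_unchecked in the earlier hunks use plain `add`/`sub`. The flags are overwritten by the following `cmp`, so this is harmless, but it reads as if a `tvs` had been dropped by mistake; `add %g1, %o0, %g7` would make the intent clear. atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked in the later hunks carry the same `addcc`/`subcc`. The hunk ends inside atomic_sub_ret, whose body continues outside it.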
4938@@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4939 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4940 BACKOFF_SETUP(%o2)
4941 1: ldx [%o1], %g1
4942- add %g1, %o0, %g7
4943+ addcc %g1, %o0, %g7
4944+
4945+#ifdef CONFIG_PAX_REFCOUNT
4946+ tvs %xcc, 6
4947+#endif
4948+
4949 casx [%o1], %g1, %g7
4950 cmp %g1, %g7
4951 bne,pn %xcc, 2f
4952@@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4953 2: BACKOFF_SPIN(%o2, %o3, 1b)
4954 .size atomic64_add, .-atomic64_add
4955
4956+ .globl atomic64_add_unchecked
4957+ .type atomic64_add_unchecked,#function
4958+atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4959+ BACKOFF_SETUP(%o2)
4960+1: ldx [%o1], %g1
4961+ addcc %g1, %o0, %g7
4962+ casx [%o1], %g1, %g7
4963+ cmp %g1, %g7
4964+ bne,pn %xcc, 2f
4965+ nop
4966+ retl
4967+ nop
4968+2: BACKOFF_SPIN(%o2, %o3, 1b)
4969+ .size atomic64_add_unchecked, .-atomic64_add_unchecked
4970+
4971 .globl atomic64_sub
4972 .type atomic64_sub,#function
4973 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4974 BACKOFF_SETUP(%o2)
4975 1: ldx [%o1], %g1
4976- sub %g1, %o0, %g7
4977+ subcc %g1, %o0, %g7
4978+
4979+#ifdef CONFIG_PAX_REFCOUNT
4980+ tvs %xcc, 6
4981+#endif
4982+
4983 casx [%o1], %g1, %g7
4984 cmp %g1, %g7
4985 bne,pn %xcc, 2f
4986@@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4987 2: BACKOFF_SPIN(%o2, %o3, 1b)
4988 .size atomic64_sub, .-atomic64_sub
4989
4990+ .globl atomic64_sub_unchecked
4991+ .type atomic64_sub_unchecked,#function
4992+atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4993+ BACKOFF_SETUP(%o2)
4994+1: ldx [%o1], %g1
4995+ subcc %g1, %o0, %g7
4996+ casx [%o1], %g1, %g7
4997+ cmp %g1, %g7
4998+ bne,pn %xcc, 2f
4999+ nop
5000+ retl
5001+ nop
5002+2: BACKOFF_SPIN(%o2, %o3, 1b)
5003+ .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
5004+
5005 .globl atomic64_add_ret
5006 .type atomic64_add_ret,#function
5007 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
5008 BACKOFF_SETUP(%o2)
5009 1: ldx [%o1], %g1
5010- add %g1, %o0, %g7
5011+ addcc %g1, %o0, %g7
5012+
5013+#ifdef CONFIG_PAX_REFCOUNT
5014+ tvs %xcc, 6
5015+#endif
5016+
5017 casx [%o1], %g1, %g7
5018 cmp %g1, %g7
5019 bne,pn %xcc, 2f
5020@@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
5021 2: BACKOFF_SPIN(%o2, %o3, 1b)
5022 .size atomic64_add_ret, .-atomic64_add_ret
5023
5024+ .globl atomic64_add_ret_unchecked
5025+ .type atomic64_add_ret_unchecked,#function
5026+atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
5027+ BACKOFF_SETUP(%o2)
5028+1: ldx [%o1], %g1
5029+ addcc %g1, %o0, %g7
5030+ casx [%o1], %g1, %g7
5031+ cmp %g1, %g7
5032+ bne,pn %xcc, 2f
5033+ add %g7, %o0, %g7
5034+ mov %g7, %o0
5035+ retl
5036+ nop
5037+2: BACKOFF_SPIN(%o2, %o3, 1b)
5038+ .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
5039+
5040 .globl atomic64_sub_ret
5041 .type atomic64_sub_ret,#function
5042 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
5043 BACKOFF_SETUP(%o2)
5044 1: ldx [%o1], %g1
5045- sub %g1, %o0, %g7
5046+ subcc %g1, %o0, %g7
5047+
5048+#ifdef CONFIG_PAX_REFCOUNT
5049+ tvs %xcc, 6
5050+#endif
5051+
5052 casx [%o1], %g1, %g7
5053 cmp %g1, %g7
5054 bne,pn %xcc, 2f
5055diff -urNp linux-2.6.32.48/arch/sparc/lib/ksyms.c linux-2.6.32.48/arch/sparc/lib/ksyms.c
5056--- linux-2.6.32.48/arch/sparc/lib/ksyms.c 2011-11-08 19:02:43.000000000 -0500
5057+++ linux-2.6.32.48/arch/sparc/lib/ksyms.c 2011-11-15 19:59:42.000000000 -0500
5058@@ -144,12 +144,18 @@ EXPORT_SYMBOL(__downgrade_write);
5059
5060 /* Atomic counter implementation. */
5061 EXPORT_SYMBOL(atomic_add);
5062+EXPORT_SYMBOL(atomic_add_unchecked);
5063 EXPORT_SYMBOL(atomic_add_ret);
5064+EXPORT_SYMBOL(atomic_add_ret_unchecked);
5065 EXPORT_SYMBOL(atomic_sub);
5066+EXPORT_SYMBOL(atomic_sub_unchecked);
5067 EXPORT_SYMBOL(atomic_sub_ret);
5068 EXPORT_SYMBOL(atomic64_add);
5069+EXPORT_SYMBOL(atomic64_add_unchecked);
5070 EXPORT_SYMBOL(atomic64_add_ret);
5071+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
5072 EXPORT_SYMBOL(atomic64_sub);
5073+EXPORT_SYMBOL(atomic64_sub_unchecked);
5074 EXPORT_SYMBOL(atomic64_sub_ret);
5075
5076 /* Atomic bit operations. */
5077diff -urNp linux-2.6.32.48/arch/sparc/lib/Makefile linux-2.6.32.48/arch/sparc/lib/Makefile
5078--- linux-2.6.32.48/arch/sparc/lib/Makefile 2011-11-08 19:02:43.000000000 -0500
5079+++ linux-2.6.32.48/arch/sparc/lib/Makefile 2011-11-15 19:59:42.000000000 -0500
5080@@ -2,7 +2,7 @@
5081 #
5082
5083 asflags-y := -ansi -DST_DIV0=0x02
5084-ccflags-y := -Werror
5085+#ccflags-y := -Werror
5086
5087 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
5088 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
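Review bot: `ccflags-y := -Werror` is commented out with no explanation, so compiler warnings in arch/sparc/lib no longer fail the build and nothing records why. If a specific warning introduced by this patch forced the change, the line should say so, e.g. `# -Werror disabled: <warning that breaks the build>`. Better still, fix or suppress that one warning so the rest of the directory stays warning-clean.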
5089diff -urNp linux-2.6.32.48/arch/sparc/lib/rwsem_64.S linux-2.6.32.48/arch/sparc/lib/rwsem_64.S
5090--- linux-2.6.32.48/arch/sparc/lib/rwsem_64.S 2011-11-08 19:02:43.000000000 -0500
5091+++ linux-2.6.32.48/arch/sparc/lib/rwsem_64.S 2011-11-15 19:59:42.000000000 -0500
5092@@ -11,7 +11,12 @@
5093 .globl __down_read
5094 __down_read:
5095 1: lduw [%o0], %g1
5096- add %g1, 1, %g7
5097+ addcc %g1, 1, %g7
5098+
5099+#ifdef CONFIG_PAX_REFCOUNT
5100+ tvs %icc, 6
5101+#endif
5102+
5103 cas [%o0], %g1, %g7
5104 cmp %g1, %g7
5105 bne,pn %icc, 1b
5106@@ -33,7 +38,12 @@ __down_read:
5107 .globl __down_read_trylock
5108 __down_read_trylock:
5109 1: lduw [%o0], %g1
5110- add %g1, 1, %g7
5111+ addcc %g1, 1, %g7
5112+
5113+#ifdef CONFIG_PAX_REFCOUNT
5114+ tvs %icc, 6
5115+#endif
5116+
5117 cmp %g7, 0
5118 bl,pn %icc, 2f
5119 mov 0, %o1
5120@@ -51,7 +61,12 @@ __down_write:
5121 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5122 1:
5123 lduw [%o0], %g3
5124- add %g3, %g1, %g7
5125+ addcc %g3, %g1, %g7
5126+
5127+#ifdef CONFIG_PAX_REFCOUNT
5128+ tvs %icc, 6
5129+#endif
5130+
5131 cas [%o0], %g3, %g7
5132 cmp %g3, %g7
5133 bne,pn %icc, 1b
5134@@ -77,7 +92,12 @@ __down_write_trylock:
5135 cmp %g3, 0
5136 bne,pn %icc, 2f
5137 mov 0, %o1
5138- add %g3, %g1, %g7
5139+ addcc %g3, %g1, %g7
5140+
5141+#ifdef CONFIG_PAX_REFCOUNT
5142+ tvs %icc, 6
5143+#endif
5144+
5145 cas [%o0], %g3, %g7
5146 cmp %g3, %g7
5147 bne,pn %icc, 1b
5148@@ -90,7 +110,12 @@ __down_write_trylock:
5149 __up_read:
5150 1:
5151 lduw [%o0], %g1
5152- sub %g1, 1, %g7
5153+ subcc %g1, 1, %g7
5154+
5155+#ifdef CONFIG_PAX_REFCOUNT
5156+ tvs %icc, 6
5157+#endif
5158+
5159 cas [%o0], %g1, %g7
5160 cmp %g1, %g7
5161 bne,pn %icc, 1b
5162@@ -118,7 +143,12 @@ __up_write:
5163 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
5164 1:
5165 lduw [%o0], %g3
5166- sub %g3, %g1, %g7
5167+ subcc %g3, %g1, %g7
5168+
5169+#ifdef CONFIG_PAX_REFCOUNT
5170+ tvs %icc, 6
5171+#endif
5172+
5173 cas [%o0], %g3, %g7
5174 cmp %g3, %g7
5175 bne,pn %icc, 1b
5176@@ -143,7 +173,12 @@ __downgrade_write:
5177 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
5178 1:
5179 lduw [%o0], %g3
5180- sub %g3, %g1, %g7
5181+ subcc %g3, %g1, %g7
5182+
5183+#ifdef CONFIG_PAX_REFCOUNT
5184+ tvs %icc, 6
5185+#endif
5186+
5187 cas [%o0], %g3, %g7
5188 cmp %g3, %g7
5189 bne,pn %icc, 1b
5190diff -urNp linux-2.6.32.48/arch/sparc/Makefile linux-2.6.32.48/arch/sparc/Makefile
5191--- linux-2.6.32.48/arch/sparc/Makefile 2011-11-08 19:02:43.000000000 -0500
5192+++ linux-2.6.32.48/arch/sparc/Makefile 2011-11-15 19:59:42.000000000 -0500
5193@@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
5194 # Export what is needed by arch/sparc/boot/Makefile
5195 export VMLINUX_INIT VMLINUX_MAIN
5196 VMLINUX_INIT := $(head-y) $(init-y)
5197-VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
5198+VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
5199 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
5200 VMLINUX_MAIN += $(drivers-y) $(net-y)
5201
5202diff -urNp linux-2.6.32.48/arch/sparc/mm/fault_32.c linux-2.6.32.48/arch/sparc/mm/fault_32.c
5203--- linux-2.6.32.48/arch/sparc/mm/fault_32.c 2011-11-08 19:02:43.000000000 -0500
5204+++ linux-2.6.32.48/arch/sparc/mm/fault_32.c 2011-11-18 18:01:52.000000000 -0500
5205@@ -21,6 +21,9 @@
5206 #include <linux/interrupt.h>
5207 #include <linux/module.h>
5208 #include <linux/kdebug.h>
5209+#include <linux/slab.h>
5210+#include <linux/pagemap.h>
5211+#include <linux/compiler.h>
5212
5213 #include <asm/system.h>
5214 #include <asm/page.h>
5215@@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
5216 return safe_compute_effective_address(regs, insn);
5217 }
5218
5219+#ifdef CONFIG_PAX_PAGEEXEC
5220+#ifdef CONFIG_PAX_DLRESOLVE
5221+static void pax_emuplt_close(struct vm_area_struct *vma)
5222+{
5223+ vma->vm_mm->call_dl_resolve = 0UL;
5224+}
5225+
5226+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5227+{
5228+ unsigned int *kaddr;
5229+
5230+ vmf->page = alloc_page(GFP_HIGHUSER);
5231+ if (!vmf->page)
5232+ return VM_FAULT_OOM;
5233+
5234+ kaddr = kmap(vmf->page);
5235+ memset(kaddr, 0, PAGE_SIZE);
5236+ kaddr[0] = 0x9DE3BFA8U; /* save */
5237+ flush_dcache_page(vmf->page);
5238+ kunmap(vmf->page);
5239+ return VM_FAULT_MAJOR;
5240+}
5241+
5242+static const struct vm_operations_struct pax_vm_ops = {
5243+ .close = pax_emuplt_close,
5244+ .fault = pax_emuplt_fault
5245+};
5246+
5247+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5248+{
5249+ int ret;
5250+
5251+ vma->vm_mm = current->mm;
5252+ vma->vm_start = addr;
5253+ vma->vm_end = addr + PAGE_SIZE;
5254+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5255+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5256+ vma->vm_ops = &pax_vm_ops;
5257+
5258+ ret = insert_vm_struct(current->mm, vma);
5259+ if (ret)
5260+ return ret;
5261+
5262+ ++current->mm->total_vm;
5263+ return 0;
5264+}
5265+#endif
5266+
5267+/*
5268+ * PaX: decide what to do with offenders (regs->pc = fault address)
5269+ *
5270+ * returns 1 when task should be killed
5271+ * 2 when patched PLT trampoline was detected
5272+ * 3 when unpatched PLT trampoline was detected
5273+ */
5274+static int pax_handle_fetch_fault(struct pt_regs *regs)
5275+{
5276+
5277+#ifdef CONFIG_PAX_EMUPLT
5278+ int err;
5279+
5280+ do { /* PaX: patched PLT emulation #1 */
5281+ unsigned int sethi1, sethi2, jmpl;
5282+
5283+ err = get_user(sethi1, (unsigned int *)regs->pc);
5284+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
5285+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5286+
5287+ if (err)
5288+ break;
5289+
5290+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5291+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
5292+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
5293+ {
5294+ unsigned int addr;
5295+
5296+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5297+ addr = regs->u_regs[UREG_G1];
5298+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5299+ regs->pc = addr;
5300+ regs->npc = addr+4;
5301+ return 2;
5302+ }
5303+ } while (0);
5304+
5305+ { /* PaX: patched PLT emulation #2 */
5306+ unsigned int ba;
5307+
5308+ err = get_user(ba, (unsigned int *)regs->pc);
5309+
5310+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5311+ unsigned int addr;
5312+
5313+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5314+ regs->pc = addr;
5315+ regs->npc = addr+4;
5316+ return 2;
5317+ }
5318+ }
5319+
5320+ do { /* PaX: patched PLT emulation #3 */
5321+ unsigned int sethi, jmpl, nop;
5322+
5323+ err = get_user(sethi, (unsigned int *)regs->pc);
5324+ err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5325+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
5326+
5327+ if (err)
5328+ break;
5329+
5330+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5331+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5332+ nop == 0x01000000U)
5333+ {
5334+ unsigned int addr;
5335+
5336+ addr = (sethi & 0x003FFFFFU) << 10;
5337+ regs->u_regs[UREG_G1] = addr;
5338+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5339+ regs->pc = addr;
5340+ regs->npc = addr+4;
5341+ return 2;
5342+ }
5343+ } while (0);
5344+
5345+ do { /* PaX: unpatched PLT emulation step 1 */
5346+ unsigned int sethi, ba, nop;
5347+
5348+ err = get_user(sethi, (unsigned int *)regs->pc);
5349+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
5350+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
5351+
5352+ if (err)
5353+ break;
5354+
5355+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5356+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5357+ nop == 0x01000000U)
5358+ {
5359+ unsigned int addr, save, call;
5360+
5361+ if ((ba & 0xFFC00000U) == 0x30800000U)
5362+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5363+ else
5364+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5365+
5366+ err = get_user(save, (unsigned int *)addr);
5367+ err |= get_user(call, (unsigned int *)(addr+4));
5368+ err |= get_user(nop, (unsigned int *)(addr+8));
5369+ if (err)
5370+ break;
5371+
5372+#ifdef CONFIG_PAX_DLRESOLVE
5373+ if (save == 0x9DE3BFA8U &&
5374+ (call & 0xC0000000U) == 0x40000000U &&
5375+ nop == 0x01000000U)
5376+ {
5377+ struct vm_area_struct *vma;
5378+ unsigned long call_dl_resolve;
5379+
5380+ down_read(&current->mm->mmap_sem);
5381+ call_dl_resolve = current->mm->call_dl_resolve;
5382+ up_read(&current->mm->mmap_sem);
5383+ if (likely(call_dl_resolve))
5384+ goto emulate;
5385+
5386+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5387+
5388+ down_write(&current->mm->mmap_sem);
5389+ if (current->mm->call_dl_resolve) {
5390+ call_dl_resolve = current->mm->call_dl_resolve;
5391+ up_write(&current->mm->mmap_sem);
5392+ if (vma)
5393+ kmem_cache_free(vm_area_cachep, vma);
5394+ goto emulate;
5395+ }
5396+
5397+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5398+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5399+ up_write(&current->mm->mmap_sem);
5400+ if (vma)
5401+ kmem_cache_free(vm_area_cachep, vma);
5402+ return 1;
5403+ }
5404+
5405+ if (pax_insert_vma(vma, call_dl_resolve)) {
5406+ up_write(&current->mm->mmap_sem);
5407+ kmem_cache_free(vm_area_cachep, vma);
5408+ return 1;
5409+ }
5410+
5411+ current->mm->call_dl_resolve = call_dl_resolve;
5412+ up_write(&current->mm->mmap_sem);
5413+
5414+emulate:
5415+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5416+ regs->pc = call_dl_resolve;
5417+ regs->npc = addr+4;
5418+ return 3;
5419+ }
5420+#endif
5421+
5422+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5423+ if ((save & 0xFFC00000U) == 0x05000000U &&
5424+ (call & 0xFFFFE000U) == 0x85C0A000U &&
5425+ nop == 0x01000000U)
5426+ {
5427+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5428+ regs->u_regs[UREG_G2] = addr + 4;
5429+ addr = (save & 0x003FFFFFU) << 10;
5430+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5431+ regs->pc = addr;
5432+ regs->npc = addr+4;
5433+ return 3;
5434+ }
5435+ }
5436+ } while (0);
5437+
5438+ do { /* PaX: unpatched PLT emulation step 2 */
5439+ unsigned int save, call, nop;
5440+
5441+ err = get_user(save, (unsigned int *)(regs->pc-4));
5442+ err |= get_user(call, (unsigned int *)regs->pc);
5443+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
5444+ if (err)
5445+ break;
5446+
5447+ if (save == 0x9DE3BFA8U &&
5448+ (call & 0xC0000000U) == 0x40000000U &&
5449+ nop == 0x01000000U)
5450+ {
5451+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5452+
5453+ regs->u_regs[UREG_RETPC] = regs->pc;
5454+ regs->pc = dl_resolve;
5455+ regs->npc = dl_resolve+4;
5456+ return 3;
5457+ }
5458+ } while (0);
5459+#endif
5460+
5461+ return 1;
5462+}
5463+
5464+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5465+{
5466+ unsigned long i;
5467+
5468+ printk(KERN_ERR "PAX: bytes at PC: ");
5469+ for (i = 0; i < 8; i++) {
5470+ unsigned int c;
5471+ if (get_user(c, (unsigned int *)pc+i))
5472+ printk(KERN_CONT "???????? ");
5473+ else
5474+ printk(KERN_CONT "%08x ", c);
5475+ }
5476+ printk("\n");
5477+}
5478+#endif
5479+
5480 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5481 unsigned long address)
5482 {
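Review bot: In pax_handle_fetch_fault, the "unpatched PLT emulation step 2" block is built whenever CONFIG_PAX_EMUPLT is set, while the fault_64.c copy of the same block later in this patch is wrapped in `#ifdef CONFIG_PAX_DLRESOLVE`. Step 2 appears to be the continuation of the CONFIG_PAX_DLRESOLVE branch of step 1 (the one that sets `regs->npc = addr+4`), so without that option it only widens the set of instruction patterns for which the handler redirects `regs->pc` instead of returning 1. Unless the difference is intentional, I would wrap the 32-bit block in `#ifdef CONFIG_PAX_DLRESOLVE` / `#endif` as well, or add a comment explaining why sparc32 needs it unconditionally. The hunk ends inside do_sparc_fault, whose body continues outside it.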
5483@@ -231,6 +495,24 @@ good_area:
5484 if(!(vma->vm_flags & VM_WRITE))
5485 goto bad_area;
5486 } else {
5487+
5488+#ifdef CONFIG_PAX_PAGEEXEC
5489+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5490+ up_read(&mm->mmap_sem);
5491+ switch (pax_handle_fetch_fault(regs)) {
5492+
5493+#ifdef CONFIG_PAX_EMUPLT
5494+ case 2:
5495+ case 3:
5496+ return;
5497+#endif
5498+
5499+ }
5500+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5501+ do_group_exit(SIGKILL);
5502+ }
5503+#endif
5504+
5505 /* Allow reads even for write-only mappings */
5506 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5507 goto bad_area;
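Review bot: The `switch (pax_handle_fetch_fault(regs))` added here has no `case 1` or `default` label, and with CONFIG_PAX_EMUPLT off its body is empty, so the kill path is reached only by falling out of the switch. Nothing marks that `do_group_exit(SIGKILL)` does not return, yet the code below would run with `mmap_sem` already released if it did. A `default: break;` plus a comment after the call, e.g. `/* not reached; mmap_sem was dropped above */`, would make both points explicit, and named constants for the 1/2/3 return codes would help as well. do_sparc_fault starts and ends outside the hunk.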
5508diff -urNp linux-2.6.32.48/arch/sparc/mm/fault_64.c linux-2.6.32.48/arch/sparc/mm/fault_64.c
5509--- linux-2.6.32.48/arch/sparc/mm/fault_64.c 2011-11-08 19:02:43.000000000 -0500
5510+++ linux-2.6.32.48/arch/sparc/mm/fault_64.c 2011-11-18 18:01:52.000000000 -0500
5511@@ -20,6 +20,9 @@
5512 #include <linux/kprobes.h>
5513 #include <linux/kdebug.h>
5514 #include <linux/percpu.h>
5515+#include <linux/slab.h>
5516+#include <linux/pagemap.h>
5517+#include <linux/compiler.h>
5518
5519 #include <asm/page.h>
5520 #include <asm/pgtable.h>
5521@@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5522 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5523 regs->tpc);
5524 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5525- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5526+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5527 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5528 dump_stack();
5529 unhandled_fault(regs->tpc, current, regs);
5530@@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5531 show_regs(regs);
5532 }
5533
5534+#ifdef CONFIG_PAX_PAGEEXEC
5535+#ifdef CONFIG_PAX_DLRESOLVE
5536+static void pax_emuplt_close(struct vm_area_struct *vma)
5537+{
5538+ vma->vm_mm->call_dl_resolve = 0UL;
5539+}
5540+
5541+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5542+{
5543+ unsigned int *kaddr;
5544+
5545+ vmf->page = alloc_page(GFP_HIGHUSER);
5546+ if (!vmf->page)
5547+ return VM_FAULT_OOM;
5548+
5549+ kaddr = kmap(vmf->page);
5550+ memset(kaddr, 0, PAGE_SIZE);
5551+ kaddr[0] = 0x9DE3BFA8U; /* save */
5552+ flush_dcache_page(vmf->page);
5553+ kunmap(vmf->page);
5554+ return VM_FAULT_MAJOR;
5555+}
5556+
5557+static const struct vm_operations_struct pax_vm_ops = {
5558+ .close = pax_emuplt_close,
5559+ .fault = pax_emuplt_fault
5560+};
5561+
5562+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5563+{
5564+ int ret;
5565+
5566+ vma->vm_mm = current->mm;
5567+ vma->vm_start = addr;
5568+ vma->vm_end = addr + PAGE_SIZE;
5569+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5570+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5571+ vma->vm_ops = &pax_vm_ops;
5572+
5573+ ret = insert_vm_struct(current->mm, vma);
5574+ if (ret)
5575+ return ret;
5576+
5577+ ++current->mm->total_vm;
5578+ return 0;
5579+}
5580+#endif
5581+
5582+/*
5583+ * PaX: decide what to do with offenders (regs->tpc = fault address)
5584+ *
5585+ * returns 1 when task should be killed
5586+ * 2 when patched PLT trampoline was detected
5587+ * 3 when unpatched PLT trampoline was detected
5588+ */
5589+static int pax_handle_fetch_fault(struct pt_regs *regs)
5590+{
5591+
5592+#ifdef CONFIG_PAX_EMUPLT
5593+ int err;
5594+
5595+ do { /* PaX: patched PLT emulation #1 */
5596+ unsigned int sethi1, sethi2, jmpl;
5597+
5598+ err = get_user(sethi1, (unsigned int *)regs->tpc);
5599+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5600+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5601+
5602+ if (err)
5603+ break;
5604+
5605+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5606+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
5607+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
5608+ {
5609+ unsigned long addr;
5610+
5611+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5612+ addr = regs->u_regs[UREG_G1];
5613+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5614+
5615+ if (test_thread_flag(TIF_32BIT))
5616+ addr &= 0xFFFFFFFFUL;
5617+
5618+ regs->tpc = addr;
5619+ regs->tnpc = addr+4;
5620+ return 2;
5621+ }
5622+ } while (0);
5623+
5624+ { /* PaX: patched PLT emulation #2 */
5625+ unsigned int ba;
5626+
5627+ err = get_user(ba, (unsigned int *)regs->tpc);
5628+
5629+ if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5630+ unsigned long addr;
5631+
5632+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5633+
5634+ if (test_thread_flag(TIF_32BIT))
5635+ addr &= 0xFFFFFFFFUL;
5636+
5637+ regs->tpc = addr;
5638+ regs->tnpc = addr+4;
5639+ return 2;
5640+ }
5641+ }
5642+
5643+ do { /* PaX: patched PLT emulation #3 */
5644+ unsigned int sethi, jmpl, nop;
5645+
5646+ err = get_user(sethi, (unsigned int *)regs->tpc);
5647+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5648+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5649+
5650+ if (err)
5651+ break;
5652+
5653+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5654+ (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5655+ nop == 0x01000000U)
5656+ {
5657+ unsigned long addr;
5658+
5659+ addr = (sethi & 0x003FFFFFU) << 10;
5660+ regs->u_regs[UREG_G1] = addr;
5661+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5662+
5663+ if (test_thread_flag(TIF_32BIT))
5664+ addr &= 0xFFFFFFFFUL;
5665+
5666+ regs->tpc = addr;
5667+ regs->tnpc = addr+4;
5668+ return 2;
5669+ }
5670+ } while (0);
5671+
5672+ do { /* PaX: patched PLT emulation #4 */
5673+ unsigned int sethi, mov1, call, mov2;
5674+
5675+ err = get_user(sethi, (unsigned int *)regs->tpc);
5676+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5677+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
5678+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5679+
5680+ if (err)
5681+ break;
5682+
5683+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5684+ mov1 == 0x8210000FU &&
5685+ (call & 0xC0000000U) == 0x40000000U &&
5686+ mov2 == 0x9E100001U)
5687+ {
5688+ unsigned long addr;
5689+
5690+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5691+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5692+
5693+ if (test_thread_flag(TIF_32BIT))
5694+ addr &= 0xFFFFFFFFUL;
5695+
5696+ regs->tpc = addr;
5697+ regs->tnpc = addr+4;
5698+ return 2;
5699+ }
5700+ } while (0);
5701+
5702+ do { /* PaX: patched PLT emulation #5 */
5703+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5704+
5705+ err = get_user(sethi, (unsigned int *)regs->tpc);
5706+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5707+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5708+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5709+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5710+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5711+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5712+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5713+
5714+ if (err)
5715+ break;
5716+
5717+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5718+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
5719+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5720+ (or1 & 0xFFFFE000U) == 0x82106000U &&
5721+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
5722+ sllx == 0x83287020U &&
5723+ jmpl == 0x81C04005U &&
5724+ nop == 0x01000000U)
5725+ {
5726+ unsigned long addr;
5727+
5728+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5729+ regs->u_regs[UREG_G1] <<= 32;
5730+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5731+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5732+ regs->tpc = addr;
5733+ regs->tnpc = addr+4;
5734+ return 2;
5735+ }
5736+ } while (0);
5737+
5738+ do { /* PaX: patched PLT emulation #6 */
5739+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5740+
5741+ err = get_user(sethi, (unsigned int *)regs->tpc);
5742+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5743+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5744+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5745+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
5746+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5747+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5748+
5749+ if (err)
5750+ break;
5751+
5752+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5753+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
5754+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5755+ sllx == 0x83287020U &&
5756+ (or & 0xFFFFE000U) == 0x8A116000U &&
5757+ jmpl == 0x81C04005U &&
5758+ nop == 0x01000000U)
5759+ {
5760+ unsigned long addr;
5761+
5762+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5763+ regs->u_regs[UREG_G1] <<= 32;
5764+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5765+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5766+ regs->tpc = addr;
5767+ regs->tnpc = addr+4;
5768+ return 2;
5769+ }
5770+ } while (0);
5771+
5772+ do { /* PaX: unpatched PLT emulation step 1 */
5773+ unsigned int sethi, ba, nop;
5774+
5775+ err = get_user(sethi, (unsigned int *)regs->tpc);
5776+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5777+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5778+
5779+ if (err)
5780+ break;
5781+
5782+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5783+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5784+ nop == 0x01000000U)
5785+ {
5786+ unsigned long addr;
5787+ unsigned int save, call;
5788+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5789+
5790+ if ((ba & 0xFFC00000U) == 0x30800000U)
5791+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5792+ else
5793+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5794+
5795+ if (test_thread_flag(TIF_32BIT))
5796+ addr &= 0xFFFFFFFFUL;
5797+
5798+ err = get_user(save, (unsigned int *)addr);
5799+ err |= get_user(call, (unsigned int *)(addr+4));
5800+ err |= get_user(nop, (unsigned int *)(addr+8));
5801+ if (err)
5802+ break;
5803+
5804+#ifdef CONFIG_PAX_DLRESOLVE
5805+ if (save == 0x9DE3BFA8U &&
5806+ (call & 0xC0000000U) == 0x40000000U &&
5807+ nop == 0x01000000U)
5808+ {
5809+ struct vm_area_struct *vma;
5810+ unsigned long call_dl_resolve;
5811+
5812+ down_read(&current->mm->mmap_sem);
5813+ call_dl_resolve = current->mm->call_dl_resolve;
5814+ up_read(&current->mm->mmap_sem);
5815+ if (likely(call_dl_resolve))
5816+ goto emulate;
5817+
5818+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5819+
5820+ down_write(&current->mm->mmap_sem);
5821+ if (current->mm->call_dl_resolve) {
5822+ call_dl_resolve = current->mm->call_dl_resolve;
5823+ up_write(&current->mm->mmap_sem);
5824+ if (vma)
5825+ kmem_cache_free(vm_area_cachep, vma);
5826+ goto emulate;
5827+ }
5828+
5829+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5830+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5831+ up_write(&current->mm->mmap_sem);
5832+ if (vma)
5833+ kmem_cache_free(vm_area_cachep, vma);
5834+ return 1;
5835+ }
5836+
5837+ if (pax_insert_vma(vma, call_dl_resolve)) {
5838+ up_write(&current->mm->mmap_sem);
5839+ kmem_cache_free(vm_area_cachep, vma);
5840+ return 1;
5841+ }
5842+
5843+ current->mm->call_dl_resolve = call_dl_resolve;
5844+ up_write(&current->mm->mmap_sem);
5845+
5846+emulate:
5847+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5848+ regs->tpc = call_dl_resolve;
5849+ regs->tnpc = addr+4;
5850+ return 3;
5851+ }
5852+#endif
5853+
5854+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5855+ if ((save & 0xFFC00000U) == 0x05000000U &&
5856+ (call & 0xFFFFE000U) == 0x85C0A000U &&
5857+ nop == 0x01000000U)
5858+ {
5859+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5860+ regs->u_regs[UREG_G2] = addr + 4;
5861+ addr = (save & 0x003FFFFFU) << 10;
5862+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5863+
5864+ if (test_thread_flag(TIF_32BIT))
5865+ addr &= 0xFFFFFFFFUL;
5866+
5867+ regs->tpc = addr;
5868+ regs->tnpc = addr+4;
5869+ return 3;
5870+ }
5871+
5872+ /* PaX: 64-bit PLT stub */
5873+ err = get_user(sethi1, (unsigned int *)addr);
5874+ err |= get_user(sethi2, (unsigned int *)(addr+4));
5875+ err |= get_user(or1, (unsigned int *)(addr+8));
5876+ err |= get_user(or2, (unsigned int *)(addr+12));
5877+ err |= get_user(sllx, (unsigned int *)(addr+16));
5878+ err |= get_user(add, (unsigned int *)(addr+20));
5879+ err |= get_user(jmpl, (unsigned int *)(addr+24));
5880+ err |= get_user(nop, (unsigned int *)(addr+28));
5881+ if (err)
5882+ break;
5883+
5884+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5885+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5886+ (or1 & 0xFFFFE000U) == 0x88112000U &&
5887+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
5888+ sllx == 0x89293020U &&
5889+ add == 0x8A010005U &&
5890+ jmpl == 0x89C14000U &&
5891+ nop == 0x01000000U)
5892+ {
5893+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5894+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5895+ regs->u_regs[UREG_G4] <<= 32;
5896+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5897+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5898+ regs->u_regs[UREG_G4] = addr + 24;
5899+ addr = regs->u_regs[UREG_G5];
5900+ regs->tpc = addr;
5901+ regs->tnpc = addr+4;
5902+ return 3;
5903+ }
5904+ }
5905+ } while (0);
5906+
5907+#ifdef CONFIG_PAX_DLRESOLVE
5908+ do { /* PaX: unpatched PLT emulation step 2 */
5909+ unsigned int save, call, nop;
5910+
5911+ err = get_user(save, (unsigned int *)(regs->tpc-4));
5912+ err |= get_user(call, (unsigned int *)regs->tpc);
5913+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5914+ if (err)
5915+ break;
5916+
5917+ if (save == 0x9DE3BFA8U &&
5918+ (call & 0xC0000000U) == 0x40000000U &&
5919+ nop == 0x01000000U)
5920+ {
5921+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5922+
5923+ if (test_thread_flag(TIF_32BIT))
5924+ dl_resolve &= 0xFFFFFFFFUL;
5925+
5926+ regs->u_regs[UREG_RETPC] = regs->tpc;
5927+ regs->tpc = dl_resolve;
5928+ regs->tnpc = dl_resolve+4;
5929+ return 3;
5930+ }
5931+ } while (0);
5932+#endif
5933+
5934+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5935+ unsigned int sethi, ba, nop;
5936+
5937+ err = get_user(sethi, (unsigned int *)regs->tpc);
5938+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5939+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5940+
5941+ if (err)
5942+ break;
5943+
5944+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
5945+ (ba & 0xFFF00000U) == 0x30600000U &&
5946+ nop == 0x01000000U)
5947+ {
5948+ unsigned long addr;
5949+
5950+ addr = (sethi & 0x003FFFFFU) << 10;
5951+ regs->u_regs[UREG_G1] = addr;
5952+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5953+
5954+ if (test_thread_flag(TIF_32BIT))
5955+ addr &= 0xFFFFFFFFUL;
5956+
5957+ regs->tpc = addr;
5958+ regs->tnpc = addr+4;
5959+ return 2;
5960+ }
5961+ } while (0);
5962+
5963+#endif
5964+
5965+ return 1;
5966+}
5967+
5968+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5969+{
5970+ unsigned long i;
5971+
5972+ printk(KERN_ERR "PAX: bytes at PC: ");
5973+ for (i = 0; i < 8; i++) {
5974+ unsigned int c;
5975+ if (get_user(c, (unsigned int *)pc+i))
5976+ printk(KERN_CONT "???????? ");
5977+ else
5978+ printk(KERN_CONT "%08x ", c);
5979+ }
5980+ printk("\n");
5981+}
5982+#endif
5983+
5984 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5985 {
5986 struct mm_struct *mm = current->mm;
5987@@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5988 if (!vma)
5989 goto bad_area;
5990
5991+#ifdef CONFIG_PAX_PAGEEXEC
5992+ /* PaX: detect ITLB misses on non-exec pages */
5993+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5994+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5995+ {
5996+ if (address != regs->tpc)
5997+ goto good_area;
5998+
5999+ up_read(&mm->mmap_sem);
6000+ switch (pax_handle_fetch_fault(regs)) {
6001+
6002+#ifdef CONFIG_PAX_EMUPLT
6003+ case 2:
6004+ case 3:
6005+ return;
6006+#endif
6007+
6008+ }
6009+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
6010+ do_group_exit(SIGKILL);
6011+ }
6012+#endif
6013+
6014 /* Pure DTLB misses do not tell us whether the fault causing
6015 * load/store/atomic was a write or not, it only says that there
6016 * was no match. So in such a case we (carefully) read the
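Review bot: The `switch (pax_handle_fetch_fault(regs))` in the added PAGEEXEC block matches the bare integers `2` and `3` and has no `default`, so a reader has to infer what each return value means and that every other value falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)`. A comment above the switch, such as `/* 2, 3: PLT stub emulated, resume user space; any other value is an execution attempt on a non-exec page */`, would make the kill path explicit. `mmap_sem` is dropped by `up_read()` before the switch, so nothing after it may touch `vma`; the visible lines respect that, and a short remark would keep later edits from breaking it. The body of do_sparc64_fault continues outside the hunk.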
6017diff -urNp linux-2.6.32.48/arch/sparc/mm/hugetlbpage.c linux-2.6.32.48/arch/sparc/mm/hugetlbpage.c
6018--- linux-2.6.32.48/arch/sparc/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
6019+++ linux-2.6.32.48/arch/sparc/mm/hugetlbpage.c 2011-11-15 19:59:42.000000000 -0500
6020@@ -69,7 +69,7 @@ full_search:
6021 }
6022 return -ENOMEM;
6023 }
6024- if (likely(!vma || addr + len <= vma->vm_start)) {
6025+ if (likely(check_heap_stack_gap(vma, addr, len))) {
6026 /*
6027 * Remember the place where we stopped the search:
6028 */
6029@@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
6030 /* make sure it can fit in the remaining address space */
6031 if (likely(addr > len)) {
6032 vma = find_vma(mm, addr-len);
6033- if (!vma || addr <= vma->vm_start) {
6034+ if (check_heap_stack_gap(vma, addr - len, len)) {
6035 /* remember the address as a hint for next time */
6036 return (mm->free_area_cache = addr-len);
6037 }
6038@@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
6039 if (unlikely(mm->mmap_base < len))
6040 goto bottomup;
6041
6042- addr = (mm->mmap_base-len) & HPAGE_MASK;
6043+ addr = mm->mmap_base - len;
6044
6045 do {
6046+ addr &= HPAGE_MASK;
6047 /*
6048 * Lookup failure means no vma is above this address,
6049 * else if new region fits below vma->vm_start,
6050 * return with success:
6051 */
6052 vma = find_vma(mm, addr);
6053- if (likely(!vma || addr+len <= vma->vm_start)) {
6054+ if (likely(check_heap_stack_gap(vma, addr, len))) {
6055 /* remember the address as a hint for next time */
6056 return (mm->free_area_cache = addr);
6057 }
6058@@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
6059 mm->cached_hole_size = vma->vm_start - addr;
6060
6061 /* try just below the current vma->vm_start */
6062- addr = (vma->vm_start-len) & HPAGE_MASK;
6063- } while (likely(len < vma->vm_start));
6064+ addr = skip_heap_stack_gap(vma, len);
6065+ } while (!IS_ERR_VALUE(addr));
6066
6067 bottomup:
6068 /*
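Review bot: The top-down search loop now ends on `!IS_ERR_VALUE(addr)`, which only works if `skip_heap_stack_gap()` returns an error-encoded value when nothing fits below `vma`; that helper is not defined in this hunk, so the termination argument cannot be checked here. The old condition `len < vma->vm_start` stated the underflow guard directly. A one-line comment on the `while`, e.g. `/* skip_heap_stack_gap() yields an error value when no gap fits below vma */`, would keep that readable, assuming this is the helper's contract. The function starts and ends outside the hunk.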
6069@@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
6070 if (addr) {
6071 addr = ALIGN(addr, HPAGE_SIZE);
6072 vma = find_vma(mm, addr);
6073- if (task_size - len >= addr &&
6074- (!vma || addr + len <= vma->vm_start))
6075+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
6076 return addr;
6077 }
6078 if (mm->get_unmapped_area == arch_get_unmapped_area)
6079diff -urNp linux-2.6.32.48/arch/sparc/mm/init_32.c linux-2.6.32.48/arch/sparc/mm/init_32.c
6080--- linux-2.6.32.48/arch/sparc/mm/init_32.c 2011-11-08 19:02:43.000000000 -0500
6081+++ linux-2.6.32.48/arch/sparc/mm/init_32.c 2011-11-15 19:59:42.000000000 -0500
6082@@ -317,6 +317,9 @@ extern void device_scan(void);
6083 pgprot_t PAGE_SHARED __read_mostly;
6084 EXPORT_SYMBOL(PAGE_SHARED);
6085
6086+pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
6087+EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
6088+
6089 void __init paging_init(void)
6090 {
6091 switch(sparc_cpu_model) {
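Review bot: The added `pgprot_t PAGE_SHARED_NOEXEC __read_mostly;` and its `EXPORT_SYMBOL` are unconditional, but the srmmu.c hunk of this patch assigns the variable only under `#ifdef CONFIG_PAX_PAGEEXEC`. With the option off, nothing visible initialises it, and the next hunk still stores `PAGE_SHARED_NOEXEC` into `protection_map[10]` and `[11]`. Unless a header outside this view aliases the `_NOEXEC` names to the plain ones, those entries would then be zero. Wrapping the two added lines in `#ifdef CONFIG_PAX_PAGEEXEC` / `#endif` keeps the definition and the initialisation in step.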
6092@@ -345,17 +348,17 @@ void __init paging_init(void)
6093
6094 /* Initialize the protection map with non-constant, MMU dependent values. */
6095 protection_map[0] = PAGE_NONE;
6096- protection_map[1] = PAGE_READONLY;
6097- protection_map[2] = PAGE_COPY;
6098- protection_map[3] = PAGE_COPY;
6099+ protection_map[1] = PAGE_READONLY_NOEXEC;
6100+ protection_map[2] = PAGE_COPY_NOEXEC;
6101+ protection_map[3] = PAGE_COPY_NOEXEC;
6102 protection_map[4] = PAGE_READONLY;
6103 protection_map[5] = PAGE_READONLY;
6104 protection_map[6] = PAGE_COPY;
6105 protection_map[7] = PAGE_COPY;
6106 protection_map[8] = PAGE_NONE;
6107- protection_map[9] = PAGE_READONLY;
6108- protection_map[10] = PAGE_SHARED;
6109- protection_map[11] = PAGE_SHARED;
6110+ protection_map[9] = PAGE_READONLY_NOEXEC;
6111+ protection_map[10] = PAGE_SHARED_NOEXEC;
6112+ protection_map[11] = PAGE_SHARED_NOEXEC;
6113 protection_map[12] = PAGE_READONLY;
6114 protection_map[13] = PAGE_READONLY;
6115 protection_map[14] = PAGE_SHARED;
6116diff -urNp linux-2.6.32.48/arch/sparc/mm/Makefile linux-2.6.32.48/arch/sparc/mm/Makefile
6117--- linux-2.6.32.48/arch/sparc/mm/Makefile 2011-11-08 19:02:43.000000000 -0500
6118+++ linux-2.6.32.48/arch/sparc/mm/Makefile 2011-11-15 19:59:42.000000000 -0500
6119@@ -2,7 +2,7 @@
6120 #
6121
6122 asflags-y := -ansi
6123-ccflags-y := -Werror
6124+#ccflags-y := -Werror
6125
6126 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
6127 obj-y += fault_$(BITS).o
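Review bot: `-Werror` is switched off by commenting the line out, with nothing recording which warning made that necessary. This directory builds `fault_$(BITS).o`, the file this patch extends with the PaX fetch-fault handling, so new warnings in that code will no longer stop the build. Either delete the line or leave the reason next to it, e.g. `# PaX: -Werror disabled because of <warning that breaks the build>`.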
6128diff -urNp linux-2.6.32.48/arch/sparc/mm/srmmu.c linux-2.6.32.48/arch/sparc/mm/srmmu.c
6129--- linux-2.6.32.48/arch/sparc/mm/srmmu.c 2011-11-08 19:02:43.000000000 -0500
6130+++ linux-2.6.32.48/arch/sparc/mm/srmmu.c 2011-11-15 19:59:42.000000000 -0500
6131@@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
6132 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
6133 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
6134 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
6135+
6136+#ifdef CONFIG_PAX_PAGEEXEC
6137+ PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
6138+ BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
6139+ BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
6140+#endif
6141+
6142 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
6143 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
6144
6145diff -urNp linux-2.6.32.48/arch/um/include/asm/kmap_types.h linux-2.6.32.48/arch/um/include/asm/kmap_types.h
6146--- linux-2.6.32.48/arch/um/include/asm/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
6147+++ linux-2.6.32.48/arch/um/include/asm/kmap_types.h 2011-11-15 19:59:42.000000000 -0500
6148@@ -23,6 +23,7 @@ enum km_type {
6149 KM_IRQ1,
6150 KM_SOFTIRQ0,
6151 KM_SOFTIRQ1,
6152+ KM_CLEARPAGE,
6153 KM_TYPE_NR
6154 };
6155
6156diff -urNp linux-2.6.32.48/arch/um/include/asm/page.h linux-2.6.32.48/arch/um/include/asm/page.h
6157--- linux-2.6.32.48/arch/um/include/asm/page.h 2011-11-08 19:02:43.000000000 -0500
6158+++ linux-2.6.32.48/arch/um/include/asm/page.h 2011-11-15 19:59:42.000000000 -0500
6159@@ -14,6 +14,9 @@
6160 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
6161 #define PAGE_MASK (~(PAGE_SIZE-1))
6162
6163+#define ktla_ktva(addr) (addr)
6164+#define ktva_ktla(addr) (addr)
6165+
6166 #ifndef __ASSEMBLY__
6167
6168 struct page;
6169diff -urNp linux-2.6.32.48/arch/um/kernel/process.c linux-2.6.32.48/arch/um/kernel/process.c
6170--- linux-2.6.32.48/arch/um/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
6171+++ linux-2.6.32.48/arch/um/kernel/process.c 2011-11-15 19:59:42.000000000 -0500
6172@@ -393,22 +393,6 @@ int singlestepping(void * t)
6173 return 2;
6174 }
6175
6176-/*
6177- * Only x86 and x86_64 have an arch_align_stack().
6178- * All other arches have "#define arch_align_stack(x) (x)"
6179- * in their asm/system.h
6180- * As this is included in UML from asm-um/system-generic.h,
6181- * we can use it to behave as the subarch does.
6182- */
6183-#ifndef arch_align_stack
6184-unsigned long arch_align_stack(unsigned long sp)
6185-{
6186- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6187- sp -= get_random_int() % 8192;
6188- return sp & ~0xf;
6189-}
6190-#endif
6191-
6192 unsigned long get_wchan(struct task_struct *p)
6193 {
6194 unsigned long stack_page, sp, ip;
6195diff -urNp linux-2.6.32.48/arch/um/Makefile linux-2.6.32.48/arch/um/Makefile
6196--- linux-2.6.32.48/arch/um/Makefile 2011-11-08 19:02:43.000000000 -0500
6197+++ linux-2.6.32.48/arch/um/Makefile 2011-11-18 18:01:52.000000000 -0500
6198@@ -49,6 +49,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINE
6199 $(patsubst -I%,,$(KBUILD_CFLAGS)))) $(ARCH_INCLUDE) $(MODE_INCLUDE) \
6200 $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64
6201
6202+ifdef CONSTIFY_PLUGIN
6203+USER_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6204+endif
6205+
6206 include $(srctree)/$(ARCH_DIR)/Makefile-$(SUBARCH)
6207
6208 #This will adjust *FLAGS accordingly to the platform.
6209diff -urNp linux-2.6.32.48/arch/um/sys-i386/shared/sysdep/system.h linux-2.6.32.48/arch/um/sys-i386/shared/sysdep/system.h
6210--- linux-2.6.32.48/arch/um/sys-i386/shared/sysdep/system.h 2011-11-08 19:02:43.000000000 -0500
6211+++ linux-2.6.32.48/arch/um/sys-i386/shared/sysdep/system.h 2011-11-18 18:01:52.000000000 -0500
6212@@ -17,7 +17,7 @@
6213 # define AT_VECTOR_SIZE_ARCH 1
6214 #endif
6215
6216-extern unsigned long arch_align_stack(unsigned long sp);
6217+#define arch_align_stack(x) ((x) & ~0xfUL)
6218
6219 void default_idle(void);
6220
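Review bot: The new `arch_align_stack(x)` macro only masks the low four bits, whereas the function it replaces (removed from arch/um/kernel/process.c in this patch) also subtracted `get_random_int() % 8192` when `randomize_va_space` was set and `ADDR_NO_RANDOMIZE` was clear. If UML stack randomisation is now meant to come from another part of the patch, a comment should say so, e.g. `/* alignment only; stack randomisation is handled by <location> */`. Otherwise this change removes the per-exec stack offset. The same applies to the identical hunk in arch/um/sys-x86_64/shared/sysdep/system.h.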
6221diff -urNp linux-2.6.32.48/arch/um/sys-i386/syscalls.c linux-2.6.32.48/arch/um/sys-i386/syscalls.c
6222--- linux-2.6.32.48/arch/um/sys-i386/syscalls.c 2011-11-08 19:02:43.000000000 -0500
6223+++ linux-2.6.32.48/arch/um/sys-i386/syscalls.c 2011-11-15 19:59:42.000000000 -0500
6224@@ -11,6 +11,21 @@
6225 #include "asm/uaccess.h"
6226 #include "asm/unistd.h"
6227
6228+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
6229+{
6230+ unsigned long pax_task_size = TASK_SIZE;
6231+
6232+#ifdef CONFIG_PAX_SEGMEXEC
6233+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
6234+ pax_task_size = SEGMEXEC_TASK_SIZE;
6235+#endif
6236+
6237+ if (len > pax_task_size || addr > pax_task_size - len)
6238+ return -EINVAL;
6239+
6240+ return 0;
6241+}
6242+
6243 /*
6244 * Perform the select(nd, in, out, ex, tv) and mmap() system
6245 * calls. Linux/i386 didn't use to be able to handle more than
6246diff -urNp linux-2.6.32.48/arch/um/sys-x86_64/shared/sysdep/system.h linux-2.6.32.48/arch/um/sys-x86_64/shared/sysdep/system.h
6247--- linux-2.6.32.48/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-08 19:02:43.000000000 -0500
6248+++ linux-2.6.32.48/arch/um/sys-x86_64/shared/sysdep/system.h 2011-11-18 18:01:52.000000000 -0500
6249@@ -17,7 +17,7 @@
6250 # define AT_VECTOR_SIZE_ARCH 1
6251 #endif
6252
6253-extern unsigned long arch_align_stack(unsigned long sp);
6254+#define arch_align_stack(x) ((x) & ~0xfUL)
6255
6256 void default_idle(void);
6257
6258diff -urNp linux-2.6.32.48/arch/x86/boot/bitops.h linux-2.6.32.48/arch/x86/boot/bitops.h
6259--- linux-2.6.32.48/arch/x86/boot/bitops.h 2011-11-08 19:02:43.000000000 -0500
6260+++ linux-2.6.32.48/arch/x86/boot/bitops.h 2011-11-15 19:59:42.000000000 -0500
6261@@ -26,7 +26,7 @@ static inline int variable_test_bit(int
6262 u8 v;
6263 const u32 *p = (const u32 *)addr;
6264
6265- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6266+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
6267 return v;
6268 }
6269
6270@@ -37,7 +37,7 @@ static inline int variable_test_bit(int
6271
6272 static inline void set_bit(int nr, void *addr)
6273 {
6274- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6275+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
6276 }
6277
6278 #endif /* BOOT_BITOPS_H */
6279diff -urNp linux-2.6.32.48/arch/x86/boot/boot.h linux-2.6.32.48/arch/x86/boot/boot.h
6280--- linux-2.6.32.48/arch/x86/boot/boot.h 2011-11-08 19:02:43.000000000 -0500
6281+++ linux-2.6.32.48/arch/x86/boot/boot.h 2011-11-15 19:59:42.000000000 -0500
6282@@ -82,7 +82,7 @@ static inline void io_delay(void)
6283 static inline u16 ds(void)
6284 {
6285 u16 seg;
6286- asm("movw %%ds,%0" : "=rm" (seg));
6287+ asm volatile("movw %%ds,%0" : "=rm" (seg));
6288 return seg;
6289 }
6290
6291@@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
6292 static inline int memcmp(const void *s1, const void *s2, size_t len)
6293 {
6294 u8 diff;
6295- asm("repe; cmpsb; setnz %0"
6296+ asm volatile("repe; cmpsb; setnz %0"
6297 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
6298 return diff;
6299 }
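Review bot: Adding `volatile` to the `repe; cmpsb` statement in memcmp() stops the compiler from deleting it, but still does not tell it that the asm reads the buffers behind `s1` and `s2`; only the pointers and `len` are operands. A store to either buffer just before the call can therefore still be reordered around the asm or dropped. Declaring the memory access closes that gap: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`.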
6300diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/head_32.S linux-2.6.32.48/arch/x86/boot/compressed/head_32.S
6301--- linux-2.6.32.48/arch/x86/boot/compressed/head_32.S 2011-11-08 19:02:43.000000000 -0500
6302+++ linux-2.6.32.48/arch/x86/boot/compressed/head_32.S 2011-11-15 19:59:42.000000000 -0500
6303@@ -76,7 +76,7 @@ ENTRY(startup_32)
6304 notl %eax
6305 andl %eax, %ebx
6306 #else
6307- movl $LOAD_PHYSICAL_ADDR, %ebx
6308+ movl $____LOAD_PHYSICAL_ADDR, %ebx
6309 #endif
6310
6311 /* Target address to relocate to for decompression */
6312@@ -149,7 +149,7 @@ relocated:
6313 * and where it was actually loaded.
6314 */
6315 movl %ebp, %ebx
6316- subl $LOAD_PHYSICAL_ADDR, %ebx
6317+ subl $____LOAD_PHYSICAL_ADDR, %ebx
6318 jz 2f /* Nothing to be done if loaded at compiled addr. */
6319 /*
6320 * Process relocations.
6321@@ -157,8 +157,7 @@ relocated:
6322
6323 1: subl $4, %edi
6324 movl (%edi), %ecx
6325- testl %ecx, %ecx
6326- jz 2f
6327+ jecxz 2f
6328 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6329 jmp 1b
6330 2:
6331diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/head_64.S linux-2.6.32.48/arch/x86/boot/compressed/head_64.S
6332--- linux-2.6.32.48/arch/x86/boot/compressed/head_64.S 2011-11-08 19:02:43.000000000 -0500
6333+++ linux-2.6.32.48/arch/x86/boot/compressed/head_64.S 2011-11-15 19:59:42.000000000 -0500
6334@@ -91,7 +91,7 @@ ENTRY(startup_32)
6335 notl %eax
6336 andl %eax, %ebx
6337 #else
6338- movl $LOAD_PHYSICAL_ADDR, %ebx
6339+ movl $____LOAD_PHYSICAL_ADDR, %ebx
6340 #endif
6341
6342 /* Target address to relocate to for decompression */
6343@@ -183,7 +183,7 @@ no_longmode:
6344 hlt
6345 jmp 1b
6346
6347-#include "../../kernel/verify_cpu_64.S"
6348+#include "../../kernel/verify_cpu.S"
6349
6350 /*
6351 * Be careful here startup_64 needs to be at a predictable
6352@@ -234,7 +234,7 @@ ENTRY(startup_64)
6353 notq %rax
6354 andq %rax, %rbp
6355 #else
6356- movq $LOAD_PHYSICAL_ADDR, %rbp
6357+ movq $____LOAD_PHYSICAL_ADDR, %rbp
6358 #endif
6359
6360 /* Target address to relocate to for decompression */
6361diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/Makefile linux-2.6.32.48/arch/x86/boot/compressed/Makefile
6362--- linux-2.6.32.48/arch/x86/boot/compressed/Makefile 2011-11-08 19:02:43.000000000 -0500
6363+++ linux-2.6.32.48/arch/x86/boot/compressed/Makefile 2011-11-15 19:59:42.000000000 -0500
6364@@ -13,6 +13,9 @@ cflags-$(CONFIG_X86_64) := -mcmodel=smal
6365 KBUILD_CFLAGS += $(cflags-y)
6366 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
6367 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
6368+ifdef CONSTIFY_PLUGIN
6369+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6370+endif
6371
6372 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6373 GCOV_PROFILE := n
6374diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/misc.c linux-2.6.32.48/arch/x86/boot/compressed/misc.c
6375--- linux-2.6.32.48/arch/x86/boot/compressed/misc.c 2011-11-08 19:02:43.000000000 -0500
6376+++ linux-2.6.32.48/arch/x86/boot/compressed/misc.c 2011-11-15 19:59:42.000000000 -0500
6377@@ -288,7 +288,7 @@ static void parse_elf(void *output)
6378 case PT_LOAD:
6379 #ifdef CONFIG_RELOCATABLE
6380 dest = output;
6381- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6382+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6383 #else
6384 dest = (void *)(phdr->p_paddr);
6385 #endif
6386@@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6387 error("Destination address too large");
6388 #endif
6389 #ifndef CONFIG_RELOCATABLE
6390- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6391+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6392 error("Wrong destination address");
6393 #endif
6394
6395diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.48/arch/x86/boot/compressed/mkpiggy.c
6396--- linux-2.6.32.48/arch/x86/boot/compressed/mkpiggy.c 2011-11-08 19:02:43.000000000 -0500
6397+++ linux-2.6.32.48/arch/x86/boot/compressed/mkpiggy.c 2011-11-15 19:59:42.000000000 -0500
6398@@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6399
6400 offs = (olen > ilen) ? olen - ilen : 0;
6401 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6402- offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6403+ offs += 64*1024; /* Add 64K bytes slack */
6404 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6405
6406 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
6407diff -urNp linux-2.6.32.48/arch/x86/boot/compressed/relocs.c linux-2.6.32.48/arch/x86/boot/compressed/relocs.c
6408--- linux-2.6.32.48/arch/x86/boot/compressed/relocs.c 2011-11-08 19:02:43.000000000 -0500
6409+++ linux-2.6.32.48/arch/x86/boot/compressed/relocs.c 2011-11-15 19:59:42.000000000 -0500
6410@@ -10,8 +10,11 @@
6411 #define USE_BSD
6412 #include <endian.h>
6413
6414+#include "../../../../include/linux/autoconf.h"
6415+
6416 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6417 static Elf32_Ehdr ehdr;
6418+static Elf32_Phdr *phdr;
6419 static unsigned long reloc_count, reloc_idx;
6420 static unsigned long *relocs;
6421
6422@@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6423
6424 static int is_safe_abs_reloc(const char* sym_name)
6425 {
6426- int i;
6427+ unsigned int i;
6428
6429 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6430 if (!strcmp(sym_name, safe_abs_relocs[i]))
6431@@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6432 }
6433 }
6434
6435+static void read_phdrs(FILE *fp)
6436+{
6437+ unsigned int i;
6438+
6439+ phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6440+ if (!phdr) {
6441+ die("Unable to allocate %d program headers\n",
6442+ ehdr.e_phnum);
6443+ }
6444+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6445+ die("Seek to %d failed: %s\n",
6446+ ehdr.e_phoff, strerror(errno));
6447+ }
6448+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6449+ die("Cannot read ELF program headers: %s\n",
6450+ strerror(errno));
6451+ }
6452+ for(i = 0; i < ehdr.e_phnum; i++) {
6453+ phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6454+ phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6455+ phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6456+ phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6457+ phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6458+ phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6459+ phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6460+ phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6461+ }
6462+
6463+}
6464+
6465 static void read_shdrs(FILE *fp)
6466 {
6467- int i;
6468+ unsigned int i;
6469 Elf32_Shdr shdr;
6470
6471 secs = calloc(ehdr.e_shnum, sizeof(struct section));
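Review bot: read_phdrs() treats a NULL return from `calloc(ehdr.e_phnum, ...)` as an allocation failure even when `e_phnum` is 0, a case where calloc may legitimately return NULL. The short-read branch also prints `strerror(errno)`, although `fread` need not set errno for a truncated file. Using `if (!phdr && ehdr.e_phnum)` for the first check, and a message that names the short read rather than errno, would make both diagnostics accurate. The seek message passes the unsigned `e_phoff` to `%d`; `%u` matches the type.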
6472@@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6473
6474 static void read_strtabs(FILE *fp)
6475 {
6476- int i;
6477+ unsigned int i;
6478 for (i = 0; i < ehdr.e_shnum; i++) {
6479 struct section *sec = &secs[i];
6480 if (sec->shdr.sh_type != SHT_STRTAB) {
6481@@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6482
6483 static void read_symtabs(FILE *fp)
6484 {
6485- int i,j;
6486+ unsigned int i,j;
6487 for (i = 0; i < ehdr.e_shnum; i++) {
6488 struct section *sec = &secs[i];
6489 if (sec->shdr.sh_type != SHT_SYMTAB) {
6490@@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6491
6492 static void read_relocs(FILE *fp)
6493 {
6494- int i,j;
6495+ unsigned int i,j;
6496+ uint32_t base;
6497+
6498 for (i = 0; i < ehdr.e_shnum; i++) {
6499 struct section *sec = &secs[i];
6500 if (sec->shdr.sh_type != SHT_REL) {
6501@@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6502 die("Cannot read symbol table: %s\n",
6503 strerror(errno));
6504 }
6505+ base = 0;
6506+ for (j = 0; j < ehdr.e_phnum; j++) {
6507+ if (phdr[j].p_type != PT_LOAD )
6508+ continue;
6509+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6510+ continue;
6511+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6512+ break;
6513+ }
6514 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6515 Elf32_Rel *rel = &sec->reltab[j];
6516- rel->r_offset = elf32_to_cpu(rel->r_offset);
6517+ rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6518 rel->r_info = elf32_to_cpu(rel->r_info);
6519 }
6520 }
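Review bot: In the added segment lookup, `phdr[j].p_offset + phdr[j].p_filesz` is a 32-bit sum that can wrap for a malformed program header, and `secs[sec->shdr.sh_info].shdr.sh_offset` is written out twice on one very long line. Hoisting it as `uint32_t off = secs[sec->shdr.sh_info].shdr.sh_offset;` and testing `off - phdr[j].p_offset >= phdr[j].p_filesz` after the `off < phdr[j].p_offset` check avoids the wrap and shortens the line. When no PT_LOAD segment covers the section, `base` silently stays 0; a comment such as `/* base stays 0 for sections outside any PT_LOAD segment */` would show that this is intended. read_relocs starts outside this hunk.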
6521@@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6522
6523 static void print_absolute_symbols(void)
6524 {
6525- int i;
6526+ unsigned int i;
6527 printf("Absolute symbols\n");
6528 printf(" Num: Value Size Type Bind Visibility Name\n");
6529 for (i = 0; i < ehdr.e_shnum; i++) {
6530 struct section *sec = &secs[i];
6531 char *sym_strtab;
6532 Elf32_Sym *sh_symtab;
6533- int j;
6534+ unsigned int j;
6535
6536 if (sec->shdr.sh_type != SHT_SYMTAB) {
6537 continue;
6538@@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6539
6540 static void print_absolute_relocs(void)
6541 {
6542- int i, printed = 0;
6543+ unsigned int i, printed = 0;
6544
6545 for (i = 0; i < ehdr.e_shnum; i++) {
6546 struct section *sec = &secs[i];
6547 struct section *sec_applies, *sec_symtab;
6548 char *sym_strtab;
6549 Elf32_Sym *sh_symtab;
6550- int j;
6551+ unsigned int j;
6552 if (sec->shdr.sh_type != SHT_REL) {
6553 continue;
6554 }
6555@@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6556
6557 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6558 {
6559- int i;
6560+ unsigned int i;
6561 /* Walk through the relocations */
6562 for (i = 0; i < ehdr.e_shnum; i++) {
6563 char *sym_strtab;
6564 Elf32_Sym *sh_symtab;
6565 struct section *sec_applies, *sec_symtab;
6566- int j;
6567+ unsigned int j;
6568 struct section *sec = &secs[i];
6569
6570 if (sec->shdr.sh_type != SHT_REL) {
6571@@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6572 if (sym->st_shndx == SHN_ABS) {
6573 continue;
6574 }
6575+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6576+ if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6577+ continue;
6578+
6579+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6580+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6581+ if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6582+ continue;
6583+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6584+ continue;
6585+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6586+ continue;
6587+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6588+ continue;
6589+#endif
6590 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6591 /*
6592 * NONE can be ignored and and PC relative
6593@@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6594
6595 static void emit_relocs(int as_text)
6596 {
6597- int i;
6598+ unsigned int i;
6599 /* Count how many relocations I have and allocate space for them. */
6600 reloc_count = 0;
6601 walk_relocs(count_reloc);
6602@@ -634,6 +693,7 @@ int main(int argc, char **argv)
6603 fname, strerror(errno));
6604 }
6605 read_ehdr(fp);
6606+ read_phdrs(fp);
6607 read_shdrs(fp);
6608 read_strtabs(fp);
6609 read_symtabs(fp);
6610diff -urNp linux-2.6.32.48/arch/x86/boot/cpucheck.c linux-2.6.32.48/arch/x86/boot/cpucheck.c
6611--- linux-2.6.32.48/arch/x86/boot/cpucheck.c 2011-11-08 19:02:43.000000000 -0500
6612+++ linux-2.6.32.48/arch/x86/boot/cpucheck.c 2011-11-15 19:59:42.000000000 -0500
6613@@ -74,7 +74,7 @@ static int has_fpu(void)
6614 u16 fcw = -1, fsw = -1;
6615 u32 cr0;
6616
6617- asm("movl %%cr0,%0" : "=r" (cr0));
6618+ asm volatile("movl %%cr0,%0" : "=r" (cr0));
6619 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6620 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6621 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6622@@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6623 {
6624 u32 f0, f1;
6625
6626- asm("pushfl ; "
6627+ asm volatile("pushfl ; "
6628 "pushfl ; "
6629 "popl %0 ; "
6630 "movl %0,%1 ; "
6631@@ -115,7 +115,7 @@ static void get_flags(void)
6632 set_bit(X86_FEATURE_FPU, cpu.flags);
6633
6634 if (has_eflag(X86_EFLAGS_ID)) {
6635- asm("cpuid"
6636+ asm volatile("cpuid"
6637 : "=a" (max_intel_level),
6638 "=b" (cpu_vendor[0]),
6639 "=d" (cpu_vendor[1]),
6640@@ -124,7 +124,7 @@ static void get_flags(void)
6641
6642 if (max_intel_level >= 0x00000001 &&
6643 max_intel_level <= 0x0000ffff) {
6644- asm("cpuid"
6645+ asm volatile("cpuid"
6646 : "=a" (tfms),
6647 "=c" (cpu.flags[4]),
6648 "=d" (cpu.flags[0])
6649@@ -136,7 +136,7 @@ static void get_flags(void)
6650 cpu.model += ((tfms >> 16) & 0xf) << 4;
6651 }
6652
6653- asm("cpuid"
6654+ asm volatile("cpuid"
6655 : "=a" (max_amd_level)
6656 : "a" (0x80000000)
6657 : "ebx", "ecx", "edx");
6658@@ -144,7 +144,7 @@ static void get_flags(void)
6659 if (max_amd_level >= 0x80000001 &&
6660 max_amd_level <= 0x8000ffff) {
6661 u32 eax = 0x80000001;
6662- asm("cpuid"
6663+ asm volatile("cpuid"
6664 : "+a" (eax),
6665 "=c" (cpu.flags[6]),
6666 "=d" (cpu.flags[1])
6667@@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6668 u32 ecx = MSR_K7_HWCR;
6669 u32 eax, edx;
6670
6671- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6672+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6673 eax &= ~(1 << 15);
6674- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6675+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6676
6677 get_flags(); /* Make sure it really did something */
6678 err = check_flags();
6679@@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6680 u32 ecx = MSR_VIA_FCR;
6681 u32 eax, edx;
6682
6683- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6684+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6685 eax |= (1<<1)|(1<<7);
6686- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6687+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6688
6689 set_bit(X86_FEATURE_CX8, cpu.flags);
6690 err = check_flags();
6691@@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6692 u32 eax, edx;
6693 u32 level = 1;
6694
6695- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6696- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6697- asm("cpuid"
6698+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6699+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6700+ asm volatile("cpuid"
6701 : "+a" (level), "=d" (cpu.flags[0])
6702 : : "ecx", "ebx");
6703- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6704+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6705
6706 err = check_flags();
6707 }
6708diff -urNp linux-2.6.32.48/arch/x86/boot/header.S linux-2.6.32.48/arch/x86/boot/header.S
6709--- linux-2.6.32.48/arch/x86/boot/header.S 2011-11-08 19:02:43.000000000 -0500
6710+++ linux-2.6.32.48/arch/x86/boot/header.S 2011-11-15 19:59:42.000000000 -0500
6711@@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6712 # single linked list of
6713 # struct setup_data
6714
6715-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6716+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6717
6718 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6719 #define VO_INIT_SIZE (VO__end - VO__text)
6720diff -urNp linux-2.6.32.48/arch/x86/boot/Makefile linux-2.6.32.48/arch/x86/boot/Makefile
6721--- linux-2.6.32.48/arch/x86/boot/Makefile 2011-11-08 19:02:43.000000000 -0500
6722+++ linux-2.6.32.48/arch/x86/boot/Makefile 2011-11-15 19:59:42.000000000 -0500
6723@@ -69,6 +69,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
6724 $(call cc-option, -fno-stack-protector) \
6725 $(call cc-option, -mpreferred-stack-boundary=2)
6726 KBUILD_CFLAGS += $(call cc-option, -m32)
6727+ifdef CONSTIFY_PLUGIN
6728+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
6729+endif
6730 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
6731 GCOV_PROFILE := n
6732
6733diff -urNp linux-2.6.32.48/arch/x86/boot/memory.c linux-2.6.32.48/arch/x86/boot/memory.c
6734--- linux-2.6.32.48/arch/x86/boot/memory.c 2011-11-08 19:02:43.000000000 -0500
6735+++ linux-2.6.32.48/arch/x86/boot/memory.c 2011-11-15 19:59:42.000000000 -0500
6736@@ -19,7 +19,7 @@
6737
6738 static int detect_memory_e820(void)
6739 {
6740- int count = 0;
6741+ unsigned int count = 0;
6742 struct biosregs ireg, oreg;
6743 struct e820entry *desc = boot_params.e820_map;
6744 static struct e820entry buf; /* static so it is zeroed */
6745diff -urNp linux-2.6.32.48/arch/x86/boot/video.c linux-2.6.32.48/arch/x86/boot/video.c
6746--- linux-2.6.32.48/arch/x86/boot/video.c 2011-11-08 19:02:43.000000000 -0500
6747+++ linux-2.6.32.48/arch/x86/boot/video.c 2011-11-15 19:59:42.000000000 -0500
6748@@ -90,7 +90,7 @@ static void store_mode_params(void)
6749 static unsigned int get_entry(void)
6750 {
6751 char entry_buf[4];
6752- int i, len = 0;
6753+ unsigned int i, len = 0;
6754 int key;
6755 unsigned int v;
6756
6757diff -urNp linux-2.6.32.48/arch/x86/boot/video-vesa.c linux-2.6.32.48/arch/x86/boot/video-vesa.c
6758--- linux-2.6.32.48/arch/x86/boot/video-vesa.c 2011-11-08 19:02:43.000000000 -0500
6759+++ linux-2.6.32.48/arch/x86/boot/video-vesa.c 2011-11-15 19:59:42.000000000 -0500
6760@@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6761
6762 boot_params.screen_info.vesapm_seg = oreg.es;
6763 boot_params.screen_info.vesapm_off = oreg.di;
6764+ boot_params.screen_info.vesapm_size = oreg.cx;
6765 }
6766
6767 /*
6768diff -urNp linux-2.6.32.48/arch/x86/crypto/aes-x86_64-asm_64.S linux-2.6.32.48/arch/x86/crypto/aes-x86_64-asm_64.S
6769--- linux-2.6.32.48/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6770+++ linux-2.6.32.48/arch/x86/crypto/aes-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6771@@ -8,6 +8,8 @@
6772 * including this sentence is retained in full.
6773 */
6774
6775+#include <asm/alternative-asm.h>
6776+
6777 .extern crypto_ft_tab
6778 .extern crypto_it_tab
6779 .extern crypto_fl_tab
6780@@ -71,6 +73,8 @@ FUNC: movq r1,r2; \
6781 je B192; \
6782 leaq 32(r9),r9;
6783
6784+#define ret pax_force_retaddr; ret
6785+
6786 #define epilogue(r1,r2,r3,r4,r5,r6,r7,r8,r9) \
6787 movq r1,r2; \
6788 movq r3,r4; \
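Review bot: Redefining the mnemonic with `#define ret pax_force_retaddr; ret` changes every later `ret` in this file without any visible sign at the use sites, whereas the salsa20 and twofish files in this patch place `pax_force_retaddr` explicitly before each `ret`. Someone reading the epilogue macro below the define will not see that a hardening step has been spliced in. I would either write `pax_force_retaddr` explicitly where the epilogue returns, or put `/* every ret below also expands pax_force_retaddr (asm/alternative-asm.h) */` above the define. The epilogue macro body continues outside the hunk.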
6789diff -urNp linux-2.6.32.48/arch/x86/crypto/salsa20-x86_64-asm_64.S linux-2.6.32.48/arch/x86/crypto/salsa20-x86_64-asm_64.S
6790--- linux-2.6.32.48/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6791+++ linux-2.6.32.48/arch/x86/crypto/salsa20-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6792@@ -1,3 +1,5 @@
6793+#include <asm/alternative-asm.h>
6794+
6795 # enter ECRYPT_encrypt_bytes
6796 .text
6797 .p2align 5
6798@@ -790,6 +792,7 @@ ECRYPT_encrypt_bytes:
6799 add %r11,%rsp
6800 mov %rdi,%rax
6801 mov %rsi,%rdx
6802+ pax_force_retaddr
6803 ret
6804 # bytesatleast65:
6805 ._bytesatleast65:
6806@@ -891,6 +894,7 @@ ECRYPT_keysetup:
6807 add %r11,%rsp
6808 mov %rdi,%rax
6809 mov %rsi,%rdx
6810+ pax_force_retaddr
6811 ret
6812 # enter ECRYPT_ivsetup
6813 .text
6814@@ -917,4 +921,5 @@ ECRYPT_ivsetup:
6815 add %r11,%rsp
6816 mov %rdi,%rax
6817 mov %rsi,%rdx
6818+ pax_force_retaddr
6819 ret
6820diff -urNp linux-2.6.32.48/arch/x86/crypto/twofish-x86_64-asm_64.S linux-2.6.32.48/arch/x86/crypto/twofish-x86_64-asm_64.S
6821--- linux-2.6.32.48/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-08 19:02:43.000000000 -0500
6822+++ linux-2.6.32.48/arch/x86/crypto/twofish-x86_64-asm_64.S 2011-11-15 19:59:42.000000000 -0500
6823@@ -21,6 +21,7 @@
6824 .text
6825
6826 #include <asm/asm-offsets.h>
6827+#include <asm/alternative-asm.h>
6828
6829 #define a_offset 0
6830 #define b_offset 4
6831@@ -269,6 +270,7 @@ twofish_enc_blk:
6832
6833 popq R1
6834 movq $1,%rax
6835+ pax_force_retaddr
6836 ret
6837
6838 twofish_dec_blk:
6839@@ -321,4 +323,5 @@ twofish_dec_blk:
6840
6841 popq R1
6842 movq $1,%rax
6843+ pax_force_retaddr
6844 ret
6845diff -urNp linux-2.6.32.48/arch/x86/ia32/ia32_aout.c linux-2.6.32.48/arch/x86/ia32/ia32_aout.c
6846--- linux-2.6.32.48/arch/x86/ia32/ia32_aout.c 2011-11-08 19:02:43.000000000 -0500
6847+++ linux-2.6.32.48/arch/x86/ia32/ia32_aout.c 2011-11-15 19:59:42.000000000 -0500
6848@@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6849 unsigned long dump_start, dump_size;
6850 struct user32 dump;
6851
6852+ memset(&dump, 0, sizeof(dump));
6853+
6854 fs = get_fs();
6855 set_fs(KERNEL_DS);
6856 has_dumped = 1;
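Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment, so it reads as redundant initialisation that a later cleanup could remove. `dump` is a stack `struct user32` in a core-dump routine, so any field or padding byte the later code leaves unset would otherwise carry stale kernel stack contents into a file the user can read. I would put `/* zero padding and unset fields: dump ends up in the core file */` above it. The rest of aout_core_dump lies outside the hunk, so which fields are filled later cannot be checked here.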
6857@@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6858 dump_size = dump.u_ssize << PAGE_SHIFT;
6859 DUMP_WRITE(dump_start, dump_size);
6860 }
6861- /*
6862- * Finally dump the task struct. Not be used by gdb, but
6863- * could be useful
6864- */
6865- set_fs(KERNEL_DS);
6866- DUMP_WRITE(current, sizeof(*current));
6867 end_coredump:
6868 set_fs(fs);
6869 return has_dumped;
6870diff -urNp linux-2.6.32.48/arch/x86/ia32/ia32entry.S linux-2.6.32.48/arch/x86/ia32/ia32entry.S
6871--- linux-2.6.32.48/arch/x86/ia32/ia32entry.S 2011-11-08 19:02:43.000000000 -0500
6872+++ linux-2.6.32.48/arch/x86/ia32/ia32entry.S 2011-11-18 18:01:52.000000000 -0500
6873@@ -13,7 +13,9 @@
6874 #include <asm/thread_info.h>
6875 #include <asm/segment.h>
6876 #include <asm/irqflags.h>
6877+#include <asm/pgtable.h>
6878 #include <linux/linkage.h>
6879+#include <asm/alternative-asm.h>
6880
6881 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6882 #include <linux/elf-em.h>
6883@@ -93,6 +95,29 @@ ENTRY(native_irq_enable_sysexit)
6884 ENDPROC(native_irq_enable_sysexit)
6885 #endif
6886
6887+ .macro pax_enter_kernel_user
6888+#ifdef CONFIG_PAX_MEMORY_UDEREF
6889+ call pax_enter_kernel_user
6890+#endif
6891+ .endm
6892+
6893+ .macro pax_exit_kernel_user
6894+#ifdef CONFIG_PAX_MEMORY_UDEREF
6895+ call pax_exit_kernel_user
6896+#endif
6897+#ifdef CONFIG_PAX_RANDKSTACK
6898+ pushq %rax
6899+ call pax_randomize_kstack
6900+ popq %rax
6901+#endif
6902+ .endm
6903+
6904+.macro pax_erase_kstack
6905+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6906+ call pax_erase_kstack
6907+#endif
6908+.endm
6909+
6910 /*
6911 * 32bit SYSENTER instruction entry.
6912 *
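Review bot: None of the three new macros says which registers its callee may clobber, and `pax_exit_kernel_user` saves only `%rax` around `call pax_randomize_kstack` while the other calls save nothing. They are expanded on syscall entry and exit paths where registers hold live state, so the contract belongs next to the macros, for example `/* pax_enter_kernel_user, pax_exit_kernel_user and pax_erase_kstack preserve all registers; pax_randomize_kstack may clobber %rax */` if that is what the routines guarantee. Those routines are defined outside this hunk, so the guarantee cannot be confirmed from here.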
6913@@ -119,7 +144,7 @@ ENTRY(ia32_sysenter_target)
6914 CFI_REGISTER rsp,rbp
6915 SWAPGS_UNSAFE_STACK
6916 movq PER_CPU_VAR(kernel_stack), %rsp
6917- addq $(KERNEL_STACK_OFFSET),%rsp
6918+ pax_enter_kernel_user
6919 /*
6920 * No need to follow this irqs on/off section: the syscall
6921 * disabled irqs, here we enable it straight after entry:
6922@@ -135,7 +160,8 @@ ENTRY(ia32_sysenter_target)
6923 pushfq
6924 CFI_ADJUST_CFA_OFFSET 8
6925 /*CFI_REL_OFFSET rflags,0*/
6926- movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6927+ GET_THREAD_INFO(%r10)
6928+ movl TI_sysenter_return(%r10), %r10d
6929 CFI_REGISTER rip,r10
6930 pushq $__USER32_CS
6931 CFI_ADJUST_CFA_OFFSET 8
6932@@ -150,6 +176,12 @@ ENTRY(ia32_sysenter_target)
6933 SAVE_ARGS 0,0,1
6934 /* no need to do an access_ok check here because rbp has been
6935 32bit zero extended */
6936+
6937+#ifdef CONFIG_PAX_MEMORY_UDEREF
6938+ mov $PAX_USER_SHADOW_BASE,%r10
6939+ add %r10,%rbp
6940+#endif
6941+
6942 1: movl (%rbp),%ebp
6943 .section __ex_table,"a"
6944 .quad 1b,ia32_badarg
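Review bot: The context comment `no need to do an access_ok check here because rbp has been 32bit zero extended` no longer describes the load when CONFIG_PAX_MEMORY_UDEREF is set, because the added lines rebase `%rbp` by `PAX_USER_SHADOW_BASE` before `movl (%rbp),%ebp`. The safety argument now rests on a 32-bit value plus the shadow base staying inside the intended mapping, which should be written down, e.g. `/* UDEREF: userland is read through the shadow mapping; rbp < 4G keeps rbp + PAX_USER_SHADOW_BASE inside it */` if that is the invariant. The block also uses `%r10` as scratch, and the code that precedes it is outside the hunk, so it is worth confirming nothing live is held there. The same comment gap applies to the `%r8` rebasing added in the ia32_cstar_target hunk further down.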
6945@@ -172,6 +204,8 @@ sysenter_dispatch:
6946 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6947 jnz sysexit_audit
6948 sysexit_from_sys_call:
6949+ pax_exit_kernel_user
6950+ pax_erase_kstack
6951 andl $~TS_COMPAT,TI_status(%r10)
6952 /* clear IF, that popfq doesn't enable interrupts early */
6953 andl $~0x200,EFLAGS-R11(%rsp)
6954@@ -200,6 +234,9 @@ sysexit_from_sys_call:
6955 movl %eax,%esi /* 2nd arg: syscall number */
6956 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6957 call audit_syscall_entry
6958+
6959+ pax_erase_kstack
6960+
6961 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6962 cmpq $(IA32_NR_syscalls-1),%rax
6963 ja ia32_badsys
6964@@ -252,6 +289,9 @@ sysenter_tracesys:
6965 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6966 movq %rsp,%rdi /* &pt_regs -> arg1 */
6967 call syscall_trace_enter
6968+
6969+ pax_erase_kstack
6970+
6971 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6972 RESTORE_REST
6973 cmpq $(IA32_NR_syscalls-1),%rax
6974@@ -283,19 +323,24 @@ ENDPROC(ia32_sysenter_target)
6975 ENTRY(ia32_cstar_target)
6976 CFI_STARTPROC32 simple
6977 CFI_SIGNAL_FRAME
6978- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6979+ CFI_DEF_CFA rsp,0
6980 CFI_REGISTER rip,rcx
6981 /*CFI_REGISTER rflags,r11*/
6982 SWAPGS_UNSAFE_STACK
6983 movl %esp,%r8d
6984 CFI_REGISTER rsp,r8
6985 movq PER_CPU_VAR(kernel_stack),%rsp
6986+
6987+#ifdef CONFIG_PAX_MEMORY_UDEREF
6988+ pax_enter_kernel_user
6989+#endif
6990+
6991 /*
6992 * No need to follow this irqs on/off section: the syscall
6993 * disabled irqs and here we enable it straight after entry:
6994 */
6995 ENABLE_INTERRUPTS(CLBR_NONE)
6996- SAVE_ARGS 8,1,1
6997+ SAVE_ARGS 8*6,1,1
6998 movl %eax,%eax /* zero extension */
6999 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
7000 movq %rcx,RIP-ARGOFFSET(%rsp)
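Review bot: The `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif` pair around `pax_enter_kernel_user` is redundant here, because the macro added earlier in this file already expands to nothing unless that option is set, and the ia32_sysenter_target and ia32_syscall call sites invoke it unguarded. I would drop the guard so all three entry points read the same, leaving just `pax_enter_kernel_user`. Separately, `SAVE_ARGS 8,1,1` becoming `SAVE_ARGS 8*6,1,1` together with `CFI_DEF_CFA rsp,0` changes the frame layout and deserves a one-line comment giving the reason; the definition of SAVE_ARGS is not visible in this hunk.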
7001@@ -311,6 +356,12 @@ ENTRY(ia32_cstar_target)
7002 /* no need to do an access_ok check here because r8 has been
7003 32bit zero extended */
7004 /* hardware stack frame is complete now */
7005+
7006+#ifdef CONFIG_PAX_MEMORY_UDEREF
7007+ mov $PAX_USER_SHADOW_BASE,%r10
7008+ add %r10,%r8
7009+#endif
7010+
7011 1: movl (%r8),%r9d
7012 .section __ex_table,"a"
7013 .quad 1b,ia32_badarg
7014@@ -333,6 +384,8 @@ cstar_dispatch:
7015 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
7016 jnz sysretl_audit
7017 sysretl_from_sys_call:
7018+ pax_exit_kernel_user
7019+ pax_erase_kstack
7020 andl $~TS_COMPAT,TI_status(%r10)
7021 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
7022 movl RIP-ARGOFFSET(%rsp),%ecx
7023@@ -370,6 +423,9 @@ cstar_tracesys:
7024 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7025 movq %rsp,%rdi /* &pt_regs -> arg1 */
7026 call syscall_trace_enter
7027+
7028+ pax_erase_kstack
7029+
7030 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
7031 RESTORE_REST
7032 xchgl %ebp,%r9d
7033@@ -415,6 +471,7 @@ ENTRY(ia32_syscall)
7034 CFI_REL_OFFSET rip,RIP-RIP
7035 PARAVIRT_ADJUST_EXCEPTION_FRAME
7036 SWAPGS
7037+ pax_enter_kernel_user
7038 /*
7039 * No need to follow this irqs on/off section: the syscall
7040 * disabled irqs and here we enable it straight after entry:
7041@@ -448,6 +505,9 @@ ia32_tracesys:
7042 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
7043 movq %rsp,%rdi /* &pt_regs -> arg1 */
7044 call syscall_trace_enter
7045+
7046+ pax_erase_kstack
7047+
7048 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
7049 RESTORE_REST
7050 cmpq $(IA32_NR_syscalls-1),%rax
7051@@ -462,6 +522,7 @@ ia32_badsys:
7052
7053 quiet_ni_syscall:
7054 movq $-ENOSYS,%rax
7055+ pax_force_retaddr
7056 ret
7057 CFI_ENDPROC
7058
7059diff -urNp linux-2.6.32.48/arch/x86/ia32/ia32_signal.c linux-2.6.32.48/arch/x86/ia32/ia32_signal.c
7060--- linux-2.6.32.48/arch/x86/ia32/ia32_signal.c 2011-11-08 19:02:43.000000000 -0500
7061+++ linux-2.6.32.48/arch/x86/ia32/ia32_signal.c 2011-11-15 19:59:42.000000000 -0500
7062@@ -167,7 +167,7 @@ asmlinkage long sys32_sigaltstack(const
7063 }
7064 seg = get_fs();
7065 set_fs(KERNEL_DS);
7066- ret = do_sigaltstack(uss_ptr ? &uss : NULL, &uoss, regs->sp);
7067+ ret = do_sigaltstack(uss_ptr ? (const stack_t __force_user *)&uss : NULL, (stack_t __force_user *)&uoss, regs->sp);
7068 set_fs(seg);
7069 if (ret >= 0 && uoss_ptr) {
7070 if (!access_ok(VERIFY_WRITE, uoss_ptr, sizeof(stack_ia32_t)))
7071@@ -374,7 +374,7 @@ static int ia32_setup_sigcontext(struct
7072 */
7073 static void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
7074 size_t frame_size,
7075- void **fpstate)
7076+ void __user **fpstate)
7077 {
7078 unsigned long sp;
7079
7080@@ -395,7 +395,7 @@ static void __user *get_sigframe(struct
7081
7082 if (used_math()) {
7083 sp = sp - sig_xstate_ia32_size;
7084- *fpstate = (struct _fpstate_ia32 *) sp;
7085+ *fpstate = (struct _fpstate_ia32 __user *) sp;
7086 if (save_i387_xstate_ia32(*fpstate) < 0)
7087 return (void __user *) -1L;
7088 }
7089@@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
7090 sp -= frame_size;
7091 /* Align the stack pointer according to the i386 ABI,
7092 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
7093- sp = ((sp + 4) & -16ul) - 4;
7094+ sp = ((sp - 12) & -16ul) - 4;
7095 return (void __user *) sp;
7096 }
7097
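Review bot: The new expression `sp = ((sp - 12) & -16ul) - 4;` meets the same `((sp + 4) & 15) == 0` condition as the line it replaces but always lands exactly 16 bytes lower, and nothing in the hunk says why. The comment above it still describes only the alignment, so the extra gap looks accidental to the next reader. I would add a sentence to that comment stating the reason for the additional 16 bytes, along the lines of `* The -12 keeps the result at least 16 bytes below the incoming sp because ...`. get_sigframe starts outside this hunk.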
7098@@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
7099 * These are actually not used anymore, but left because some
7100 * gdb versions depend on them as a marker.
7101 */
7102- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7103+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7104 } put_user_catch(err);
7105
7106 if (err)
7107@@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
7108 0xb8,
7109 __NR_ia32_rt_sigreturn,
7110 0x80cd,
7111- 0,
7112+ 0
7113 };
7114
7115 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
7116@@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
7117
7118 if (ka->sa.sa_flags & SA_RESTORER)
7119 restorer = ka->sa.sa_restorer;
7120+ else if (current->mm->context.vdso)
7121+ /* Return stub is in 32bit vsyscall page */
7122+ restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
7123 else
7124- restorer = VDSO32_SYMBOL(current->mm->context.vdso,
7125- rt_sigreturn);
7126+ restorer = &frame->retcode;
7127 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
7128
7129 /*
7130 * Not actually used anymore, but left because some gdb
7131 * versions need it.
7132 */
7133- put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
7134+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
7135 } put_user_catch(err);
7136
7137 if (err)
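Review bot: The comment `Not actually used anymore, but left because some gdb versions need it.` stops being true with this change, since the new `else restorer = &frame->retcode;` branch makes the on-stack `retcode` bytes the real signal-return stub when there is neither SA_RESTORER nor a vDSO. That fallback runs code from the user stack, so signal return would fault wherever the stack is mapped non-executable, and that trade-off should be recorded. I would reword the comment to `/* Return stub when there is no SA_RESTORER and no vDSO; also kept as a marker for gdb. */`. ia32_setup_frame carries the same comment in its own hunk, but whether it gained the same fallback is not visible there.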
7138diff -urNp linux-2.6.32.48/arch/x86/ia32/sys_ia32.c linux-2.6.32.48/arch/x86/ia32/sys_ia32.c
7139--- linux-2.6.32.48/arch/x86/ia32/sys_ia32.c 2011-11-08 19:02:43.000000000 -0500
7140+++ linux-2.6.32.48/arch/x86/ia32/sys_ia32.c 2011-11-15 19:59:42.000000000 -0500
7141@@ -69,8 +69,8 @@ asmlinkage long sys32_ftruncate64(unsign
7142 */
7143 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
7144 {
7145- typeof(ubuf->st_uid) uid = 0;
7146- typeof(ubuf->st_gid) gid = 0;
7147+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
7148+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
7149 SET_UID(uid, stat->uid);
7150 SET_GID(gid, stat->gid);
7151 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
7152@@ -308,8 +308,8 @@ asmlinkage long sys32_rt_sigprocmask(int
7153 }
7154 set_fs(KERNEL_DS);
7155 ret = sys_rt_sigprocmask(how,
7156- set ? (sigset_t __user *)&s : NULL,
7157- oset ? (sigset_t __user *)&s : NULL,
7158+ set ? (sigset_t __force_user *)&s : NULL,
7159+ oset ? (sigset_t __force_user *)&s : NULL,
7160 sigsetsize);
7161 set_fs(old_fs);
7162 if (ret)
7163@@ -371,7 +371,7 @@ asmlinkage long sys32_sched_rr_get_inter
7164 mm_segment_t old_fs = get_fs();
7165
7166 set_fs(KERNEL_DS);
7167- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
7168+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
7169 set_fs(old_fs);
7170 if (put_compat_timespec(&t, interval))
7171 return -EFAULT;
7172@@ -387,7 +387,7 @@ asmlinkage long sys32_rt_sigpending(comp
7173 mm_segment_t old_fs = get_fs();
7174
7175 set_fs(KERNEL_DS);
7176- ret = sys_rt_sigpending((sigset_t __user *)&s, sigsetsize);
7177+ ret = sys_rt_sigpending((sigset_t __force_user *)&s, sigsetsize);
7178 set_fs(old_fs);
7179 if (!ret) {
7180 switch (_NSIG_WORDS) {
7181@@ -412,7 +412,7 @@ asmlinkage long sys32_rt_sigqueueinfo(in
7182 if (copy_siginfo_from_user32(&info, uinfo))
7183 return -EFAULT;
7184 set_fs(KERNEL_DS);
7185- ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __user *)&info);
7186+ ret = sys_rt_sigqueueinfo(pid, sig, (siginfo_t __force_user *)&info);
7187 set_fs(old_fs);
7188 return ret;
7189 }
7190@@ -513,7 +513,7 @@ asmlinkage long sys32_sendfile(int out_f
7191 return -EFAULT;
7192
7193 set_fs(KERNEL_DS);
7194- ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __user *)&of : NULL,
7195+ ret = sys_sendfile(out_fd, in_fd, offset ? (off_t __force_user *)&of : NULL,
7196 count);
7197 set_fs(old_fs);
7198
7199diff -urNp linux-2.6.32.48/arch/x86/include/asm/alternative-asm.h linux-2.6.32.48/arch/x86/include/asm/alternative-asm.h
7200--- linux-2.6.32.48/arch/x86/include/asm/alternative-asm.h 2011-11-08 19:02:43.000000000 -0500
7201+++ linux-2.6.32.48/arch/x86/include/asm/alternative-asm.h 2011-11-15 19:59:42.000000000 -0500
7202@@ -19,4 +19,18 @@
7203 .endm
7204 #endif
7205
7206+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
7207+ .macro pax_force_retaddr rip=0
7208+ btsq $63,\rip(%rsp)
7209+ .endm
7210+ .macro pax_force_fptr ptr
7211+ btsq $63,\ptr
7212+ .endm
7213+#else
7214+ .macro pax_force_retaddr rip=0
7215+ .endm
7216+ .macro pax_force_fptr ptr
7217+ .endm
7218+#endif
7219+
7220 #endif /* __ASSEMBLY__ */
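Review bot: The CONFIG_PAX_KERNEXEC_PLUGIN branch expands to `btsq $63,\rip(%rsp)`, which only assembles for 64-bit, yet the guard says nothing about word size in a header shared by both. If Kconfig does not already restrict the option to X86_64 (not visible here), any 32-bit file that invokes the macro would fail to assemble; `#if defined(CONFIG_PAX_KERNEXEC_PLUGIN) && defined(CONFIG_X86_64)` would make the dependency explicit. The macros also need a comment stating what they do and what the argument means, e.g. `/* set bit 63 of the return address stored at \rip(%rsp); \rip is the byte offset of that slot from %rsp */`.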
7221diff -urNp linux-2.6.32.48/arch/x86/include/asm/alternative.h linux-2.6.32.48/arch/x86/include/asm/alternative.h
7222--- linux-2.6.32.48/arch/x86/include/asm/alternative.h 2011-11-08 19:02:43.000000000 -0500
7223+++ linux-2.6.32.48/arch/x86/include/asm/alternative.h 2011-11-15 19:59:42.000000000 -0500
7224@@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
7225 " .byte 662b-661b\n" /* sourcelen */ \
7226 " .byte 664f-663f\n" /* replacementlen */ \
7227 ".previous\n" \
7228- ".section .altinstr_replacement, \"ax\"\n" \
7229+ ".section .altinstr_replacement, \"a\"\n" \
7230 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
7231 ".previous"
7232
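Review bot: The flag change from `"ax"` to `"a"` on `.altinstr_replacement` has no comment, and a section that holds instructions but is not marked executable will look like a mistake to anyone comparing it with the other instruction sections. If the intent is that the replacement bytes are only copied over the original site and never run in place, that should be stated, e.g. `/* replacement bytes are copied over the original instruction, never executed from this section */`. The macro this belongs to starts outside the hunk.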
7233diff -urNp linux-2.6.32.48/arch/x86/include/asm/apic.h linux-2.6.32.48/arch/x86/include/asm/apic.h
7234--- linux-2.6.32.48/arch/x86/include/asm/apic.h 2011-11-08 19:02:43.000000000 -0500
7235+++ linux-2.6.32.48/arch/x86/include/asm/apic.h 2011-11-15 19:59:42.000000000 -0500
7236@@ -46,7 +46,7 @@ static inline void generic_apic_probe(vo
7237
7238 #ifdef CONFIG_X86_LOCAL_APIC
7239
7240-extern unsigned int apic_verbosity;
7241+extern int apic_verbosity;
7242 extern int local_apic_timer_c2_ok;
7243
7244 extern int disable_apic;
7245diff -urNp linux-2.6.32.48/arch/x86/include/asm/apm.h linux-2.6.32.48/arch/x86/include/asm/apm.h
7246--- linux-2.6.32.48/arch/x86/include/asm/apm.h 2011-11-08 19:02:43.000000000 -0500
7247+++ linux-2.6.32.48/arch/x86/include/asm/apm.h 2011-11-15 19:59:42.000000000 -0500
7248@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
7249 __asm__ __volatile__(APM_DO_ZERO_SEGS
7250 "pushl %%edi\n\t"
7251 "pushl %%ebp\n\t"
7252- "lcall *%%cs:apm_bios_entry\n\t"
7253+ "lcall *%%ss:apm_bios_entry\n\t"
7254 "setc %%al\n\t"
7255 "popl %%ebp\n\t"
7256 "popl %%edi\n\t"
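Review bot: The segment override on the far call changes from `%%cs:` to `%%ss:` without a comment, here and in apm_bios_call_simple_asm in the next hunk. `apm_bios_entry` is data, and the override decides which segment's base and limit are used to read it, so the choice matters wherever the kernel code and stack segments do not cover the same range. A comment such as `/* read the far pointer through %ss: %cs need not cover kernel data */` would record the assumption, if that is the reason for the change.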
7257@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
7258 __asm__ __volatile__(APM_DO_ZERO_SEGS
7259 "pushl %%edi\n\t"
7260 "pushl %%ebp\n\t"
7261- "lcall *%%cs:apm_bios_entry\n\t"
7262+ "lcall *%%ss:apm_bios_entry\n\t"
7263 "setc %%bl\n\t"
7264 "popl %%ebp\n\t"
7265 "popl %%edi\n\t"
7266diff -urNp linux-2.6.32.48/arch/x86/include/asm/atomic_32.h linux-2.6.32.48/arch/x86/include/asm/atomic_32.h
7267--- linux-2.6.32.48/arch/x86/include/asm/atomic_32.h 2011-11-08 19:02:43.000000000 -0500
7268+++ linux-2.6.32.48/arch/x86/include/asm/atomic_32.h 2011-11-15 19:59:42.000000000 -0500
7269@@ -25,6 +25,17 @@ static inline int atomic_read(const atom
7270 }
7271
7272 /**
7273+ * atomic_read_unchecked - read atomic variable
7274+ * @v: pointer of type atomic_unchecked_t
7275+ *
7276+ * Atomically reads the value of @v.
7277+ */
7278+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7279+{
7280+ return v->counter;
7281+}
7282+
7283+/**
7284 * atomic_set - set atomic variable
7285 * @v: pointer of type atomic_t
7286 * @i: required value
7287@@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
7288 }
7289
7290 /**
7291+ * atomic_set_unchecked - set atomic variable
7292+ * @v: pointer of type atomic_unchecked_t
7293+ * @i: required value
7294+ *
7295+ * Atomically sets the value of @v to @i.
7296+ */
7297+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7298+{
7299+ v->counter = i;
7300+}
7301+
7302+/**
7303 * atomic_add - add integer to atomic variable
7304 * @i: integer value to add
7305 * @v: pointer of type atomic_t
7306@@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
7307 */
7308 static inline void atomic_add(int i, atomic_t *v)
7309 {
7310- asm volatile(LOCK_PREFIX "addl %1,%0"
7311+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
7312+
7313+#ifdef CONFIG_PAX_REFCOUNT
7314+ "jno 0f\n"
7315+ LOCK_PREFIX "subl %1,%0\n"
7316+ "int $4\n0:\n"
7317+ _ASM_EXTABLE(0b, 0b)
7318+#endif
7319+
7320+ : "+m" (v->counter)
7321+ : "ir" (i));
7322+}
7323+
7324+/**
7325+ * atomic_add_unchecked - add integer to atomic variable
7326+ * @i: integer value to add
7327+ * @v: pointer of type atomic_unchecked_t
7328+ *
7329+ * Atomically adds @i to @v.
7330+ */
7331+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7332+{
7333+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
7334 : "+m" (v->counter)
7335 : "ir" (i));
7336 }
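Review bot: The overflow check added to atomic_add notices the wrap only after the locked `addl` has been committed, so between that instruction and the locked `subl` that undoes it other CPUs can read the wrapped counter. The sequence is also undocumented, and it recurs in atomic_sub, atomic_sub_and_test, atomic_inc, atomic_dec, atomic_dec_and_test and atomic_add_negative in this file and again in atomic_64.h. I would describe it once above the first use: `jno` skips the fix-up when there is no overflow, the inverse locked operation restores the counter, `int $4` raises the overflow trap, `_ASM_EXTABLE(0b, 0b)` resumes at label 0, and the short window in which the wrapped value is visible is accepted. The same comment should state that the `_unchecked` variants exist for counters where wrapping is legitimate.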
7337@@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
7338 */
7339 static inline void atomic_sub(int i, atomic_t *v)
7340 {
7341- asm volatile(LOCK_PREFIX "subl %1,%0"
7342+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
7343+
7344+#ifdef CONFIG_PAX_REFCOUNT
7345+ "jno 0f\n"
7346+ LOCK_PREFIX "addl %1,%0\n"
7347+ "int $4\n0:\n"
7348+ _ASM_EXTABLE(0b, 0b)
7349+#endif
7350+
7351+ : "+m" (v->counter)
7352+ : "ir" (i));
7353+}
7354+
7355+/**
7356+ * atomic_sub_unchecked - subtract integer from atomic variable
7357+ * @i: integer value to subtract
7358+ * @v: pointer of type atomic_unchecked_t
7359+ *
7360+ * Atomically subtracts @i from @v.
7361+ */
7362+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7363+{
7364+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
7365 : "+m" (v->counter)
7366 : "ir" (i));
7367 }
7368@@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
7369 {
7370 unsigned char c;
7371
7372- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7373+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
7374+
7375+#ifdef CONFIG_PAX_REFCOUNT
7376+ "jno 0f\n"
7377+ LOCK_PREFIX "addl %2,%0\n"
7378+ "int $4\n0:\n"
7379+ _ASM_EXTABLE(0b, 0b)
7380+#endif
7381+
7382+ "sete %1\n"
7383 : "+m" (v->counter), "=qm" (c)
7384 : "ir" (i) : "memory");
7385 return c;
7386@@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
7387 */
7388 static inline void atomic_inc(atomic_t *v)
7389 {
7390- asm volatile(LOCK_PREFIX "incl %0"
7391+ asm volatile(LOCK_PREFIX "incl %0\n"
7392+
7393+#ifdef CONFIG_PAX_REFCOUNT
7394+ "jno 0f\n"
7395+ LOCK_PREFIX "decl %0\n"
7396+ "int $4\n0:\n"
7397+ _ASM_EXTABLE(0b, 0b)
7398+#endif
7399+
7400+ : "+m" (v->counter));
7401+}
7402+
7403+/**
7404+ * atomic_inc_unchecked - increment atomic variable
7405+ * @v: pointer of type atomic_unchecked_t
7406+ *
7407+ * Atomically increments @v by 1.
7408+ */
7409+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7410+{
7411+ asm volatile(LOCK_PREFIX "incl %0\n"
7412 : "+m" (v->counter));
7413 }
7414
7415@@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
7416 */
7417 static inline void atomic_dec(atomic_t *v)
7418 {
7419- asm volatile(LOCK_PREFIX "decl %0"
7420+ asm volatile(LOCK_PREFIX "decl %0\n"
7421+
7422+#ifdef CONFIG_PAX_REFCOUNT
7423+ "jno 0f\n"
7424+ LOCK_PREFIX "incl %0\n"
7425+ "int $4\n0:\n"
7426+ _ASM_EXTABLE(0b, 0b)
7427+#endif
7428+
7429+ : "+m" (v->counter));
7430+}
7431+
7432+/**
7433+ * atomic_dec_unchecked - decrement atomic variable
7434+ * @v: pointer of type atomic_unchecked_t
7435+ *
7436+ * Atomically decrements @v by 1.
7437+ */
7438+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7439+{
7440+ asm volatile(LOCK_PREFIX "decl %0\n"
7441 : "+m" (v->counter));
7442 }
7443
7444@@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
7445 {
7446 unsigned char c;
7447
7448- asm volatile(LOCK_PREFIX "decl %0; sete %1"
7449+ asm volatile(LOCK_PREFIX "decl %0\n"
7450+
7451+#ifdef CONFIG_PAX_REFCOUNT
7452+ "jno 0f\n"
7453+ LOCK_PREFIX "incl %0\n"
7454+ "int $4\n0:\n"
7455+ _ASM_EXTABLE(0b, 0b)
7456+#endif
7457+
7458+ "sete %1\n"
7459 : "+m" (v->counter), "=qm" (c)
7460 : : "memory");
7461 return c != 0;
7462@@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
7463 {
7464 unsigned char c;
7465
7466- asm volatile(LOCK_PREFIX "incl %0; sete %1"
7467+ asm volatile(LOCK_PREFIX "incl %0\n"
7468+
7469+#ifdef CONFIG_PAX_REFCOUNT
7470+ "jno 0f\n"
7471+ LOCK_PREFIX "decl %0\n"
7472+ "into\n0:\n"
7473+ _ASM_EXTABLE(0b, 0b)
7474+#endif
7475+
7476+ "sete %1\n"
7477+ : "+m" (v->counter), "=qm" (c)
7478+ : : "memory");
7479+ return c != 0;
7480+}
7481+
7482+/**
7483+ * atomic_inc_and_test_unchecked - increment and test
7484+ * @v: pointer of type atomic_unchecked_t
7485+ *
7486+ * Atomically increments @v by 1
7487+ * and returns true if the result is zero, or false for all
7488+ * other cases.
7489+ */
7490+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7491+{
7492+ unsigned char c;
7493+
7494+ asm volatile(LOCK_PREFIX "incl %0\n"
7495+ "sete %1\n"
7496 : "+m" (v->counter), "=qm" (c)
7497 : : "memory");
7498 return c != 0;
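Review bot: atomic_inc_and_test raises the overflow trap with `"into\n0:\n"` while every other checked operation in this file uses `"int $4\n0:\n"`. `into` traps only when OF is set at that point, so it relies on the flags left by the undoing `decl`, whereas `int $4` is unconditional; the two happen to agree here, but the difference makes the one site harder to audit. I would change the line to `"int $4\n0:\n"` to match the rest.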
7499@@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
7500 {
7501 unsigned char c;
7502
7503- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7504+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
7505+
7506+#ifdef CONFIG_PAX_REFCOUNT
7507+ "jno 0f\n"
7508+ LOCK_PREFIX "subl %2,%0\n"
7509+ "int $4\n0:\n"
7510+ _ASM_EXTABLE(0b, 0b)
7511+#endif
7512+
7513+ "sets %1\n"
7514 : "+m" (v->counter), "=qm" (c)
7515 : "ir" (i) : "memory");
7516 return c;
7517@@ -179,6 +341,46 @@ static inline int atomic_add_return(int
7518 #endif
7519 /* Modern 486+ processor */
7520 __i = i;
7521+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7522+
7523+#ifdef CONFIG_PAX_REFCOUNT
7524+ "jno 0f\n"
7525+ "movl %0, %1\n"
7526+ "int $4\n0:\n"
7527+ _ASM_EXTABLE(0b, 0b)
7528+#endif
7529+
7530+ : "+r" (i), "+m" (v->counter)
7531+ : : "memory");
7532+ return i + __i;
7533+
7534+#ifdef CONFIG_M386
7535+no_xadd: /* Legacy 386 processor */
7536+ local_irq_save(flags);
7537+ __i = atomic_read(v);
7538+ atomic_set(v, i + __i);
7539+ local_irq_restore(flags);
7540+ return i + __i;
7541+#endif
7542+}
7543+
7544+/**
7545+ * atomic_add_return_unchecked - add integer and return
7546+ * @v: pointer of type atomic_unchecked_t
7547+ * @i: integer value to add
7548+ *
7549+ * Atomically adds @i to @v and returns @i + @v
7550+ */
7551+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7552+{
7553+ int __i;
7554+#ifdef CONFIG_M386
7555+ unsigned long flags;
7556+ if (unlikely(boot_cpu_data.x86 <= 3))
7557+ goto no_xadd;
7558+#endif
7559+ /* Modern 486+ processor */
7560+ __i = i;
7561 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7562 : "+r" (i), "+m" (v->counter)
7563 : : "memory");
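Review bot: The overflow rollback in atomic_add_return is a plain `"movl %0, %1\n"`, which stores the pre-add value back without checking that the counter still holds the wrapped result, so an update made by another CPU between the `xaddl` and the `movl` is overwritten. The other checked operations in this file undo with the locked inverse instruction, which composes with concurrent updates; here that would be `LOCK_PREFIX "subl %2, %1\n"` with `"ir" (__i)` added as an input operand. The CONFIG_M386 `no_xadd` path in the same function does `atomic_set(v, i + __i)` with no overflow check at all, so the protection is missing on that path and that should at least be noted in a comment. The body of atomic_add_return_unchecked continues outside the hunk.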
7564@@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
7565 return cmpxchg(&v->counter, old, new);
7566 }
7567
7568+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7569+{
7570+ return cmpxchg(&v->counter, old, new);
7571+}
7572+
7573 static inline int atomic_xchg(atomic_t *v, int new)
7574 {
7575 return xchg(&v->counter, new);
7576 }
7577
7578+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7579+{
7580+ return xchg(&v->counter, new);
7581+}
7582+
7583 /**
7584 * atomic_add_unless - add unless the number is already a given value
7585 * @v: pointer of type atomic_t
7586@@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7587 */
7588 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7589 {
7590- int c, old;
7591+ int c, old, new;
7592 c = atomic_read(v);
7593 for (;;) {
7594- if (unlikely(c == (u)))
7595+ if (unlikely(c == u))
7596 break;
7597- old = atomic_cmpxchg((v), c, c + (a));
7598+
7599+ asm volatile("addl %2,%0\n"
7600+
7601+#ifdef CONFIG_PAX_REFCOUNT
7602+ "jno 0f\n"
7603+ "subl %2,%0\n"
7604+ "int $4\n0:\n"
7605+ _ASM_EXTABLE(0b, 0b)
7606+#endif
7607+
7608+ : "=r" (new)
7609+ : "0" (c), "ir" (a));
7610+
7611+ old = atomic_cmpxchg(v, c, new);
7612 if (likely(old == c))
7613 break;
7614 c = old;
7615 }
7616- return c != (u);
7617+ return c != u;
7618 }
7619
7620 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7621
7622 #define atomic_inc_return(v) (atomic_add_return(1, v))
7623+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7624+{
7625+ return atomic_add_return_unchecked(1, v);
7626+}
7627 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7628
7629 /* These are x86-specific, used by some header files */
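Review bot: On overflow the checked atomic_add_unless still reports success, because the register-only `subl %2,%0` sets `new` back to `c`, so if execution resumes at label 0 after `int $4` the following `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function returns `c != u`, which is nonzero. A caller of `atomic_inc_not_zero` would then act as if it held a reference that was never counted. Whether the trap handler lets the task continue is not visible in this hunk; if it can, the overflow case needs its own return value, and if it cannot, the code should say so, e.g. `/* on overflow new == c and the cmpxchg is a no-op; the trap handler must not let the caller proceed */`.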
7630@@ -266,9 +495,18 @@ typedef struct {
7631 u64 __aligned(8) counter;
7632 } atomic64_t;
7633
7634+#ifdef CONFIG_PAX_REFCOUNT
7635+typedef struct {
7636+ u64 __aligned(8) counter;
7637+} atomic64_unchecked_t;
7638+#else
7639+typedef atomic64_t atomic64_unchecked_t;
7640+#endif
7641+
7642 #define ATOMIC64_INIT(val) { (val) }
7643
7644 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7645+extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7646
7647 /**
7648 * atomic64_xchg - xchg atomic64 variable
7649@@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7650 * the old value.
7651 */
7652 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7653+extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7654
7655 /**
7656 * atomic64_set - set atomic64 variable
7657@@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7658 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7659
7660 /**
7661+ * atomic64_unchecked_set - set atomic64 variable
7662+ * @ptr: pointer to type atomic64_unchecked_t
7663+ * @new_val: value to assign
7664+ *
7665+ * Atomically sets the value of @ptr to @new_val.
7666+ */
7667+extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7668+
7669+/**
7670 * atomic64_read - read atomic64 variable
7671 * @ptr: pointer to type atomic64_t
7672 *
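Review bot: The kernel-doc header names the function `atomic64_unchecked_set`, but the declaration under it is `atomic64_set_unchecked`, so generated documentation and a search for the real name will miss this block. The first line should read ` * atomic64_set_unchecked - set atomic64 variable`.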
7673@@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7674 return res;
7675 }
7676
7677-extern u64 atomic64_read(atomic64_t *ptr);
7678+/**
7679+ * atomic64_read_unchecked - read atomic64 variable
7680+ * @ptr: pointer to type atomic64_unchecked_t
7681+ *
7682+ * Atomically reads the value of @ptr and returns it.
7683+ */
7684+static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7685+{
7686+ u64 res;
7687+
7688+ /*
7689+ * Note, we inline this atomic64_unchecked_t primitive because
7690+ * it only clobbers EAX/EDX and leaves the others
7691+ * untouched. We also (somewhat subtly) rely on the
7692+ * fact that cmpxchg8b returns the current 64-bit value
7693+ * of the memory location we are touching:
7694+ */
7695+ asm volatile(
7696+ "mov %%ebx, %%eax\n\t"
7697+ "mov %%ecx, %%edx\n\t"
7698+ LOCK_PREFIX "cmpxchg8b %1\n"
7699+ : "=&A" (res)
7700+ : "m" (*ptr)
7701+ );
7702+
7703+ return res;
7704+}
7705
7706 /**
7707 * atomic64_add_return - add and return
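Review bot: atomic64_read_unchecked passes `*ptr` only as an `"m"` input although `LOCK cmpxchg8b %1` always performs a write cycle on its memory operand, so the compiler is told the location is untouched and the read cannot be used on memory that is mapped read-only. This mirrors the existing atomic64_read, so it may be accepted practice in this file, but the comment inside the function should mention it, e.g. `* cmpxchg8b writes the value back, so @ptr must be writable even though this is a read`. If the constraint is to be made accurate instead, `: "=&A" (res), "+m" (*ptr)` keeps the operand numbering unchanged.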
7708@@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7709 * Other variants with different arithmetic operators:
7710 */
7711 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7712+extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7713 extern u64 atomic64_inc_return(atomic64_t *ptr);
7714+extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7715 extern u64 atomic64_dec_return(atomic64_t *ptr);
7716+extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7717
7718 /**
7719 * atomic64_add - add integer to atomic64 variable
7720@@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7721 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7722
7723 /**
7724+ * atomic64_add_unchecked - add integer to atomic64 variable
7725+ * @delta: integer value to add
7726+ * @ptr: pointer to type atomic64_unchecked_t
7727+ *
7728+ * Atomically adds @delta to @ptr.
7729+ */
7730+extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7731+
7732+/**
7733 * atomic64_sub - subtract the atomic64 variable
7734 * @delta: integer value to subtract
7735 * @ptr: pointer to type atomic64_t
7736@@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7737 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7738
7739 /**
7740+ * atomic64_sub_unchecked - subtract the atomic64 variable
7741+ * @delta: integer value to subtract
7742+ * @ptr: pointer to type atomic64_unchecked_t
7743+ *
7744+ * Atomically subtracts @delta from @ptr.
7745+ */
7746+extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7747+
7748+/**
7749 * atomic64_sub_and_test - subtract value from variable and test result
7750 * @delta: integer value to subtract
7751 * @ptr: pointer to type atomic64_t
7752@@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7753 extern void atomic64_inc(atomic64_t *ptr);
7754
7755 /**
7756+ * atomic64_inc_unchecked - increment atomic64 variable
7757+ * @ptr: pointer to type atomic64_unchecked_t
7758+ *
7759+ * Atomically increments @ptr by 1.
7760+ */
7761+extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7762+
7763+/**
7764 * atomic64_dec - decrement atomic64 variable
7765 * @ptr: pointer to type atomic64_t
7766 *
7767@@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7768 extern void atomic64_dec(atomic64_t *ptr);
7769
7770 /**
7771+ * atomic64_dec_unchecked - decrement atomic64 variable
7772+ * @ptr: pointer to type atomic64_unchecked_t
7773+ *
7774+ * Atomically decrements @ptr by 1.
7775+ */
7776+extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7777+
7778+/**
7779 * atomic64_dec_and_test - decrement and test
7780 * @ptr: pointer to type atomic64_t
7781 *
7782diff -urNp linux-2.6.32.48/arch/x86/include/asm/atomic_64.h linux-2.6.32.48/arch/x86/include/asm/atomic_64.h
7783--- linux-2.6.32.48/arch/x86/include/asm/atomic_64.h 2011-11-08 19:02:43.000000000 -0500
7784+++ linux-2.6.32.48/arch/x86/include/asm/atomic_64.h 2011-11-15 19:59:42.000000000 -0500
7785@@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7786 }
7787
7788 /**
7789+ * atomic_read_unchecked - read atomic variable
7790+ * @v: pointer of type atomic_unchecked_t
7791+ *
7792+ * Atomically reads the value of @v.
7793+ */
7794+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7795+{
7796+ return v->counter;
7797+}
7798+
7799+/**
7800 * atomic_set - set atomic variable
7801 * @v: pointer of type atomic_t
7802 * @i: required value
7803@@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7804 }
7805
7806 /**
7807+ * atomic_set_unchecked - set atomic variable
7808+ * @v: pointer of type atomic_unchecked_t
7809+ * @i: required value
7810+ *
7811+ * Atomically sets the value of @v to @i.
7812+ */
7813+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7814+{
7815+ v->counter = i;
7816+}
7817+
7818+/**
7819 * atomic_add - add integer to atomic variable
7820 * @i: integer value to add
7821 * @v: pointer of type atomic_t
7822@@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7823 */
7824 static inline void atomic_add(int i, atomic_t *v)
7825 {
7826- asm volatile(LOCK_PREFIX "addl %1,%0"
7827+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
7828+
7829+#ifdef CONFIG_PAX_REFCOUNT
7830+ "jno 0f\n"
7831+ LOCK_PREFIX "subl %1,%0\n"
7832+ "int $4\n0:\n"
7833+ _ASM_EXTABLE(0b, 0b)
7834+#endif
7835+
7836+ : "=m" (v->counter)
7837+ : "ir" (i), "m" (v->counter));
7838+}
7839+
7840+/**
7841+ * atomic_add_unchecked - add integer to atomic variable
7842+ * @i: integer value to add
7843+ * @v: pointer of type atomic_unchecked_t
7844+ *
7845+ * Atomically adds @i to @v.
7846+ */
7847+static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7848+{
7849+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
7850 : "=m" (v->counter)
7851 : "ir" (i), "m" (v->counter));
7852 }
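Review bot: The overflow recovery in `atomic_add` is two separate locked instructions, so between `lock addl` and the compensating `lock subl` other CPUs can observe the wrapped counter, and the kernel-doc above the function mentions neither this nor the trap. I would add a comment before the `#ifdef`, e.g. `/* PAX_REFCOUNT: on signed overflow (OF set) undo the add and raise the overflow exception via int $4; the undo is a second locked op, so the wrapped value is briefly visible */`. The same pattern appears in the atomic_sub, atomic_inc, atomic_dec and *_and_test hunks below and in the 64-bit variants. What the `int $4` handler does afterwards is not visible in this file, so the comment should point at where it lives.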
7853@@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7854 */
7855 static inline void atomic_sub(int i, atomic_t *v)
7856 {
7857- asm volatile(LOCK_PREFIX "subl %1,%0"
7858+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
7859+
7860+#ifdef CONFIG_PAX_REFCOUNT
7861+ "jno 0f\n"
7862+ LOCK_PREFIX "addl %1,%0\n"
7863+ "int $4\n0:\n"
7864+ _ASM_EXTABLE(0b, 0b)
7865+#endif
7866+
7867+ : "=m" (v->counter)
7868+ : "ir" (i), "m" (v->counter));
7869+}
7870+
7871+/**
7872+ * atomic_sub_unchecked - subtract the atomic variable
7873+ * @i: integer value to subtract
7874+ * @v: pointer of type atomic_unchecked_t
7875+ *
7876+ * Atomically subtracts @i from @v.
7877+ */
7878+static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7879+{
7880+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
7881 : "=m" (v->counter)
7882 : "ir" (i), "m" (v->counter));
7883 }
7884@@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7885 {
7886 unsigned char c;
7887
7888- asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7889+ asm volatile(LOCK_PREFIX "subl %2,%0\n"
7890+
7891+#ifdef CONFIG_PAX_REFCOUNT
7892+ "jno 0f\n"
7893+ LOCK_PREFIX "addl %2,%0\n"
7894+ "int $4\n0:\n"
7895+ _ASM_EXTABLE(0b, 0b)
7896+#endif
7897+
7898+ "sete %1\n"
7899 : "=m" (v->counter), "=qm" (c)
7900 : "ir" (i), "m" (v->counter) : "memory");
7901 return c;
7902@@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7903 */
7904 static inline void atomic_inc(atomic_t *v)
7905 {
7906- asm volatile(LOCK_PREFIX "incl %0"
7907+ asm volatile(LOCK_PREFIX "incl %0\n"
7908+
7909+#ifdef CONFIG_PAX_REFCOUNT
7910+ "jno 0f\n"
7911+ LOCK_PREFIX "decl %0\n"
7912+ "int $4\n0:\n"
7913+ _ASM_EXTABLE(0b, 0b)
7914+#endif
7915+
7916+ : "=m" (v->counter)
7917+ : "m" (v->counter));
7918+}
7919+
7920+/**
7921+ * atomic_inc_unchecked - increment atomic variable
7922+ * @v: pointer of type atomic_unchecked_t
7923+ *
7924+ * Atomically increments @v by 1.
7925+ */
7926+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7927+{
7928+ asm volatile(LOCK_PREFIX "incl %0\n"
7929 : "=m" (v->counter)
7930 : "m" (v->counter));
7931 }
7932@@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7933 */
7934 static inline void atomic_dec(atomic_t *v)
7935 {
7936- asm volatile(LOCK_PREFIX "decl %0"
7937+ asm volatile(LOCK_PREFIX "decl %0\n"
7938+
7939+#ifdef CONFIG_PAX_REFCOUNT
7940+ "jno 0f\n"
7941+ LOCK_PREFIX "incl %0\n"
7942+ "int $4\n0:\n"
7943+ _ASM_EXTABLE(0b, 0b)
7944+#endif
7945+
7946+ : "=m" (v->counter)
7947+ : "m" (v->counter));
7948+}
7949+
7950+/**
7951+ * atomic_dec_unchecked - decrement atomic variable
7952+ * @v: pointer of type atomic_unchecked_t
7953+ *
7954+ * Atomically decrements @v by 1.
7955+ */
7956+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7957+{
7958+ asm volatile(LOCK_PREFIX "decl %0\n"
7959 : "=m" (v->counter)
7960 : "m" (v->counter));
7961 }
7962@@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7963 {
7964 unsigned char c;
7965
7966- asm volatile(LOCK_PREFIX "decl %0; sete %1"
7967+ asm volatile(LOCK_PREFIX "decl %0\n"
7968+
7969+#ifdef CONFIG_PAX_REFCOUNT
7970+ "jno 0f\n"
7971+ LOCK_PREFIX "incl %0\n"
7972+ "int $4\n0:\n"
7973+ _ASM_EXTABLE(0b, 0b)
7974+#endif
7975+
7976+ "sete %1\n"
7977 : "=m" (v->counter), "=qm" (c)
7978 : "m" (v->counter) : "memory");
7979 return c != 0;
7980@@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7981 {
7982 unsigned char c;
7983
7984- asm volatile(LOCK_PREFIX "incl %0; sete %1"
7985+ asm volatile(LOCK_PREFIX "incl %0\n"
7986+
7987+#ifdef CONFIG_PAX_REFCOUNT
7988+ "jno 0f\n"
7989+ LOCK_PREFIX "decl %0\n"
7990+ "int $4\n0:\n"
7991+ _ASM_EXTABLE(0b, 0b)
7992+#endif
7993+
7994+ "sete %1\n"
7995+ : "=m" (v->counter), "=qm" (c)
7996+ : "m" (v->counter) : "memory");
7997+ return c != 0;
7998+}
7999+
8000+/**
8001+ * atomic_inc_and_test_unchecked - increment and test
8002+ * @v: pointer of type atomic_unchecked_t
8003+ *
8004+ * Atomically increments @v by 1
8005+ * and returns true if the result is zero, or false for all
8006+ * other cases.
8007+ */
8008+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8009+{
8010+ unsigned char c;
8011+
8012+ asm volatile(LOCK_PREFIX "incl %0\n"
8013+ "sete %1\n"
8014 : "=m" (v->counter), "=qm" (c)
8015 : "m" (v->counter) : "memory");
8016 return c != 0;
8017@@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
8018 {
8019 unsigned char c;
8020
8021- asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
8022+ asm volatile(LOCK_PREFIX "addl %2,%0\n"
8023+
8024+#ifdef CONFIG_PAX_REFCOUNT
8025+ "jno 0f\n"
8026+ LOCK_PREFIX "subl %2,%0\n"
8027+ "int $4\n0:\n"
8028+ _ASM_EXTABLE(0b, 0b)
8029+#endif
8030+
8031+ "sets %1\n"
8032 : "=m" (v->counter), "=qm" (c)
8033 : "ir" (i), "m" (v->counter) : "memory");
8034 return c;
8035@@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
8036 static inline int atomic_add_return(int i, atomic_t *v)
8037 {
8038 int __i = i;
8039- asm volatile(LOCK_PREFIX "xaddl %0, %1"
8040+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8041+
8042+#ifdef CONFIG_PAX_REFCOUNT
8043+ "jno 0f\n"
8044+ "movl %0, %1\n"
8045+ "int $4\n0:\n"
8046+ _ASM_EXTABLE(0b, 0b)
8047+#endif
8048+
8049+ : "+r" (i), "+m" (v->counter)
8050+ : : "memory");
8051+ return i + __i;
8052+}
8053+
8054+/**
8055+ * atomic_add_return_unchecked - add and return
8056+ * @i: integer value to add
8057+ * @v: pointer of type atomic_unchecked_t
8058+ *
8059+ * Atomically adds @i to @v and returns @i + @v
8060+ */
8061+static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
8062+{
8063+ int __i = i;
8064+ asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
8065 : "+r" (i), "+m" (v->counter)
8066 : : "memory");
8067 return i + __i;
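Review bot: The rollback in `atomic_add_return` is a plain `movl %0, %1`, not a locked read-modify-write, so it stores back the value `xaddl` fetched and would overwrite any update another CPU made between the two instructions. The sibling functions undo with a locked inverse operation; if that cannot be done here, a comment such as `/* non-atomic restore: tolerated only because the overflow path is already an error */` should say so. Assuming the handler resumes at label 0, the function then still returns `i + __i`, the wrapped sum, which no longer matches the restored counter. `atomic64_add_return` further down has the same shape with `movq`.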
8068@@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
8069 }
8070
8071 #define atomic_inc_return(v) (atomic_add_return(1, v))
8072+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8073+{
8074+ return atomic_add_return_unchecked(1, v);
8075+}
8076 #define atomic_dec_return(v) (atomic_sub_return(1, v))
8077
8078 /* The 64-bit atomic type */
8079@@ -204,6 +396,18 @@ static inline long atomic64_read(const a
8080 }
8081
8082 /**
8083+ * atomic64_read_unchecked - read atomic64 variable
8084+ * @v: pointer of type atomic64_unchecked_t
8085+ *
8086+ * Atomically reads the value of @v.
8087+ * Doesn't imply a read memory barrier.
8088+ */
8089+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8090+{
8091+ return v->counter;
8092+}
8093+
8094+/**
8095 * atomic64_set - set atomic64 variable
8096 * @v: pointer to type atomic64_t
8097 * @i: required value
8098@@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
8099 }
8100
8101 /**
8102+ * atomic64_set_unchecked - set atomic64 variable
8103+ * @v: pointer to type atomic64_unchecked_t
8104+ * @i: required value
8105+ *
8106+ * Atomically sets the value of @v to @i.
8107+ */
8108+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8109+{
8110+ v->counter = i;
8111+}
8112+
8113+/**
8114 * atomic64_add - add integer to atomic64 variable
8115 * @i: integer value to add
8116 * @v: pointer to type atomic64_t
8117@@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
8118 */
8119 static inline void atomic64_add(long i, atomic64_t *v)
8120 {
8121+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
8122+
8123+#ifdef CONFIG_PAX_REFCOUNT
8124+ "jno 0f\n"
8125+ LOCK_PREFIX "subq %1,%0\n"
8126+ "int $4\n0:\n"
8127+ _ASM_EXTABLE(0b, 0b)
8128+#endif
8129+
8130+ : "=m" (v->counter)
8131+ : "er" (i), "m" (v->counter));
8132+}
8133+
8134+/**
8135+ * atomic64_add_unchecked - add integer to atomic64 variable
8136+ * @i: integer value to add
8137+ * @v: pointer to type atomic64_unchecked_t
8138+ *
8139+ * Atomically adds @i to @v.
8140+ */
8141+static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
8142+{
8143 asm volatile(LOCK_PREFIX "addq %1,%0"
8144 : "=m" (v->counter)
8145 : "er" (i), "m" (v->counter));
8146@@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
8147 */
8148 static inline void atomic64_sub(long i, atomic64_t *v)
8149 {
8150- asm volatile(LOCK_PREFIX "subq %1,%0"
8151+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
8152+
8153+#ifdef CONFIG_PAX_REFCOUNT
8154+ "jno 0f\n"
8155+ LOCK_PREFIX "addq %1,%0\n"
8156+ "int $4\n0:\n"
8157+ _ASM_EXTABLE(0b, 0b)
8158+#endif
8159+
8160 : "=m" (v->counter)
8161 : "er" (i), "m" (v->counter));
8162 }
8163@@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
8164 {
8165 unsigned char c;
8166
8167- asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
8168+ asm volatile(LOCK_PREFIX "subq %2,%0\n"
8169+
8170+#ifdef CONFIG_PAX_REFCOUNT
8171+ "jno 0f\n"
8172+ LOCK_PREFIX "addq %2,%0\n"
8173+ "int $4\n0:\n"
8174+ _ASM_EXTABLE(0b, 0b)
8175+#endif
8176+
8177+ "sete %1\n"
8178 : "=m" (v->counter), "=qm" (c)
8179 : "er" (i), "m" (v->counter) : "memory");
8180 return c;
8181@@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
8182 */
8183 static inline void atomic64_inc(atomic64_t *v)
8184 {
8185+ asm volatile(LOCK_PREFIX "incq %0\n"
8186+
8187+#ifdef CONFIG_PAX_REFCOUNT
8188+ "jno 0f\n"
8189+ LOCK_PREFIX "decq %0\n"
8190+ "int $4\n0:\n"
8191+ _ASM_EXTABLE(0b, 0b)
8192+#endif
8193+
8194+ : "=m" (v->counter)
8195+ : "m" (v->counter));
8196+}
8197+
8198+/**
8199+ * atomic64_inc_unchecked - increment atomic64 variable
8200+ * @v: pointer to type atomic64_unchecked_t
8201+ *
8202+ * Atomically increments @v by 1.
8203+ */
8204+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8205+{
8206 asm volatile(LOCK_PREFIX "incq %0"
8207 : "=m" (v->counter)
8208 : "m" (v->counter));
8209@@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
8210 */
8211 static inline void atomic64_dec(atomic64_t *v)
8212 {
8213- asm volatile(LOCK_PREFIX "decq %0"
8214+ asm volatile(LOCK_PREFIX "decq %0\n"
8215+
8216+#ifdef CONFIG_PAX_REFCOUNT
8217+ "jno 0f\n"
8218+ LOCK_PREFIX "incq %0\n"
8219+ "int $4\n0:\n"
8220+ _ASM_EXTABLE(0b, 0b)
8221+#endif
8222+
8223+ : "=m" (v->counter)
8224+ : "m" (v->counter));
8225+}
8226+
8227+/**
8228+ * atomic64_dec_unchecked - decrement atomic64 variable
8229+ * @v: pointer to type atomic64_t
8230+ *
8231+ * Atomically decrements @v by 1.
8232+ */
8233+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8234+{
8235+ asm volatile(LOCK_PREFIX "decq %0\n"
8236 : "=m" (v->counter)
8237 : "m" (v->counter));
8238 }
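Review bot: The kernel-doc added for `atomic64_dec_unchecked` describes `@v` as a pointer to `atomic64_t`, but the function takes `atomic64_unchecked_t *`. The line should read ` * @v: pointer to type atomic64_unchecked_t`, matching the other `_unchecked` helpers in this file. The two types appear to exist to keep overflow-checked counters apart from ones that are allowed to wrap, so a wrong type name in the documentation makes it easier to pick the wrong helper.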
8239@@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
8240 {
8241 unsigned char c;
8242
8243- asm volatile(LOCK_PREFIX "decq %0; sete %1"
8244+ asm volatile(LOCK_PREFIX "decq %0\n"
8245+
8246+#ifdef CONFIG_PAX_REFCOUNT
8247+ "jno 0f\n"
8248+ LOCK_PREFIX "incq %0\n"
8249+ "int $4\n0:\n"
8250+ _ASM_EXTABLE(0b, 0b)
8251+#endif
8252+
8253+ "sete %1\n"
8254 : "=m" (v->counter), "=qm" (c)
8255 : "m" (v->counter) : "memory");
8256 return c != 0;
8257@@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
8258 {
8259 unsigned char c;
8260
8261- asm volatile(LOCK_PREFIX "incq %0; sete %1"
8262+ asm volatile(LOCK_PREFIX "incq %0\n"
8263+
8264+#ifdef CONFIG_PAX_REFCOUNT
8265+ "jno 0f\n"
8266+ LOCK_PREFIX "decq %0\n"
8267+ "int $4\n0:\n"
8268+ _ASM_EXTABLE(0b, 0b)
8269+#endif
8270+
8271+ "sete %1\n"
8272 : "=m" (v->counter), "=qm" (c)
8273 : "m" (v->counter) : "memory");
8274 return c != 0;
8275@@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
8276 {
8277 unsigned char c;
8278
8279- asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
8280+ asm volatile(LOCK_PREFIX "addq %2,%0\n"
8281+
8282+#ifdef CONFIG_PAX_REFCOUNT
8283+ "jno 0f\n"
8284+ LOCK_PREFIX "subq %2,%0\n"
8285+ "int $4\n0:\n"
8286+ _ASM_EXTABLE(0b, 0b)
8287+#endif
8288+
8289+ "sets %1\n"
8290 : "=m" (v->counter), "=qm" (c)
8291 : "er" (i), "m" (v->counter) : "memory");
8292 return c;
8293@@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
8294 static inline long atomic64_add_return(long i, atomic64_t *v)
8295 {
8296 long __i = i;
8297- asm volatile(LOCK_PREFIX "xaddq %0, %1;"
8298+ asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
8299+
8300+#ifdef CONFIG_PAX_REFCOUNT
8301+ "jno 0f\n"
8302+ "movq %0, %1\n"
8303+ "int $4\n0:\n"
8304+ _ASM_EXTABLE(0b, 0b)
8305+#endif
8306+
8307+ : "+r" (i), "+m" (v->counter)
8308+ : : "memory");
8309+ return i + __i;
8310+}
8311+
8312+/**
8313+ * atomic64_add_return_unchecked - add and return
8314+ * @i: integer value to add
8315+ * @v: pointer to type atomic64_unchecked_t
8316+ *
8317+ * Atomically adds @i to @v and returns @i + @v
8318+ */
8319+static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
8320+{
8321+ long __i = i;
8322+ asm volatile(LOCK_PREFIX "xaddq %0, %1"
8323 : "+r" (i), "+m" (v->counter)
8324 : : "memory");
8325 return i + __i;
8326@@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
8327 }
8328
8329 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
8330+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8331+{
8332+ return atomic64_add_return_unchecked(1, v);
8333+}
8334 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
8335
8336 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
8337@@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
8338 return cmpxchg(&v->counter, old, new);
8339 }
8340
8341+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8342+{
8343+ return cmpxchg(&v->counter, old, new);
8344+}
8345+
8346 static inline long atomic64_xchg(atomic64_t *v, long new)
8347 {
8348 return xchg(&v->counter, new);
8349 }
8350
8351+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8352+{
8353+ return xchg(&v->counter, new);
8354+}
8355+
8356 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
8357 {
8358 return cmpxchg(&v->counter, old, new);
8359 }
8360
8361+static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8362+{
8363+ return cmpxchg(&v->counter, old, new);
8364+}
8365+
8366 static inline long atomic_xchg(atomic_t *v, int new)
8367 {
8368 return xchg(&v->counter, new);
8369 }
8370
8371+static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8372+{
8373+ return xchg(&v->counter, new);
8374+}
8375+
8376 /**
8377 * atomic_add_unless - add unless the number is a given value
8378 * @v: pointer of type atomic_t
8379@@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
8380 */
8381 static inline int atomic_add_unless(atomic_t *v, int a, int u)
8382 {
8383- int c, old;
8384+ int c, old, new;
8385 c = atomic_read(v);
8386 for (;;) {
8387- if (unlikely(c == (u)))
8388+ if (unlikely(c == u))
8389 break;
8390- old = atomic_cmpxchg((v), c, c + (a));
8391+
8392+ asm volatile("addl %2,%0\n"
8393+
8394+#ifdef CONFIG_PAX_REFCOUNT
8395+ "jno 0f\n"
8396+ "subl %2,%0\n"
8397+ "int $4\n0:\n"
8398+ _ASM_EXTABLE(0b, 0b)
8399+#endif
8400+
8401+ : "=r" (new)
8402+ : "0" (c), "ir" (a));
8403+
8404+ old = atomic_cmpxchg(v, c, new);
8405 if (likely(old == c))
8406 break;
8407 c = old;
8408 }
8409- return c != (u);
8410+ return c != u;
8411 }
8412
8413 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
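Review bot: On the overflow path of `atomic_add_unless` the `subl` leaves `new == c`, so if execution resumes after `int $4` the following `atomic_cmpxchg(v, c, new)` succeeds without changing the counter and the function returns `c != u`, reporting that the add happened. A caller going through `atomic_inc_not_zero` would then hold a reference that was never counted; whether the trap handler ever returns here is not visible in this file. If it can, the loop needs an explicit bail-out for the overflow case, or at least a comment stating the handler's contract. The `atomic64_add_unless` hunk below is identical apart from operand width.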
8414@@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
8415 */
8416 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
8417 {
8418- long c, old;
8419+ long c, old, new;
8420 c = atomic64_read(v);
8421 for (;;) {
8422- if (unlikely(c == (u)))
8423+ if (unlikely(c == u))
8424 break;
8425- old = atomic64_cmpxchg((v), c, c + (a));
8426+
8427+ asm volatile("addq %2,%0\n"
8428+
8429+#ifdef CONFIG_PAX_REFCOUNT
8430+ "jno 0f\n"
8431+ "subq %2,%0\n"
8432+ "int $4\n0:\n"
8433+ _ASM_EXTABLE(0b, 0b)
8434+#endif
8435+
8436+ : "=r" (new)
8437+ : "0" (c), "er" (a));
8438+
8439+ old = atomic64_cmpxchg(v, c, new);
8440 if (likely(old == c))
8441 break;
8442 c = old;
8443 }
8444- return c != (u);
8445+ return c != u;
8446 }
8447
8448 /**
8449diff -urNp linux-2.6.32.48/arch/x86/include/asm/bitops.h linux-2.6.32.48/arch/x86/include/asm/bitops.h
8450--- linux-2.6.32.48/arch/x86/include/asm/bitops.h 2011-11-08 19:02:43.000000000 -0500
8451+++ linux-2.6.32.48/arch/x86/include/asm/bitops.h 2011-11-15 19:59:42.000000000 -0500
8452@@ -38,7 +38,7 @@
8453 * a mask operation on a byte.
8454 */
8455 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
8456-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
8457+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
8458 #define CONST_MASK(nr) (1 << ((nr) & 7))
8459
8460 /**
8461diff -urNp linux-2.6.32.48/arch/x86/include/asm/boot.h linux-2.6.32.48/arch/x86/include/asm/boot.h
8462--- linux-2.6.32.48/arch/x86/include/asm/boot.h 2011-11-08 19:02:43.000000000 -0500
8463+++ linux-2.6.32.48/arch/x86/include/asm/boot.h 2011-11-15 19:59:42.000000000 -0500
8464@@ -11,10 +11,15 @@
8465 #include <asm/pgtable_types.h>
8466
8467 /* Physical address where kernel should be loaded. */
8468-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8469+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
8470 + (CONFIG_PHYSICAL_ALIGN - 1)) \
8471 & ~(CONFIG_PHYSICAL_ALIGN - 1))
8472
8473+#ifndef __ASSEMBLY__
8474+extern unsigned char __LOAD_PHYSICAL_ADDR[];
8475+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
8476+#endif
8477+
8478 /* Minimum kernel alignment, as a power of two */
8479 #ifdef CONFIG_X86_64
8480 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
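Review bot: `LOAD_PHYSICAL_ADDR` is now defined only under `#ifndef __ASSEMBLY__` and expands to the address of a linker symbol, so it is no longer an integer constant expression and assembly sources lose the name entirely. Any `#if`, array bound or `.S` user of the old macro has to switch to `____LOAD_PHYSICAL_ADDR`; whether all of them do is outside this hunk. A comment above the new block would make the split explicit, e.g. `/* C code gets the link-time symbol; assembly and preprocessor arithmetic must use ____LOAD_PHYSICAL_ADDR */`.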
8481diff -urNp linux-2.6.32.48/arch/x86/include/asm/cacheflush.h linux-2.6.32.48/arch/x86/include/asm/cacheflush.h
8482--- linux-2.6.32.48/arch/x86/include/asm/cacheflush.h 2011-11-08 19:02:43.000000000 -0500
8483+++ linux-2.6.32.48/arch/x86/include/asm/cacheflush.h 2011-11-15 19:59:42.000000000 -0500
8484@@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
8485 static inline unsigned long get_page_memtype(struct page *pg)
8486 {
8487 if (!PageUncached(pg) && !PageWC(pg))
8488- return -1;
8489+ return ~0UL;
8490 else if (!PageUncached(pg) && PageWC(pg))
8491 return _PAGE_CACHE_WC;
8492 else if (PageUncached(pg) && !PageWC(pg))
8493@@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
8494 SetPageWC(pg);
8495 break;
8496 default:
8497- case -1:
8498+ case ~0UL:
8499 ClearPageUncached(pg);
8500 ClearPageWC(pg);
8501 break;
8502diff -urNp linux-2.6.32.48/arch/x86/include/asm/cache.h linux-2.6.32.48/arch/x86/include/asm/cache.h
8503--- linux-2.6.32.48/arch/x86/include/asm/cache.h 2011-11-08 19:02:43.000000000 -0500
8504+++ linux-2.6.32.48/arch/x86/include/asm/cache.h 2011-11-15 19:59:42.000000000 -0500
8505@@ -5,9 +5,10 @@
8506
8507 /* L1 cache line size */
8508 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
8509-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8510+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8511
8512 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
8513+#define __read_only __attribute__((__section__(".data.read_only")))
8514
8515 #ifdef CONFIG_X86_VSMP
8516 /* vSMP Internode cacheline shift */
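Review bot: `__read_only` is introduced without a comment, and the attribute alone only places the object in `.data.read_only`; nothing in this header makes that section read-only. The line deserves a note on what enforces the protection and how legitimate writers update such objects, e.g. `/* placed in .data.read_only; write only during init or inside pax_open_kernel()/pax_close_kernel() */`, to be confirmed against the linker script and page-table setup elsewhere in the patch. Separately, `_AC(1,UL)` changes the type of `L1_CACHE_BYTES` from int to unsigned long, which can alter signed comparisons and printk format specifiers in its users.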
8517diff -urNp linux-2.6.32.48/arch/x86/include/asm/calling.h linux-2.6.32.48/arch/x86/include/asm/calling.h
8518--- linux-2.6.32.48/arch/x86/include/asm/calling.h 2011-11-08 19:02:43.000000000 -0500
8519+++ linux-2.6.32.48/arch/x86/include/asm/calling.h 2011-11-15 19:59:42.000000000 -0500
8520@@ -52,32 +52,32 @@ For 32-bit we have the following convent
8521 * for assembly code:
8522 */
8523
8524-#define R15 0
8525-#define R14 8
8526-#define R13 16
8527-#define R12 24
8528-#define RBP 32
8529-#define RBX 40
8530+#define R15 (0)
8531+#define R14 (8)
8532+#define R13 (16)
8533+#define R12 (24)
8534+#define RBP (32)
8535+#define RBX (40)
8536
8537 /* arguments: interrupts/non tracing syscalls only save up to here: */
8538-#define R11 48
8539-#define R10 56
8540-#define R9 64
8541-#define R8 72
8542-#define RAX 80
8543-#define RCX 88
8544-#define RDX 96
8545-#define RSI 104
8546-#define RDI 112
8547-#define ORIG_RAX 120 /* + error_code */
8548+#define R11 (48)
8549+#define R10 (56)
8550+#define R9 (64)
8551+#define R8 (72)
8552+#define RAX (80)
8553+#define RCX (88)
8554+#define RDX (96)
8555+#define RSI (104)
8556+#define RDI (112)
8557+#define ORIG_RAX (120) /* + error_code */
8558 /* end of arguments */
8559
8560 /* cpu exception frame or undefined in case of fast syscall: */
8561-#define RIP 128
8562-#define CS 136
8563-#define EFLAGS 144
8564-#define RSP 152
8565-#define SS 160
8566+#define RIP (128)
8567+#define CS (136)
8568+#define EFLAGS (144)
8569+#define RSP (152)
8570+#define SS (160)
8571
8572 #define ARGOFFSET R11
8573 #define SWFRAME ORIG_RAX
8574diff -urNp linux-2.6.32.48/arch/x86/include/asm/checksum_32.h linux-2.6.32.48/arch/x86/include/asm/checksum_32.h
8575--- linux-2.6.32.48/arch/x86/include/asm/checksum_32.h 2011-11-08 19:02:43.000000000 -0500
8576+++ linux-2.6.32.48/arch/x86/include/asm/checksum_32.h 2011-11-15 19:59:42.000000000 -0500
8577@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
8578 int len, __wsum sum,
8579 int *src_err_ptr, int *dst_err_ptr);
8580
8581+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
8582+ int len, __wsum sum,
8583+ int *src_err_ptr, int *dst_err_ptr);
8584+
8585+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
8586+ int len, __wsum sum,
8587+ int *src_err_ptr, int *dst_err_ptr);
8588+
8589 /*
8590 * Note: when you get a NULL pointer exception here this means someone
8591 * passed in an incorrect kernel address to one of these functions.
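Review bot: The two new prototypes take plain `const void *src, void *dst`, so the user-space side of each copy carries no `__user` annotation and the callers below keep their `(__force void *)` casts. Declaring `const void __user *src` for `csum_partial_copy_generic_from_user` and `void __user *dst` for `csum_partial_copy_generic_to_user` would let sparse check the address space and make the copy direction obvious from the signature. A one-line comment on how each differs from `csum_partial_copy_generic` would also help, since the implementations are not in this header.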
8592@@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
8593 int *err_ptr)
8594 {
8595 might_sleep();
8596- return csum_partial_copy_generic((__force void *)src, dst,
8597+ return csum_partial_copy_generic_from_user((__force void *)src, dst,
8598 len, sum, err_ptr, NULL);
8599 }
8600
8601@@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
8602 {
8603 might_sleep();
8604 if (access_ok(VERIFY_WRITE, dst, len))
8605- return csum_partial_copy_generic(src, (__force void *)dst,
8606+ return csum_partial_copy_generic_to_user(src, (__force void *)dst,
8607 len, sum, NULL, err_ptr);
8608
8609 if (len)
8610diff -urNp linux-2.6.32.48/arch/x86/include/asm/desc_defs.h linux-2.6.32.48/arch/x86/include/asm/desc_defs.h
8611--- linux-2.6.32.48/arch/x86/include/asm/desc_defs.h 2011-11-08 19:02:43.000000000 -0500
8612+++ linux-2.6.32.48/arch/x86/include/asm/desc_defs.h 2011-11-15 19:59:42.000000000 -0500
8613@@ -31,6 +31,12 @@ struct desc_struct {
8614 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
8615 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
8616 };
8617+ struct {
8618+ u16 offset_low;
8619+ u16 seg;
8620+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
8621+ unsigned offset_high: 16;
8622+ } gate;
8623 };
8624 } __attribute__((packed));
8625
8626diff -urNp linux-2.6.32.48/arch/x86/include/asm/desc.h linux-2.6.32.48/arch/x86/include/asm/desc.h
8627--- linux-2.6.32.48/arch/x86/include/asm/desc.h 2011-11-08 19:02:43.000000000 -0500
8628+++ linux-2.6.32.48/arch/x86/include/asm/desc.h 2011-11-15 19:59:42.000000000 -0500
8629@@ -4,6 +4,7 @@
8630 #include <asm/desc_defs.h>
8631 #include <asm/ldt.h>
8632 #include <asm/mmu.h>
8633+#include <asm/pgtable.h>
8634 #include <linux/smp.h>
8635
8636 static inline void fill_ldt(struct desc_struct *desc,
8637@@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8638 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8639 desc->type = (info->read_exec_only ^ 1) << 1;
8640 desc->type |= info->contents << 2;
8641+ desc->type |= info->seg_not_present ^ 1;
8642 desc->s = 1;
8643 desc->dpl = 0x3;
8644 desc->p = info->seg_not_present ^ 1;
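Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field, the accessed bit, for every present descriptor, and the reason is not stated. Presumably this is so the CPU never has to write the accessed bit back into a descriptor table that may be mapped read-only; if so, say it: `/* pre-set the accessed bit so loading the segment does not write to the table */`. fill_ldt's body starts and ends outside the hunk.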
8645@@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8646 }
8647
8648 extern struct desc_ptr idt_descr;
8649-extern gate_desc idt_table[];
8650-
8651-struct gdt_page {
8652- struct desc_struct gdt[GDT_ENTRIES];
8653-} __attribute__((aligned(PAGE_SIZE)));
8654-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8655+extern gate_desc idt_table[256];
8656
8657+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8658 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8659 {
8660- return per_cpu(gdt_page, cpu).gdt;
8661+ return cpu_gdt_table[cpu];
8662 }
8663
8664 #ifdef CONFIG_X86_64
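Review bot: `cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)]` reserves one page per configured CPU at link time, and the `aligned(PAGE_SIZE)` guarantee carried by the removed `struct gdt_page` is no longer visible in the declaration. If the definition elsewhere is page-aligned, a comment here should state it, since write-protecting a GDT presumably depends on each table owning whole pages. `idt_table[256]` would read better as `idt_table[IDT_ENTRIES]`. `get_cpu_gdt_table()` now indexes a plain array with an unchecked `cpu`, which is worth a line in its comment about who guarantees the range.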
8665@@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8666 unsigned long base, unsigned dpl, unsigned flags,
8667 unsigned short seg)
8668 {
8669- gate->a = (seg << 16) | (base & 0xffff);
8670- gate->b = (base & 0xffff0000) |
8671- (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8672+ gate->gate.offset_low = base;
8673+ gate->gate.seg = seg;
8674+ gate->gate.reserved = 0;
8675+ gate->gate.type = type;
8676+ gate->gate.s = 0;
8677+ gate->gate.dpl = dpl;
8678+ gate->gate.p = 1;
8679+ gate->gate.offset_high = base >> 16;
8680 }
8681
8682 #endif
8683@@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8684 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8685 const gate_desc *gate)
8686 {
8687+ pax_open_kernel();
8688 memcpy(&idt[entry], gate, sizeof(*gate));
8689+ pax_close_kernel();
8690 }
8691
8692 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8693 const void *desc)
8694 {
8695+ pax_open_kernel();
8696 memcpy(&ldt[entry], desc, 8);
8697+ pax_close_kernel();
8698 }
8699
8700 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
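Review bot: The `pax_open_kernel()`/`pax_close_kernel()` brackets added around the `memcpy()` calls have no comment, and their contract (preemption, nesting, what exactly becomes writable) is defined in another header. Each bracket should say why it is there, e.g. `/* descriptor tables may be read-only; open a short write window */`, and the region between the two calls should stay as small as it is now. The same applies to the native_write_gdt_entry, native_load_tr_desc and native_load_tls hunks below. In native_load_tr_desc the protected operation is an `ltr`, which sets the busy bit in the TSS descriptor, and that is worth spelling out because no store is visible in the C code.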
8701@@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8702 size = sizeof(struct desc_struct);
8703 break;
8704 }
8705+
8706+ pax_open_kernel();
8707 memcpy(&gdt[entry], desc, size);
8708+ pax_close_kernel();
8709 }
8710
8711 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8712@@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8713
8714 static inline void native_load_tr_desc(void)
8715 {
8716+ pax_open_kernel();
8717 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8718+ pax_close_kernel();
8719 }
8720
8721 static inline void native_load_gdt(const struct desc_ptr *dtr)
8722@@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8723 unsigned int i;
8724 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8725
8726+ pax_open_kernel();
8727 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8728 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8729+ pax_close_kernel();
8730 }
8731
8732 #define _LDT_empty(info) \
8733@@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8734 desc->limit = (limit >> 16) & 0xf;
8735 }
8736
8737-static inline void _set_gate(int gate, unsigned type, void *addr,
8738+static inline void _set_gate(int gate, unsigned type, const void *addr,
8739 unsigned dpl, unsigned ist, unsigned seg)
8740 {
8741 gate_desc s;
8742@@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8743 * Pentium F0 0F bugfix can have resulted in the mapped
8744 * IDT being write-protected.
8745 */
8746-static inline void set_intr_gate(unsigned int n, void *addr)
8747+static inline void set_intr_gate(unsigned int n, const void *addr)
8748 {
8749 BUG_ON((unsigned)n > 0xFF);
8750 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8751@@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8752 /*
8753 * This routine sets up an interrupt gate at directory privilege level 3.
8754 */
8755-static inline void set_system_intr_gate(unsigned int n, void *addr)
8756+static inline void set_system_intr_gate(unsigned int n, const void *addr)
8757 {
8758 BUG_ON((unsigned)n > 0xFF);
8759 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8760 }
8761
8762-static inline void set_system_trap_gate(unsigned int n, void *addr)
8763+static inline void set_system_trap_gate(unsigned int n, const void *addr)
8764 {
8765 BUG_ON((unsigned)n > 0xFF);
8766 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8767 }
8768
8769-static inline void set_trap_gate(unsigned int n, void *addr)
8770+static inline void set_trap_gate(unsigned int n, const void *addr)
8771 {
8772 BUG_ON((unsigned)n > 0xFF);
8773 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8774@@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8775 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8776 {
8777 BUG_ON((unsigned)n > 0xFF);
8778- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8779+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8780 }
8781
8782-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8783+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8784 {
8785 BUG_ON((unsigned)n > 0xFF);
8786 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8787 }
8788
8789-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8790+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8791 {
8792 BUG_ON((unsigned)n > 0xFF);
8793 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8794 }
8795
8796+#ifdef CONFIG_X86_32
8797+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8798+{
8799+ struct desc_struct d;
8800+
8801+ if (likely(limit))
8802+ limit = (limit - 1UL) >> PAGE_SHIFT;
8803+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
8804+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8805+}
8806+#endif
8807+
8808 #endif /* _ASM_X86_DESC_H */
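Review bot: `set_user_cs` passes the bare constants `0xFB` and `0xC` to `pack_descriptor` and has no comment. As I read them, `0xFB` is a present, DPL 3, accessed, readable code segment and `0xC` sets the granularity and 32-bit default-size flags; a comment or named constants should record that. With page granularity a `limit` of 0 is left as 0 by `if (likely(limit))`, which still describes a 4 KiB segment rather than an empty one, so the intended meaning of `limit == 0` should be documented. `cpu` is passed unchecked to `get_cpu_gdt_table()`.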
8809diff -urNp linux-2.6.32.48/arch/x86/include/asm/device.h linux-2.6.32.48/arch/x86/include/asm/device.h
8810--- linux-2.6.32.48/arch/x86/include/asm/device.h 2011-11-08 19:02:43.000000000 -0500
8811+++ linux-2.6.32.48/arch/x86/include/asm/device.h 2011-11-15 19:59:42.000000000 -0500
8812@@ -6,7 +6,7 @@ struct dev_archdata {
8813 void *acpi_handle;
8814 #endif
8815 #ifdef CONFIG_X86_64
8816-struct dma_map_ops *dma_ops;
8817+ const struct dma_map_ops *dma_ops;
8818 #endif
8819 #ifdef CONFIG_DMAR
8820 void *iommu; /* hook for IOMMU specific extension */
8821diff -urNp linux-2.6.32.48/arch/x86/include/asm/dma-mapping.h linux-2.6.32.48/arch/x86/include/asm/dma-mapping.h
8822--- linux-2.6.32.48/arch/x86/include/asm/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
8823+++ linux-2.6.32.48/arch/x86/include/asm/dma-mapping.h 2011-11-15 19:59:42.000000000 -0500
8824@@ -25,9 +25,9 @@ extern int iommu_merge;
8825 extern struct device x86_dma_fallback_dev;
8826 extern int panic_on_overflow;
8827
8828-extern struct dma_map_ops *dma_ops;
8829+extern const struct dma_map_ops *dma_ops;
8830
8831-static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8832+static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8833 {
8834 #ifdef CONFIG_X86_32
8835 return dma_ops;
8836@@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8837 /* Make sure we keep the same behaviour */
8838 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8839 {
8840- struct dma_map_ops *ops = get_dma_ops(dev);
8841+ const struct dma_map_ops *ops = get_dma_ops(dev);
8842 if (ops->mapping_error)
8843 return ops->mapping_error(dev, dma_addr);
8844
8845@@ -122,7 +122,7 @@ static inline void *
8846 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8847 gfp_t gfp)
8848 {
8849- struct dma_map_ops *ops = get_dma_ops(dev);
8850+ const struct dma_map_ops *ops = get_dma_ops(dev);
8851 void *memory;
8852
8853 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8854@@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8855 static inline void dma_free_coherent(struct device *dev, size_t size,
8856 void *vaddr, dma_addr_t bus)
8857 {
8858- struct dma_map_ops *ops = get_dma_ops(dev);
8859+ const struct dma_map_ops *ops = get_dma_ops(dev);
8860
8861 WARN_ON(irqs_disabled()); /* for portability */
8862
8863diff -urNp linux-2.6.32.48/arch/x86/include/asm/e820.h linux-2.6.32.48/arch/x86/include/asm/e820.h
8864--- linux-2.6.32.48/arch/x86/include/asm/e820.h 2011-11-08 19:02:43.000000000 -0500
8865+++ linux-2.6.32.48/arch/x86/include/asm/e820.h 2011-11-15 19:59:42.000000000 -0500
8866@@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8867 #define ISA_END_ADDRESS 0x100000
8868 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8869
8870-#define BIOS_BEGIN 0x000a0000
8871+#define BIOS_BEGIN 0x000c0000
8872 #define BIOS_END 0x00100000
8873
8874 #ifdef __KERNEL__
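Review bot: The new BIOS_BEGIN value 0x000c0000 is an unexplained magic number. The define moves the start of the BIOS range up from 0x000a0000, so every user of BIOS_BEGIN now treats 0xa0000-0xbffff as outside it. Those users are not visible in this hunk, so whether that window ends up more or less restricted depends on how each one consumes the macro. I would add a comment on the define, for example `/* BIOS range starts above the legacy video window at 0xa0000-0xbffff */`, and name the feature that relies on the narrower range.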
8875diff -urNp linux-2.6.32.48/arch/x86/include/asm/elf.h linux-2.6.32.48/arch/x86/include/asm/elf.h
8876--- linux-2.6.32.48/arch/x86/include/asm/elf.h 2011-11-08 19:02:43.000000000 -0500
8877+++ linux-2.6.32.48/arch/x86/include/asm/elf.h 2011-11-15 19:59:42.000000000 -0500
8878@@ -257,7 +257,25 @@ extern int force_personality32;
8879 the loader. We need to make sure that it is out of the way of the program
8880 that it will "exec", and that there is sufficient room for the brk. */
8881
8882+#ifdef CONFIG_PAX_SEGMEXEC
8883+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8884+#else
8885 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8886+#endif
8887+
8888+#ifdef CONFIG_PAX_ASLR
8889+#ifdef CONFIG_X86_32
8890+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8891+
8892+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8893+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8894+#else
8895+#define PAX_ELF_ET_DYN_BASE 0x400000UL
8896+
8897+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8898+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8899+#endif
8900+#endif
8901
8902 /* This yields a mask that user programs can use to figure out what
8903 instruction set this CPU supports. This could be done in user space,
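Review bot: PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are defined as bare numbers (15, 16, or `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3`) with nothing saying what they count. They look like the number of randomized bits, in page units, for the mmap and stack bases, and the value is one lower when MF_PAX_SEGMEXEC is set; neither is stated here. A comment above the block would help anyone auditing the available entropy, e.g. `/* PAX_DELTA_*_LEN: presumably bits of randomization, in pages; one bit fewer under SEGMEXEC */`. The new ELF_ET_DYN_BASE also dereferences `current->mm`, so it is only usable where a user mm is attached, which deserves a mention in the same comment.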
8904@@ -310,9 +328,7 @@ do { \
8905
8906 #define ARCH_DLINFO \
8907 do { \
8908- if (vdso_enabled) \
8909- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8910- (unsigned long)current->mm->context.vdso); \
8911+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
8912 } while (0)
8913
8914 #define AT_SYSINFO 32
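Review bot: AT_SYSINFO_EHDR is now written to the aux vector whether or not the vDSO is enabled, because the `if (vdso_enabled)` guard is removed and nothing replaces it. If `current->mm->context.vdso` can be 0 at this point (not visible here), user space receives an AT_SYSINFO_EHDR entry of 0 and has to treat that as "no vDSO". Either test the value itself, `if (current->mm->context.vdso) \`, or add a comment on the macro stating that a zero entry is intended.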
8915@@ -323,7 +339,7 @@ do { \
8916
8917 #endif /* !CONFIG_X86_32 */
8918
8919-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8920+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8921
8922 #define VDSO_ENTRY \
8923 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8924@@ -337,7 +353,4 @@ extern int arch_setup_additional_pages(s
8925 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8926 #define compat_arch_setup_additional_pages syscall32_setup_pages
8927
8928-extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8929-#define arch_randomize_brk arch_randomize_brk
8930-
8931 #endif /* _ASM_X86_ELF_H */
8932diff -urNp linux-2.6.32.48/arch/x86/include/asm/emergency-restart.h linux-2.6.32.48/arch/x86/include/asm/emergency-restart.h
8933--- linux-2.6.32.48/arch/x86/include/asm/emergency-restart.h 2011-11-08 19:02:43.000000000 -0500
8934+++ linux-2.6.32.48/arch/x86/include/asm/emergency-restart.h 2011-11-15 19:59:42.000000000 -0500
8935@@ -15,6 +15,6 @@ enum reboot_type {
8936
8937 extern enum reboot_type reboot_type;
8938
8939-extern void machine_emergency_restart(void);
8940+extern void machine_emergency_restart(void) __noreturn;
8941
8942 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8943diff -urNp linux-2.6.32.48/arch/x86/include/asm/futex.h linux-2.6.32.48/arch/x86/include/asm/futex.h
8944--- linux-2.6.32.48/arch/x86/include/asm/futex.h 2011-11-08 19:02:43.000000000 -0500
8945+++ linux-2.6.32.48/arch/x86/include/asm/futex.h 2011-11-15 19:59:42.000000000 -0500
8946@@ -12,16 +12,18 @@
8947 #include <asm/system.h>
8948
8949 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8950+ typecheck(u32 __user *, uaddr); \
8951 asm volatile("1:\t" insn "\n" \
8952 "2:\t.section .fixup,\"ax\"\n" \
8953 "3:\tmov\t%3, %1\n" \
8954 "\tjmp\t2b\n" \
8955 "\t.previous\n" \
8956 _ASM_EXTABLE(1b, 3b) \
8957- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8958+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr))\
8959 : "i" (-EFAULT), "0" (oparg), "1" (0))
8960
8961 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8962+ typecheck(u32 __user *, uaddr); \
8963 asm volatile("1:\tmovl %2, %0\n" \
8964 "\tmovl\t%0, %3\n" \
8965 "\t" insn "\n" \
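Review bot: Adding `typecheck(u32 __user *, uaddr); \` as a separate statement in front of `asm volatile` makes __futex_atomic_op1 and __futex_atomic_op2 expand to two statements, so a use as the unbraced body of an `if` or `else` would guard only the typecheck. The call sites shown later in this file sit under `case` labels, where this is harmless, but the macros should be wrapped, e.g. `do { typecheck(u32 __user *, uaddr); asm volatile(...); } while (0)`. The body of __futex_atomic_op2 continues outside this hunk.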
8966@@ -34,10 +36,10 @@
8967 _ASM_EXTABLE(1b, 4b) \
8968 _ASM_EXTABLE(2b, 4b) \
8969 : "=&a" (oldval), "=&r" (ret), \
8970- "+m" (*uaddr), "=&r" (tem) \
8971+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
8972 : "r" (oparg), "i" (-EFAULT), "1" (0))
8973
8974-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8975+static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8976 {
8977 int op = (encoded_op >> 28) & 7;
8978 int cmp = (encoded_op >> 24) & 15;
8979@@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8980
8981 switch (op) {
8982 case FUTEX_OP_SET:
8983- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8984+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8985 break;
8986 case FUTEX_OP_ADD:
8987- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8988+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
8989 uaddr, oparg);
8990 break;
8991 case FUTEX_OP_OR:
8992@@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
8993 return ret;
8994 }
8995
8996-static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
8997+static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
8998 int newval)
8999 {
9000
9001@@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
9002 return -ENOSYS;
9003 #endif
9004
9005- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
9006+ if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
9007 return -EFAULT;
9008
9009- asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
9010+ asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
9011 "2:\t.section .fixup, \"ax\"\n"
9012 "3:\tmov %2, %0\n"
9013 "\tjmp 2b\n"
9014 "\t.previous\n"
9015 _ASM_EXTABLE(1b, 3b)
9016- : "=a" (oldval), "+m" (*uaddr)
9017+ : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
9018 : "i" (-EFAULT), "r" (newval), "0" (oldval)
9019 : "memory"
9020 );
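Review bot: The memory operand here is written `*(u32 *)____m(uaddr)`, without the `__user` annotation that the two macros earlier in this file use (`*(u32 __user *)____m(uaddr)`). The generated code is presumably the same, but the cast discards the address-space annotation that static checking relies on to catch direct userland dereferences. Write it as `: "=a" (oldval), "+m" (*(u32 __user *)____m(uaddr))`. futex_atomic_cmpxchg_inatomic starts in the previous hunk and ends outside this one.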
9021diff -urNp linux-2.6.32.48/arch/x86/include/asm/hw_irq.h linux-2.6.32.48/arch/x86/include/asm/hw_irq.h
9022--- linux-2.6.32.48/arch/x86/include/asm/hw_irq.h 2011-11-08 19:02:43.000000000 -0500
9023+++ linux-2.6.32.48/arch/x86/include/asm/hw_irq.h 2011-11-15 19:59:42.000000000 -0500
9024@@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
9025 extern void enable_IO_APIC(void);
9026
9027 /* Statistics */
9028-extern atomic_t irq_err_count;
9029-extern atomic_t irq_mis_count;
9030+extern atomic_unchecked_t irq_err_count;
9031+extern atomic_unchecked_t irq_mis_count;
9032
9033 /* EISA */
9034 extern void eisa_set_level_irq(unsigned int irq);
9035diff -urNp linux-2.6.32.48/arch/x86/include/asm/i387.h linux-2.6.32.48/arch/x86/include/asm/i387.h
9036--- linux-2.6.32.48/arch/x86/include/asm/i387.h 2011-11-08 19:02:43.000000000 -0500
9037+++ linux-2.6.32.48/arch/x86/include/asm/i387.h 2011-11-15 19:59:42.000000000 -0500
9038@@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
9039 {
9040 int err;
9041
9042+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9043+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9044+ fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
9045+#endif
9046+
9047 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
9048 "2:\n"
9049 ".section .fixup,\"ax\"\n"
9050@@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
9051 {
9052 int err;
9053
9054+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9055+ if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
9056+ fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
9057+#endif
9058+
9059 asm volatile("1: rex64/fxsave (%[fx])\n\t"
9060 "2:\n"
9061 ".section .fixup,\"ax\"\n"
9062@@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
9063 }
9064
9065 /* We need a safe address that is cheap to find and that is already
9066- in L1 during context switch. The best choices are unfortunately
9067- different for UP and SMP */
9068-#ifdef CONFIG_SMP
9069-#define safe_address (__per_cpu_offset[0])
9070-#else
9071-#define safe_address (kstat_cpu(0).cpustat.user)
9072-#endif
9073+ in L1 during context switch. */
9074+#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
9075
9076 /*
9077 * These must be called with preempt disabled
9078@@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
9079 struct thread_info *me = current_thread_info();
9080 preempt_disable();
9081 if (me->status & TS_USEDFPU)
9082- __save_init_fpu(me->task);
9083+ __save_init_fpu(current);
9084 else
9085 clts();
9086 }
9087diff -urNp linux-2.6.32.48/arch/x86/include/asm/io_32.h linux-2.6.32.48/arch/x86/include/asm/io_32.h
9088--- linux-2.6.32.48/arch/x86/include/asm/io_32.h 2011-11-08 19:02:43.000000000 -0500
9089+++ linux-2.6.32.48/arch/x86/include/asm/io_32.h 2011-11-15 19:59:42.000000000 -0500
9090@@ -3,6 +3,7 @@
9091
9092 #include <linux/string.h>
9093 #include <linux/compiler.h>
9094+#include <asm/processor.h>
9095
9096 /*
9097 * This file contains the definitions for the x86 IO instructions
9098@@ -42,6 +43,17 @@
9099
9100 #ifdef __KERNEL__
9101
9102+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9103+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9104+{
9105+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9106+}
9107+
9108+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9109+{
9110+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9111+}
9112+
9113 #include <asm-generic/iomap.h>
9114
9115 #include <linux/vmalloc.h>
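Review bot: The sum `addr + count + PAGE_SIZE - 1` in valid_phys_addr_range is computed in unsigned long and can wrap, so a range that runs past the top of the address space yields a small page number and passes the comparison; `pfn + (count >> PAGE_SHIFT)` in valid_mmap_phys_addr_range has the same problem. Whether callers bound these values beforehand is not visible in this hunk. Reject the wrap before comparing, e.g. `if (count > ULONG_MAX - addr) return 0;` as the first line of valid_phys_addr_range, with the equivalent test on pfn in the mmap variant. The same two functions are added to io_64.h in the next file section and need the same guard. The trailing `? 1 : 0` is redundant, since the comparison already yields 0 or 1.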
9116diff -urNp linux-2.6.32.48/arch/x86/include/asm/io_64.h linux-2.6.32.48/arch/x86/include/asm/io_64.h
9117--- linux-2.6.32.48/arch/x86/include/asm/io_64.h 2011-11-08 19:02:43.000000000 -0500
9118+++ linux-2.6.32.48/arch/x86/include/asm/io_64.h 2011-11-15 19:59:42.000000000 -0500
9119@@ -140,6 +140,17 @@ __OUTS(l)
9120
9121 #include <linux/vmalloc.h>
9122
9123+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
9124+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
9125+{
9126+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9127+}
9128+
9129+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
9130+{
9131+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
9132+}
9133+
9134 #include <asm-generic/iomap.h>
9135
9136 void __memcpy_fromio(void *, unsigned long, unsigned);
9137diff -urNp linux-2.6.32.48/arch/x86/include/asm/iommu.h linux-2.6.32.48/arch/x86/include/asm/iommu.h
9138--- linux-2.6.32.48/arch/x86/include/asm/iommu.h 2011-11-08 19:02:43.000000000 -0500
9139+++ linux-2.6.32.48/arch/x86/include/asm/iommu.h 2011-11-15 19:59:42.000000000 -0500
9140@@ -3,7 +3,7 @@
9141
9142 extern void pci_iommu_shutdown(void);
9143 extern void no_iommu_init(void);
9144-extern struct dma_map_ops nommu_dma_ops;
9145+extern const struct dma_map_ops nommu_dma_ops;
9146 extern int force_iommu, no_iommu;
9147 extern int iommu_detected;
9148 extern int iommu_pass_through;
9149diff -urNp linux-2.6.32.48/arch/x86/include/asm/irqflags.h linux-2.6.32.48/arch/x86/include/asm/irqflags.h
9150--- linux-2.6.32.48/arch/x86/include/asm/irqflags.h 2011-11-08 19:02:43.000000000 -0500
9151+++ linux-2.6.32.48/arch/x86/include/asm/irqflags.h 2011-11-15 19:59:42.000000000 -0500
9152@@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
9153 sti; \
9154 sysexit
9155
9156+#define GET_CR0_INTO_RDI mov %cr0, %rdi
9157+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
9158+#define GET_CR3_INTO_RDI mov %cr3, %rdi
9159+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
9160+
9161 #else
9162 #define INTERRUPT_RETURN iret
9163 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
9164diff -urNp linux-2.6.32.48/arch/x86/include/asm/kprobes.h linux-2.6.32.48/arch/x86/include/asm/kprobes.h
9165--- linux-2.6.32.48/arch/x86/include/asm/kprobes.h 2011-11-08 19:02:43.000000000 -0500
9166+++ linux-2.6.32.48/arch/x86/include/asm/kprobes.h 2011-11-15 19:59:42.000000000 -0500
9167@@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
9168 #define BREAKPOINT_INSTRUCTION 0xcc
9169 #define RELATIVEJUMP_INSTRUCTION 0xe9
9170 #define MAX_INSN_SIZE 16
9171-#define MAX_STACK_SIZE 64
9172-#define MIN_STACK_SIZE(ADDR) \
9173- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
9174- THREAD_SIZE - (unsigned long)(ADDR))) \
9175- ? (MAX_STACK_SIZE) \
9176- : (((unsigned long)current_thread_info()) + \
9177- THREAD_SIZE - (unsigned long)(ADDR)))
9178+#define MAX_STACK_SIZE 64UL
9179+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
9180
9181 #define flush_insn_slot(p) do { } while (0)
9182
9183diff -urNp linux-2.6.32.48/arch/x86/include/asm/kvm_host.h linux-2.6.32.48/arch/x86/include/asm/kvm_host.h
9184--- linux-2.6.32.48/arch/x86/include/asm/kvm_host.h 2011-11-08 19:02:43.000000000 -0500
9185+++ linux-2.6.32.48/arch/x86/include/asm/kvm_host.h 2011-11-15 19:59:42.000000000 -0500
9186@@ -534,9 +534,9 @@ struct kvm_x86_ops {
9187 bool (*gb_page_enable)(void);
9188
9189 const struct trace_print_flags *exit_reasons_str;
9190-};
9191+} __do_const;
9192
9193-extern struct kvm_x86_ops *kvm_x86_ops;
9194+extern const struct kvm_x86_ops *kvm_x86_ops;
9195
9196 int kvm_mmu_module_init(void);
9197 void kvm_mmu_module_exit(void);
9198diff -urNp linux-2.6.32.48/arch/x86/include/asm/local.h linux-2.6.32.48/arch/x86/include/asm/local.h
9199--- linux-2.6.32.48/arch/x86/include/asm/local.h 2011-11-08 19:02:43.000000000 -0500
9200+++ linux-2.6.32.48/arch/x86/include/asm/local.h 2011-11-15 19:59:42.000000000 -0500
9201@@ -18,26 +18,58 @@ typedef struct {
9202
9203 static inline void local_inc(local_t *l)
9204 {
9205- asm volatile(_ASM_INC "%0"
9206+ asm volatile(_ASM_INC "%0\n"
9207+
9208+#ifdef CONFIG_PAX_REFCOUNT
9209+ "jno 0f\n"
9210+ _ASM_DEC "%0\n"
9211+ "int $4\n0:\n"
9212+ _ASM_EXTABLE(0b, 0b)
9213+#endif
9214+
9215 : "+m" (l->a.counter));
9216 }
9217
9218 static inline void local_dec(local_t *l)
9219 {
9220- asm volatile(_ASM_DEC "%0"
9221+ asm volatile(_ASM_DEC "%0\n"
9222+
9223+#ifdef CONFIG_PAX_REFCOUNT
9224+ "jno 0f\n"
9225+ _ASM_INC "%0\n"
9226+ "int $4\n0:\n"
9227+ _ASM_EXTABLE(0b, 0b)
9228+#endif
9229+
9230 : "+m" (l->a.counter));
9231 }
9232
9233 static inline void local_add(long i, local_t *l)
9234 {
9235- asm volatile(_ASM_ADD "%1,%0"
9236+ asm volatile(_ASM_ADD "%1,%0\n"
9237+
9238+#ifdef CONFIG_PAX_REFCOUNT
9239+ "jno 0f\n"
9240+ _ASM_SUB "%1,%0\n"
9241+ "int $4\n0:\n"
9242+ _ASM_EXTABLE(0b, 0b)
9243+#endif
9244+
9245 : "+m" (l->a.counter)
9246 : "ir" (i));
9247 }
9248
9249 static inline void local_sub(long i, local_t *l)
9250 {
9251- asm volatile(_ASM_SUB "%1,%0"
9252+ asm volatile(_ASM_SUB "%1,%0\n"
9253+
9254+#ifdef CONFIG_PAX_REFCOUNT
9255+ "jno 0f\n"
9256+ _ASM_ADD "%1,%0\n"
9257+ "int $4\n0:\n"
9258+ _ASM_EXTABLE(0b, 0b)
9259+#endif
9260+
9261 : "+m" (l->a.counter)
9262 : "ir" (i));
9263 }
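Review bot: The CONFIG_PAX_REFCOUNT sequence added to each operation has no comment, so a reader has to decode it from the mnemonics. `jno 0f` skips ahead when the update did not set the overflow flag; otherwise the inverse instruction undoes the update, `int $4` raises the overflow trap, and `_ASM_EXTABLE(0b, 0b)` registers label 0 in the exception table. A one-line comment above the first use would do, e.g. `/* PAX_REFCOUNT: on signed overflow, undo the update and trap via int $4 */`. The same five lines are pasted into local_inc, local_dec, local_add and local_sub here and into the five functions in the following hunks of this file, differing only in the inverse instruction, so a single helper macro taking that instruction would keep the copies from drifting apart.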
9264@@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
9265 {
9266 unsigned char c;
9267
9268- asm volatile(_ASM_SUB "%2,%0; sete %1"
9269+ asm volatile(_ASM_SUB "%2,%0\n"
9270+
9271+#ifdef CONFIG_PAX_REFCOUNT
9272+ "jno 0f\n"
9273+ _ASM_ADD "%2,%0\n"
9274+ "int $4\n0:\n"
9275+ _ASM_EXTABLE(0b, 0b)
9276+#endif
9277+
9278+ "sete %1\n"
9279 : "+m" (l->a.counter), "=qm" (c)
9280 : "ir" (i) : "memory");
9281 return c;
9282@@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
9283 {
9284 unsigned char c;
9285
9286- asm volatile(_ASM_DEC "%0; sete %1"
9287+ asm volatile(_ASM_DEC "%0\n"
9288+
9289+#ifdef CONFIG_PAX_REFCOUNT
9290+ "jno 0f\n"
9291+ _ASM_INC "%0\n"
9292+ "int $4\n0:\n"
9293+ _ASM_EXTABLE(0b, 0b)
9294+#endif
9295+
9296+ "sete %1\n"
9297 : "+m" (l->a.counter), "=qm" (c)
9298 : : "memory");
9299 return c != 0;
9300@@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
9301 {
9302 unsigned char c;
9303
9304- asm volatile(_ASM_INC "%0; sete %1"
9305+ asm volatile(_ASM_INC "%0\n"
9306+
9307+#ifdef CONFIG_PAX_REFCOUNT
9308+ "jno 0f\n"
9309+ _ASM_DEC "%0\n"
9310+ "int $4\n0:\n"
9311+ _ASM_EXTABLE(0b, 0b)
9312+#endif
9313+
9314+ "sete %1\n"
9315 : "+m" (l->a.counter), "=qm" (c)
9316 : : "memory");
9317 return c != 0;
9318@@ -110,7 +169,16 @@ static inline int local_add_negative(lon
9319 {
9320 unsigned char c;
9321
9322- asm volatile(_ASM_ADD "%2,%0; sets %1"
9323+ asm volatile(_ASM_ADD "%2,%0\n"
9324+
9325+#ifdef CONFIG_PAX_REFCOUNT
9326+ "jno 0f\n"
9327+ _ASM_SUB "%2,%0\n"
9328+ "int $4\n0:\n"
9329+ _ASM_EXTABLE(0b, 0b)
9330+#endif
9331+
9332+ "sets %1\n"
9333 : "+m" (l->a.counter), "=qm" (c)
9334 : "ir" (i) : "memory");
9335 return c;
9336@@ -133,7 +201,15 @@ static inline long local_add_return(long
9337 #endif
9338 /* Modern 486+ processor */
9339 __i = i;
9340- asm volatile(_ASM_XADD "%0, %1;"
9341+ asm volatile(_ASM_XADD "%0, %1\n"
9342+
9343+#ifdef CONFIG_PAX_REFCOUNT
9344+ "jno 0f\n"
9345+ _ASM_MOV "%0,%1\n"
9346+ "int $4\n0:\n"
9347+ _ASM_EXTABLE(0b, 0b)
9348+#endif
9349+
9350 : "+r" (i), "+m" (l->a.counter)
9351 : : "memory");
9352 return i + __i;
9353diff -urNp linux-2.6.32.48/arch/x86/include/asm/microcode.h linux-2.6.32.48/arch/x86/include/asm/microcode.h
9354--- linux-2.6.32.48/arch/x86/include/asm/microcode.h 2011-11-08 19:02:43.000000000 -0500
9355+++ linux-2.6.32.48/arch/x86/include/asm/microcode.h 2011-11-15 19:59:42.000000000 -0500
9356@@ -12,13 +12,13 @@ struct device;
9357 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
9358
9359 struct microcode_ops {
9360- enum ucode_state (*request_microcode_user) (int cpu,
9361+ enum ucode_state (* const request_microcode_user) (int cpu,
9362 const void __user *buf, size_t size);
9363
9364- enum ucode_state (*request_microcode_fw) (int cpu,
9365+ enum ucode_state (* const request_microcode_fw) (int cpu,
9366 struct device *device);
9367
9368- void (*microcode_fini_cpu) (int cpu);
9369+ void (* const microcode_fini_cpu) (int cpu);
9370
9371 /*
9372 * The generic 'microcode_core' part guarantees that
9373@@ -38,18 +38,18 @@ struct ucode_cpu_info {
9374 extern struct ucode_cpu_info ucode_cpu_info[];
9375
9376 #ifdef CONFIG_MICROCODE_INTEL
9377-extern struct microcode_ops * __init init_intel_microcode(void);
9378+extern const struct microcode_ops * __init init_intel_microcode(void);
9379 #else
9380-static inline struct microcode_ops * __init init_intel_microcode(void)
9381+static inline const struct microcode_ops * __init init_intel_microcode(void)
9382 {
9383 return NULL;
9384 }
9385 #endif /* CONFIG_MICROCODE_INTEL */
9386
9387 #ifdef CONFIG_MICROCODE_AMD
9388-extern struct microcode_ops * __init init_amd_microcode(void);
9389+extern const struct microcode_ops * __init init_amd_microcode(void);
9390 #else
9391-static inline struct microcode_ops * __init init_amd_microcode(void)
9392+static inline const struct microcode_ops * __init init_amd_microcode(void)
9393 {
9394 return NULL;
9395 }
9396diff -urNp linux-2.6.32.48/arch/x86/include/asm/mman.h linux-2.6.32.48/arch/x86/include/asm/mman.h
9397--- linux-2.6.32.48/arch/x86/include/asm/mman.h 2011-11-08 19:02:43.000000000 -0500
9398+++ linux-2.6.32.48/arch/x86/include/asm/mman.h 2011-11-15 19:59:42.000000000 -0500
9399@@ -5,4 +5,14 @@
9400
9401 #include <asm-generic/mman.h>
9402
9403+#ifdef __KERNEL__
9404+#ifndef __ASSEMBLY__
9405+#ifdef CONFIG_X86_32
9406+#define arch_mmap_check i386_mmap_check
9407+int i386_mmap_check(unsigned long addr, unsigned long len,
9408+ unsigned long flags);
9409+#endif
9410+#endif
9411+#endif
9412+
9413 #endif /* _ASM_X86_MMAN_H */
9414diff -urNp linux-2.6.32.48/arch/x86/include/asm/mmu_context.h linux-2.6.32.48/arch/x86/include/asm/mmu_context.h
9415--- linux-2.6.32.48/arch/x86/include/asm/mmu_context.h 2011-11-08 19:02:43.000000000 -0500
9416+++ linux-2.6.32.48/arch/x86/include/asm/mmu_context.h 2011-11-15 19:59:42.000000000 -0500
9417@@ -24,6 +24,18 @@ void destroy_context(struct mm_struct *m
9418
9419 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
9420 {
9421+
9422+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9423+ unsigned int i;
9424+ pgd_t *pgd;
9425+
9426+ pax_open_kernel();
9427+ pgd = get_cpu_pgd(smp_processor_id());
9428+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
9429+ set_pgd_batched(pgd+i, native_make_pgd(0));
9430+ pax_close_kernel();
9431+#endif
9432+
9433 #ifdef CONFIG_SMP
9434 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
9435 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
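Review bot: `pgd = get_cpu_pgd(smp_processor_id());` sits between pax_open_kernel() and pax_close_kernel() although it only reads. If pax_open_kernel() opens a window in which otherwise protected kernel data is writable, as its name suggests, that window should cover the set_pgd_batched() loop and nothing else, so move the lookup above `pax_open_kernel();`. The block also needs a comment saying why entries USER_PGD_PTRS to 2 * USER_PGD_PTRS - 1 are cleared on entering lazy TLB mode, e.g. `/* UDEREF: drop the shadowed user pgd entries while no user mm is active — confirm */`. The added blank line directly after the opening brace can go. enter_lazy_tlb continues outside this hunk.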
9436@@ -34,16 +46,30 @@ static inline void switch_mm(struct mm_s
9437 struct task_struct *tsk)
9438 {
9439 unsigned cpu = smp_processor_id();
9440+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)) && defined(CONFIG_SMP)
9441+ int tlbstate = TLBSTATE_OK;
9442+#endif
9443
9444 if (likely(prev != next)) {
9445 #ifdef CONFIG_SMP
9446+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9447+ tlbstate = percpu_read(cpu_tlbstate.state);
9448+#endif
9449 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9450 percpu_write(cpu_tlbstate.active_mm, next);
9451 #endif
9452 cpumask_set_cpu(cpu, mm_cpumask(next));
9453
9454 /* Re-load page tables */
9455+#ifdef CONFIG_PAX_PER_CPU_PGD
9456+ pax_open_kernel();
9457+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9458+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9459+ pax_close_kernel();
9460+ load_cr3(get_cpu_pgd(cpu));
9461+#else
9462 load_cr3(next->pgd);
9463+#endif
9464
9465 /* stop flush ipis for the previous mm */
9466 cpumask_clear_cpu(cpu, mm_cpumask(prev));
9467@@ -53,9 +79,38 @@ static inline void switch_mm(struct mm_s
9468 */
9469 if (unlikely(prev->context.ldt != next->context.ldt))
9470 load_LDT_nolock(&next->context);
9471- }
9472+
9473+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9474+ if (!nx_enabled) {
9475+ smp_mb__before_clear_bit();
9476+ cpu_clear(cpu, prev->context.cpu_user_cs_mask);
9477+ smp_mb__after_clear_bit();
9478+ cpu_set(cpu, next->context.cpu_user_cs_mask);
9479+ }
9480+#endif
9481+
9482+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9483+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
9484+ prev->context.user_cs_limit != next->context.user_cs_limit))
9485+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9486 #ifdef CONFIG_SMP
9487+ else if (unlikely(tlbstate != TLBSTATE_OK))
9488+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9489+#endif
9490+#endif
9491+
9492+ }
9493 else {
9494+
9495+#ifdef CONFIG_PAX_PER_CPU_PGD
9496+ pax_open_kernel();
9497+ __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
9498+ __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
9499+ pax_close_kernel();
9500+ load_cr3(get_cpu_pgd(cpu));
9501+#endif
9502+
9503+#ifdef CONFIG_SMP
9504 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
9505 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
9506
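Review bot: The five-line CONFIG_PAX_PER_CPU_PGD block added to the else branch here is a verbatim copy of the one the previous hunk adds at the "Re-load page tables" site. It opens the kernel for writing, rebuilds the per-CPU pgd and reloads CR3, which is the kind of sequence where two copies must never diverge. I would move it into one static inline helper (the name below is only a suggestion), which also lets get_cpu_pgd(cpu) be evaluated once, outside the open/close window. The two set_user_cs() branches added earlier in this hunk make the identical call and could share one condition. switch_mm starts in the previous hunk and ends in the next one.
```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Refresh this CPU's private pgd from next->pgd, then switch CR3 to it. */
static inline void pax_load_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pgd_t *cpu_pgd = get_cpu_pgd(cpu);

	pax_open_kernel();
	__clone_user_pgds(cpu_pgd, next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(cpu_pgd + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(cpu_pgd);
}
#endif

/* … unchanged: switch_mm(); both PER_CPU_PGD sites become pax_load_cpu_pgd(cpu, next); … */
```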
9507@@ -64,11 +119,28 @@ static inline void switch_mm(struct mm_s
9508 * tlb flush IPI delivery. We must reload CR3
9509 * to make sure to use no freed page tables.
9510 */
9511+
9512+#ifndef CONFIG_PAX_PER_CPU_PGD
9513 load_cr3(next->pgd);
9514+#endif
9515+
9516 load_LDT_nolock(&next->context);
9517+
9518+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
9519+ if (!nx_enabled)
9520+ cpu_set(cpu, next->context.cpu_user_cs_mask);
9521+#endif
9522+
9523+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
9524+#ifdef CONFIG_PAX_PAGEEXEC
9525+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
9526+#endif
9527+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
9528+#endif
9529+
9530 }
9531- }
9532 #endif
9533+ }
9534 }
9535
9536 #define activate_mm(prev, next) \
9537diff -urNp linux-2.6.32.48/arch/x86/include/asm/mmu.h linux-2.6.32.48/arch/x86/include/asm/mmu.h
9538--- linux-2.6.32.48/arch/x86/include/asm/mmu.h 2011-11-08 19:02:43.000000000 -0500
9539+++ linux-2.6.32.48/arch/x86/include/asm/mmu.h 2011-11-15 19:59:42.000000000 -0500
9540@@ -9,10 +9,23 @@
9541 * we put the segment information here.
9542 */
9543 typedef struct {
9544- void *ldt;
9545+ struct desc_struct *ldt;
9546 int size;
9547 struct mutex lock;
9548- void *vdso;
9549+ unsigned long vdso;
9550+
9551+#ifdef CONFIG_X86_32
9552+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
9553+ unsigned long user_cs_base;
9554+ unsigned long user_cs_limit;
9555+
9556+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
9557+ cpumask_t cpu_user_cs_mask;
9558+#endif
9559+
9560+#endif
9561+#endif
9562+
9563 } mm_context_t;
9564
9565 #ifdef CONFIG_SMP
9566diff -urNp linux-2.6.32.48/arch/x86/include/asm/module.h linux-2.6.32.48/arch/x86/include/asm/module.h
9567--- linux-2.6.32.48/arch/x86/include/asm/module.h 2011-11-08 19:02:43.000000000 -0500
9568+++ linux-2.6.32.48/arch/x86/include/asm/module.h 2011-11-15 19:59:42.000000000 -0500
9569@@ -5,6 +5,7 @@
9570
9571 #ifdef CONFIG_X86_64
9572 /* X86_64 does not define MODULE_PROC_FAMILY */
9573+#define MODULE_PROC_FAMILY ""
9574 #elif defined CONFIG_M386
9575 #define MODULE_PROC_FAMILY "386 "
9576 #elif defined CONFIG_M486
9577@@ -59,13 +60,24 @@
9578 #error unknown processor family
9579 #endif
9580
9581-#ifdef CONFIG_X86_32
9582-# ifdef CONFIG_4KSTACKS
9583-# define MODULE_STACKSIZE "4KSTACKS "
9584-# else
9585-# define MODULE_STACKSIZE ""
9586-# endif
9587-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
9588+#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
9589+#define MODULE_STACKSIZE "4KSTACKS "
9590+#else
9591+#define MODULE_STACKSIZE ""
9592+#endif
9593+
9594+#ifdef CONFIG_PAX_KERNEXEC
9595+#define MODULE_PAX_KERNEXEC "KERNEXEC "
9596+#else
9597+#define MODULE_PAX_KERNEXEC ""
9598 #endif
9599
9600+#ifdef CONFIG_PAX_MEMORY_UDEREF
9601+#define MODULE_PAX_UDEREF "UDEREF "
9602+#else
9603+#define MODULE_PAX_UDEREF ""
9604+#endif
9605+
9606+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
9607+
9608 #endif /* _ASM_X86_MODULE_H */
9609diff -urNp linux-2.6.32.48/arch/x86/include/asm/page_64_types.h linux-2.6.32.48/arch/x86/include/asm/page_64_types.h
9610--- linux-2.6.32.48/arch/x86/include/asm/page_64_types.h 2011-11-08 19:02:43.000000000 -0500
9611+++ linux-2.6.32.48/arch/x86/include/asm/page_64_types.h 2011-11-15 19:59:42.000000000 -0500
9612@@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
9613
9614 /* duplicated to the one in bootmem.h */
9615 extern unsigned long max_pfn;
9616-extern unsigned long phys_base;
9617+extern const unsigned long phys_base;
9618
9619 extern unsigned long __phys_addr(unsigned long);
9620 #define __phys_reloc_hide(x) (x)
9621diff -urNp linux-2.6.32.48/arch/x86/include/asm/paravirt.h linux-2.6.32.48/arch/x86/include/asm/paravirt.h
9622--- linux-2.6.32.48/arch/x86/include/asm/paravirt.h 2011-11-08 19:02:43.000000000 -0500
9623+++ linux-2.6.32.48/arch/x86/include/asm/paravirt.h 2011-11-15 19:59:42.000000000 -0500
9624@@ -648,6 +648,18 @@ static inline void set_pgd(pgd_t *pgdp,
9625 val);
9626 }
9627
9628+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9629+{
9630+ pgdval_t val = native_pgd_val(pgd);
9631+
9632+ if (sizeof(pgdval_t) > sizeof(long))
9633+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
9634+ val, (u64)val >> 32);
9635+ else
9636+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
9637+ val);
9638+}
9639+
9640 static inline void pgd_clear(pgd_t *pgdp)
9641 {
9642 set_pgd(pgdp, __pgd(0));
9643@@ -729,6 +741,21 @@ static inline void __set_fixmap(unsigned
9644 pv_mmu_ops.set_fixmap(idx, phys, flags);
9645 }
9646
9647+#ifdef CONFIG_PAX_KERNEXEC
9648+static inline unsigned long pax_open_kernel(void)
9649+{
9650+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9651+}
9652+
9653+static inline unsigned long pax_close_kernel(void)
9654+{
9655+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9656+}
9657+#else
9658+static inline unsigned long pax_open_kernel(void) { return 0; }
9659+static inline unsigned long pax_close_kernel(void) { return 0; }
9660+#endif
9661+
9662 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9663
9664 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
9665@@ -945,7 +972,7 @@ extern void default_banner(void);
9666
9667 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9668 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9669-#define PARA_INDIRECT(addr) *%cs:addr
9670+#define PARA_INDIRECT(addr) *%ss:addr
9671 #endif
9672
9673 #define INTERRUPT_RETURN \
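Review bot: PARA_INDIRECT now uses an `%ss:` override instead of `%cs:` for every 32-bit paravirt indirect call and jump, with no comment and no config guard. Presumably the pv_*_ops tables can no longer be reached through the kernel code segment under KERNEXEC, but nothing in this hunk shows that. Add a comment on the define, e.g. `/* ops tables are data: reach them via %ss, since %cs may not cover them (confirm for KERNEXEC) */`, and state whether the change is meant to apply when CONFIG_PAX_KERNEXEC is off.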
9674@@ -1022,6 +1049,21 @@ extern void default_banner(void);
9675 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9676 CLBR_NONE, \
9677 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9678+
9679+#define GET_CR0_INTO_RDI \
9680+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9681+ mov %rax,%rdi
9682+
9683+#define SET_RDI_INTO_CR0 \
9684+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9685+
9686+#define GET_CR3_INTO_RDI \
9687+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9688+ mov %rax,%rdi
9689+
9690+#define SET_RDI_INTO_CR3 \
9691+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9692+
9693 #endif /* CONFIG_X86_32 */
9694
9695 #endif /* __ASSEMBLY__ */
9696diff -urNp linux-2.6.32.48/arch/x86/include/asm/paravirt_types.h linux-2.6.32.48/arch/x86/include/asm/paravirt_types.h
9697--- linux-2.6.32.48/arch/x86/include/asm/paravirt_types.h 2011-11-08 19:02:43.000000000 -0500
9698+++ linux-2.6.32.48/arch/x86/include/asm/paravirt_types.h 2011-11-15 19:59:42.000000000 -0500
9699@@ -78,19 +78,19 @@ struct pv_init_ops {
9700 */
9701 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
9702 unsigned long addr, unsigned len);
9703-};
9704+} __no_const;
9705
9706
9707 struct pv_lazy_ops {
9708 /* Set deferred update mode, used for batching operations. */
9709 void (*enter)(void);
9710 void (*leave)(void);
9711-};
9712+} __no_const;
9713
9714 struct pv_time_ops {
9715 unsigned long long (*sched_clock)(void);
9716 unsigned long (*get_tsc_khz)(void);
9717-};
9718+} __no_const;
9719
9720 struct pv_cpu_ops {
9721 /* hooks for various privileged instructions */
9722@@ -186,7 +186,7 @@ struct pv_cpu_ops {
9723
9724 void (*start_context_switch)(struct task_struct *prev);
9725 void (*end_context_switch)(struct task_struct *next);
9726-};
9727+} __no_const;
9728
9729 struct pv_irq_ops {
9730 /*
9731@@ -217,7 +217,7 @@ struct pv_apic_ops {
9732 unsigned long start_eip,
9733 unsigned long start_esp);
9734 #endif
9735-};
9736+} __no_const;
9737
9738 struct pv_mmu_ops {
9739 unsigned long (*read_cr2)(void);
9740@@ -301,6 +301,7 @@ struct pv_mmu_ops {
9741 struct paravirt_callee_save make_pud;
9742
9743 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
9744+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
9745 #endif /* PAGETABLE_LEVELS == 4 */
9746 #endif /* PAGETABLE_LEVELS >= 3 */
9747
9748@@ -316,6 +317,12 @@ struct pv_mmu_ops {
9749 an mfn. We can tell which is which from the index. */
9750 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9751 phys_addr_t phys, pgprot_t flags);
9752+
9753+#ifdef CONFIG_PAX_KERNEXEC
9754+ unsigned long (*pax_open_kernel)(void);
9755+ unsigned long (*pax_close_kernel)(void);
9756+#endif
9757+
9758 };
9759
9760 struct raw_spinlock;
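Review bot: The two new `pv_mmu_ops` hooks are added without a word on their contract, although every other group of members in this struct has a comment. Going by the native versions added to asm/pgtable.h later in this patch, open disables preemption and clears `CR0.WP`, close reverses both, and each returns the CR0 value from before its toggle; a paravirt backend filling these slots has to match that. I would add `/* toggle kernel write protection; must be paired, open returns with preemption disabled */` above them. The struct body starts outside this hunk.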
9761@@ -326,7 +333,7 @@ struct pv_lock_ops {
9762 void (*spin_lock_flags)(struct raw_spinlock *lock, unsigned long flags);
9763 int (*spin_trylock)(struct raw_spinlock *lock);
9764 void (*spin_unlock)(struct raw_spinlock *lock);
9765-};
9766+} __no_const;
9767
9768 /* This contains all the paravirt structures: we get a convenient
9769 * number for each function using the offset which we use to indicate
9770diff -urNp linux-2.6.32.48/arch/x86/include/asm/pci_x86.h linux-2.6.32.48/arch/x86/include/asm/pci_x86.h
9771--- linux-2.6.32.48/arch/x86/include/asm/pci_x86.h 2011-11-08 19:02:43.000000000 -0500
9772+++ linux-2.6.32.48/arch/x86/include/asm/pci_x86.h 2011-11-15 19:59:42.000000000 -0500
9773@@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9774 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9775
9776 struct pci_raw_ops {
9777- int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9778+ int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9779 int reg, int len, u32 *val);
9780- int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9781+ int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9782 int reg, int len, u32 val);
9783 };
9784
9785-extern struct pci_raw_ops *raw_pci_ops;
9786-extern struct pci_raw_ops *raw_pci_ext_ops;
9787+extern const struct pci_raw_ops *raw_pci_ops;
9788+extern const struct pci_raw_ops *raw_pci_ext_ops;
9789
9790-extern struct pci_raw_ops pci_direct_conf1;
9791+extern const struct pci_raw_ops pci_direct_conf1;
9792 extern bool port_cf9_safe;
9793
9794 /* arch_initcall level */
9795diff -urNp linux-2.6.32.48/arch/x86/include/asm/percpu.h linux-2.6.32.48/arch/x86/include/asm/percpu.h
9796--- linux-2.6.32.48/arch/x86/include/asm/percpu.h 2011-11-08 19:02:43.000000000 -0500
9797+++ linux-2.6.32.48/arch/x86/include/asm/percpu.h 2011-11-15 19:59:42.000000000 -0500
9798@@ -78,6 +78,7 @@ do { \
9799 if (0) { \
9800 T__ tmp__; \
9801 tmp__ = (val); \
9802+ (void)tmp__; \
9803 } \
9804 switch (sizeof(var)) { \
9805 case 1: \
9806diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgalloc.h linux-2.6.32.48/arch/x86/include/asm/pgalloc.h
9807--- linux-2.6.32.48/arch/x86/include/asm/pgalloc.h 2011-11-08 19:02:43.000000000 -0500
9808+++ linux-2.6.32.48/arch/x86/include/asm/pgalloc.h 2011-11-15 19:59:42.000000000 -0500
9809@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9810 pmd_t *pmd, pte_t *pte)
9811 {
9812 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9813+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9814+}
9815+
9816+static inline void pmd_populate_user(struct mm_struct *mm,
9817+ pmd_t *pmd, pte_t *pte)
9818+{
9819+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9820 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9821 }
9822
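Review bot: `pmd_populate_kernel()` and the new `pmd_populate_user()` now differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`, and neither says which callers belong to which. The distinction matters because picking the kernel variant for a user mapping drops `_PAGE_USER` from the pmd, and picking the user variant for a kernel mapping puts it back. A comment on each would do, for example `/* kernel page tables: no _PAGE_USER in the pmd */` and `/* user page tables: pmd carries _PAGE_USER */`. Existing callers that populate user page tables through `pmd_populate_kernel()` are outside this hunk and would need to be moved; the signature of `pmd_populate_kernel()` also starts outside the hunk.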
9823diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.48/arch/x86/include/asm/pgtable-2level.h
9824--- linux-2.6.32.48/arch/x86/include/asm/pgtable-2level.h 2011-11-08 19:02:43.000000000 -0500
9825+++ linux-2.6.32.48/arch/x86/include/asm/pgtable-2level.h 2011-11-15 19:59:42.000000000 -0500
9826@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9827
9828 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9829 {
9830+ pax_open_kernel();
9831 *pmdp = pmd;
9832+ pax_close_kernel();
9833 }
9834
9835 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
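Review bot: `native_set_pmd()` now opens the write window itself, which makes it unsafe to call from code that already holds the window open. `native_pax_open_kernel()` in asm/pgtable.h toggles `CR0.WP` with XOR and hits `BUG_ON` when the bit is already clear. The same applies to `native_set_pmd()`/`native_set_pud()` in pgtable-3level.h, `native_set_pmd()`/`native_set_pgd()` in pgtable_64.h and `kpte_clear_flush()` in pgtable_32.h. A short comment on each setter would keep later callers from nesting: `/* opens and closes the KERNEXEC write window; do not call with it already open */`.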
9836diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable_32.h linux-2.6.32.48/arch/x86/include/asm/pgtable_32.h
9837--- linux-2.6.32.48/arch/x86/include/asm/pgtable_32.h 2011-11-08 19:02:43.000000000 -0500
9838+++ linux-2.6.32.48/arch/x86/include/asm/pgtable_32.h 2011-11-15 19:59:42.000000000 -0500
9839@@ -26,9 +26,6 @@
9840 struct mm_struct;
9841 struct vm_area_struct;
9842
9843-extern pgd_t swapper_pg_dir[1024];
9844-extern pgd_t trampoline_pg_dir[1024];
9845-
9846 static inline void pgtable_cache_init(void) { }
9847 static inline void check_pgt_cache(void) { }
9848 void paging_init(void);
9849@@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9850 # include <asm/pgtable-2level.h>
9851 #endif
9852
9853+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9854+extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9855+#ifdef CONFIG_X86_PAE
9856+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9857+#endif
9858+
9859 #if defined(CONFIG_HIGHPTE)
9860 #define __KM_PTE \
9861 (in_nmi() ? KM_NMI_PTE : \
9862@@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9863 /* Clear a kernel PTE and flush it from the TLB */
9864 #define kpte_clear_flush(ptep, vaddr) \
9865 do { \
9866+ pax_open_kernel(); \
9867 pte_clear(&init_mm, (vaddr), (ptep)); \
9868+ pax_close_kernel(); \
9869 __flush_tlb_one((vaddr)); \
9870 } while (0)
9871
9872@@ -85,6 +90,9 @@ do { \
9873
9874 #endif /* !__ASSEMBLY__ */
9875
9876+#define HAVE_ARCH_UNMAPPED_AREA
9877+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9878+
9879 /*
9880 * kern_addr_valid() is (1) for FLATMEM and (0) for
9881 * SPARSEMEM and DISCONTIGMEM
9882diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.48/arch/x86/include/asm/pgtable_32_types.h
9883--- linux-2.6.32.48/arch/x86/include/asm/pgtable_32_types.h 2011-11-08 19:02:43.000000000 -0500
9884+++ linux-2.6.32.48/arch/x86/include/asm/pgtable_32_types.h 2011-11-15 19:59:42.000000000 -0500
9885@@ -8,7 +8,7 @@
9886 */
9887 #ifdef CONFIG_X86_PAE
9888 # include <asm/pgtable-3level_types.h>
9889-# define PMD_SIZE (1UL << PMD_SHIFT)
9890+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9891 # define PMD_MASK (~(PMD_SIZE - 1))
9892 #else
9893 # include <asm/pgtable-2level_types.h>
9894@@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9895 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9896 #endif
9897
9898+#ifdef CONFIG_PAX_KERNEXEC
9899+#ifndef __ASSEMBLY__
9900+extern unsigned char MODULES_EXEC_VADDR[];
9901+extern unsigned char MODULES_EXEC_END[];
9902+#endif
9903+#include <asm/boot.h>
9904+#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9905+#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9906+#else
9907+#define ktla_ktva(addr) (addr)
9908+#define ktva_ktla(addr) (addr)
9909+#endif
9910+
9911 #define MODULES_VADDR VMALLOC_START
9912 #define MODULES_END VMALLOC_END
9913 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
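Review bot: The KERNEXEC variants of `ktla_ktva()` and `ktva_ktla()` use their argument unparenthesised, so an argument containing a lower-precedence operator (a conditional, a shift, a bitwise or) is combined with the offsets in the wrong order. These macros translate kernel text addresses, so a silently wrong result ends up as a bad pointer. I would write them as `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The identity fallbacks in the `#else` branch are fine as they are.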
9914diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.48/arch/x86/include/asm/pgtable-3level.h
9915--- linux-2.6.32.48/arch/x86/include/asm/pgtable-3level.h 2011-11-08 19:02:43.000000000 -0500
9916+++ linux-2.6.32.48/arch/x86/include/asm/pgtable-3level.h 2011-11-15 19:59:42.000000000 -0500
9917@@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9918
9919 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9920 {
9921+ pax_open_kernel();
9922 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9923+ pax_close_kernel();
9924 }
9925
9926 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9927 {
9928+ pax_open_kernel();
9929 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9930+ pax_close_kernel();
9931 }
9932
9933 /*
9934diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable_64.h linux-2.6.32.48/arch/x86/include/asm/pgtable_64.h
9935--- linux-2.6.32.48/arch/x86/include/asm/pgtable_64.h 2011-11-08 19:02:43.000000000 -0500
9936+++ linux-2.6.32.48/arch/x86/include/asm/pgtable_64.h 2011-11-15 19:59:42.000000000 -0500
9937@@ -16,10 +16,13 @@
9938
9939 extern pud_t level3_kernel_pgt[512];
9940 extern pud_t level3_ident_pgt[512];
9941+extern pud_t level3_vmalloc_pgt[512];
9942+extern pud_t level3_vmemmap_pgt[512];
9943+extern pud_t level2_vmemmap_pgt[512];
9944 extern pmd_t level2_kernel_pgt[512];
9945 extern pmd_t level2_fixmap_pgt[512];
9946-extern pmd_t level2_ident_pgt[512];
9947-extern pgd_t init_level4_pgt[];
9948+extern pmd_t level2_ident_pgt[512*2];
9949+extern pgd_t init_level4_pgt[512];
9950
9951 #define swapper_pg_dir init_level4_pgt
9952
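Review bot: `level2_vmemmap_pgt` is declared as `pud_t`, while every other level-2 table in this block (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t`. The definition is not visible here, and if it lives in assembly the compiler cannot catch the mismatch. If it really is a pmd table, the declaration should be `extern pmd_t level2_vmemmap_pgt[512];`, otherwise C code indexing it gets the wrong entry type. The new explicit sizes (`512*2`, `init_level4_pgt[512]`) should also be checked against the definitions, since an `extern` bound that disagrees with the real object is not diagnosed either.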
9953@@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9954
9955 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9956 {
9957+ pax_open_kernel();
9958 *pmdp = pmd;
9959+ pax_close_kernel();
9960 }
9961
9962 static inline void native_pmd_clear(pmd_t *pmd)
9963@@ -94,6 +99,13 @@ static inline void native_pud_clear(pud_
9964
9965 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9966 {
9967+ pax_open_kernel();
9968+ *pgdp = pgd;
9969+ pax_close_kernel();
9970+}
9971+
9972+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
9973+{
9974 *pgdp = pgd;
9975 }
9976
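Review bot: `native_set_pgd_batched()` is the plain store that `native_set_pgd()` was before this change, and nothing states what a caller must do before using it. Going by the name, the caller is expected to bracket a run of stores with one `pax_open_kernel()`/`pax_close_kernel()` pair; called on its own against a write-protected page table it would fault. I would say so at the definition: `/* caller must hold the write window open (pax_open_kernel) around the batch */`.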
9977diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.48/arch/x86/include/asm/pgtable_64_types.h
9978--- linux-2.6.32.48/arch/x86/include/asm/pgtable_64_types.h 2011-11-08 19:02:43.000000000 -0500
9979+++ linux-2.6.32.48/arch/x86/include/asm/pgtable_64_types.h 2011-11-15 19:59:42.000000000 -0500
9980@@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9981 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9982 #define MODULES_END _AC(0xffffffffff000000, UL)
9983 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9984+#define MODULES_EXEC_VADDR MODULES_VADDR
9985+#define MODULES_EXEC_END MODULES_END
9986+
9987+#define ktla_ktva(addr) (addr)
9988+#define ktva_ktla(addr) (addr)
9989
9990 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
9991diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable.h linux-2.6.32.48/arch/x86/include/asm/pgtable.h
9992--- linux-2.6.32.48/arch/x86/include/asm/pgtable.h 2011-11-08 19:02:43.000000000 -0500
9993+++ linux-2.6.32.48/arch/x86/include/asm/pgtable.h 2011-11-15 19:59:42.000000000 -0500
9994@@ -39,6 +39,7 @@ extern struct list_head pgd_list;
9995
9996 #ifndef __PAGETABLE_PUD_FOLDED
9997 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
9998+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
9999 #define pgd_clear(pgd) native_pgd_clear(pgd)
10000 #endif
10001
10002@@ -74,12 +75,51 @@ extern struct list_head pgd_list;
10003
10004 #define arch_end_context_switch(prev) do {} while(0)
10005
10006+#define pax_open_kernel() native_pax_open_kernel()
10007+#define pax_close_kernel() native_pax_close_kernel()
10008 #endif /* CONFIG_PARAVIRT */
10009
10010+#define __HAVE_ARCH_PAX_OPEN_KERNEL
10011+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
10012+
10013+#ifdef CONFIG_PAX_KERNEXEC
10014+static inline unsigned long native_pax_open_kernel(void)
10015+{
10016+ unsigned long cr0;
10017+
10018+ preempt_disable();
10019+ barrier();
10020+ cr0 = read_cr0() ^ X86_CR0_WP;
10021+ BUG_ON(unlikely(cr0 & X86_CR0_WP));
10022+ write_cr0(cr0);
10023+ return cr0 ^ X86_CR0_WP;
10024+}
10025+
10026+static inline unsigned long native_pax_close_kernel(void)
10027+{
10028+ unsigned long cr0;
10029+
10030+ cr0 = read_cr0() ^ X86_CR0_WP;
10031+ BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
10032+ write_cr0(cr0);
10033+ barrier();
10034+ preempt_enable_no_resched();
10035+ return cr0 ^ X86_CR0_WP;
10036+}
10037+#else
10038+static inline unsigned long native_pax_open_kernel(void) { return 0; }
10039+static inline unsigned long native_pax_close_kernel(void) { return 0; }
10040+#endif
10041+
10042 /*
10043 * The following only work if pte_present() is true.
10044 * Undefined behaviour if not..
10045 */
10046+static inline int pte_user(pte_t pte)
10047+{
10048+ return pte_val(pte) & _PAGE_USER;
10049+}
10050+
10051 static inline int pte_dirty(pte_t pte)
10052 {
10053 return pte_flags(pte) & _PAGE_DIRTY;
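Review bot: `native_pax_close_kernel()` re-enables preemption with `preempt_enable_no_resched()`, so a reschedule that became pending while the window was open is not acted on until some later preemption point, and the function does not say whether that is intended. The pair also keeps interrupts enabled: only `preempt_disable()` is called, so an interrupt taken between open and close runs with `CR0.WP` clear on that CPU. Both properties are part of the security contract and belong in a comment above the pair, covering that the calls toggle rather than count, that interrupts stay on, and what the returned CR0 value is for (no caller visible in this patch section uses it). Separately, the new `pte_user()` tests `pte_val(pte)` where its neighbour `pte_dirty()` uses `pte_flags(pte)`; `return pte_flags(pte) & _PAGE_USER;` would match the file.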
10054@@ -167,9 +207,29 @@ static inline pte_t pte_wrprotect(pte_t
10055 return pte_clear_flags(pte, _PAGE_RW);
10056 }
10057
10058+static inline pte_t pte_mkread(pte_t pte)
10059+{
10060+ return __pte(pte_val(pte) | _PAGE_USER);
10061+}
10062+
10063 static inline pte_t pte_mkexec(pte_t pte)
10064 {
10065- return pte_clear_flags(pte, _PAGE_NX);
10066+#ifdef CONFIG_X86_PAE
10067+ if (__supported_pte_mask & _PAGE_NX)
10068+ return pte_clear_flags(pte, _PAGE_NX);
10069+ else
10070+#endif
10071+ return pte_set_flags(pte, _PAGE_USER);
10072+}
10073+
10074+static inline pte_t pte_exprotect(pte_t pte)
10075+{
10076+#ifdef CONFIG_X86_PAE
10077+ if (__supported_pte_mask & _PAGE_NX)
10078+ return pte_set_flags(pte, _PAGE_NX);
10079+ else
10080+#endif
10081+ return pte_clear_flags(pte, _PAGE_USER);
10082 }
10083
10084 static inline pte_t pte_mkdirty(pte_t pte)
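Review bot: The NX branch of `pte_mkexec()` and `pte_exprotect()` is compiled only under `CONFIG_X86_PAE`, which leaves 64-bit builds on the fallback that sets or clears `_PAGE_USER`. pgtable_types.h in this same patch tests `defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)` for the hardware NX bit, which suggests PAE is not defined on 64-bit. If this header is used there, `pte_mkexec()` would no longer clear `_PAGE_NX` and would mark the page user-accessible instead. Using the same condition, `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`, in both functions closes that; if 64-bit never calls them, a comment saying so would do. The `else` left dangling across the `#endif` can also go, since the branch before it returns.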
10085@@ -302,6 +362,15 @@ pte_t *populate_extra_pte(unsigned long
10086 #endif
10087
10088 #ifndef __ASSEMBLY__
10089+
10090+#ifdef CONFIG_PAX_PER_CPU_PGD
10091+extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
10092+static inline pgd_t *get_cpu_pgd(unsigned int cpu)
10093+{
10094+ return cpu_pgd[cpu];
10095+}
10096+#endif
10097+
10098 #include <linux/mm_types.h>
10099
10100 static inline int pte_none(pte_t pte)
10101@@ -472,7 +541,7 @@ static inline pud_t *pud_offset(pgd_t *p
10102
10103 static inline int pgd_bad(pgd_t pgd)
10104 {
10105- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
10106+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
10107 }
10108
10109 static inline int pgd_none(pgd_t pgd)
10110@@ -495,7 +564,12 @@ static inline int pgd_none(pgd_t pgd)
10111 * pgd_offset() returns a (pgd_t *)
10112 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
10113 */
10114-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
10115+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
10116+
10117+#ifdef CONFIG_PAX_PER_CPU_PGD
10118+#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
10119+#endif
10120+
10121 /*
10122 * a shortcut which implies the use of the kernel's pgd, instead
10123 * of a process's
10124@@ -506,6 +580,20 @@ static inline int pgd_none(pgd_t pgd)
10125 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
10126 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
10127
10128+#ifdef CONFIG_X86_32
10129+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
10130+#else
10131+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
10132+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
10133+
10134+#ifdef CONFIG_PAX_MEMORY_UDEREF
10135+#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
10136+#else
10137+#define PAX_USER_SHADOW_BASE (_AC(0,UL))
10138+#endif
10139+
10140+#endif
10141+
10142 #ifndef __ASSEMBLY__
10143
10144 extern int direct_gbpages;
10145@@ -611,11 +699,23 @@ static inline void ptep_set_wrprotect(st
10146 * dst and src can be on the same page, but the range must not overlap,
10147 * and must not cross a page boundary.
10148 */
10149-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
10150+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
10151 {
10152- memcpy(dst, src, count * sizeof(pgd_t));
10153+ pax_open_kernel();
10154+ while (count--)
10155+ *dst++ = *src++;
10156+ pax_close_kernel();
10157 }
10158
10159+#ifdef CONFIG_PAX_PER_CPU_PGD
10160+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10161+#endif
10162+
10163+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10164+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
10165+#else
10166+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
10167+#endif
10168
10169 #include <asm-generic/pgtable.h>
10170 #endif /* __ASSEMBLY__ */
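Review bot: The copy loop in `clone_pgd_range()` is `while (count--)` on a signed `int`, so a negative `count` does not terminate at zero and keeps storing through `dst` while kernel write protection is lifted. The old `memcpy` was no better with a negative count, but the new form runs inside the `pax_open_kernel()` window, where a runaway store is not stopped by read-only mappings. `while (count-- > 0)` costs nothing and bounds it. The comment above the function starts outside the hunk and still describes the `memcpy` constraints, which continue to hold for the element-wise copy.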
10171diff -urNp linux-2.6.32.48/arch/x86/include/asm/pgtable_types.h linux-2.6.32.48/arch/x86/include/asm/pgtable_types.h
10172--- linux-2.6.32.48/arch/x86/include/asm/pgtable_types.h 2011-11-08 19:02:43.000000000 -0500
10173+++ linux-2.6.32.48/arch/x86/include/asm/pgtable_types.h 2011-11-15 19:59:42.000000000 -0500
10174@@ -16,12 +16,11 @@
10175 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
10176 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
10177 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
10178-#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
10179+#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
10180 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
10181 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
10182 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
10183-#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
10184-#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
10185+#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
10186 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
10187
10188 /* If _PAGE_BIT_PRESENT is clear, we use these: */
10189@@ -39,7 +38,6 @@
10190 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
10191 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
10192 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
10193-#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
10194 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
10195 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
10196 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
10197@@ -55,8 +53,10 @@
10198
10199 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
10200 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
10201-#else
10202+#elif defined(CONFIG_KMEMCHECK)
10203 #define _PAGE_NX (_AT(pteval_t, 0))
10204+#else
10205+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
10206 #endif
10207
10208 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
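Review bot: On 32-bit non-PAE builds without kmemcheck, `_PAGE_NX` now becomes bit `_PAGE_BIT_HIDDEN` (11), a software bit, yet the only description of NX in this file is still "No execute: only valid after cpuid check" on `_PAGE_BIT_NX`. A reader of the new `#else` branch cannot tell that this value is a marker the hardware ignores, or why `CONFIG_KMEMCHECK` gets the zero definition (presumably because kmemcheck owns bit 11). I would add `/* software-only NX marker on non-PAE; shares bit 11 with kmemcheck's HIDDEN, hence the #elif */`. Code that needs to know whether NX is enforced by hardware still has to consult `__supported_pte_mask`, as `pte_mkexec()` in pgtable.h does.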
10209@@ -93,6 +93,9 @@
10210 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
10211 _PAGE_ACCESSED)
10212
10213+#define PAGE_READONLY_NOEXEC PAGE_READONLY
10214+#define PAGE_SHARED_NOEXEC PAGE_SHARED
10215+
10216 #define __PAGE_KERNEL_EXEC \
10217 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
10218 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
10219@@ -103,8 +106,8 @@
10220 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
10221 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
10222 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
10223-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
10224-#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
10225+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
10226+#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
10227 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
10228 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
10229 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
10230@@ -163,8 +166,8 @@
10231 * bits are combined, this will alow user to access the high address mapped
10232 * VDSO in the presence of CONFIG_COMPAT_VDSO
10233 */
10234-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
10235-#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
10236+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10237+#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
10238 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
10239 #endif
10240
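Review bot: The comment kept above these defines still explains that the attribute bits are chosen so user space can reach the high-mapped VDSO under `CONFIG_COMPAT_VDSO`, but the new `PDE_IDENT_ATTR` (0x063) no longer contains USER. Dropping USER from the early identity mappings is the safer setting, so the comment is what should change. It should say that USER is deliberately absent and what that means for `CONFIG_COMPAT_VDSO` (unsupported, or handled elsewhere). The comment begins outside this hunk.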
10241@@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
10242 {
10243 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
10244 }
10245+#endif
10246
10247+#if PAGETABLE_LEVELS == 3
10248+#include <asm-generic/pgtable-nopud.h>
10249+#endif
10250+
10251+#if PAGETABLE_LEVELS == 2
10252+#include <asm-generic/pgtable-nopmd.h>
10253+#endif
10254+
10255+#ifndef __ASSEMBLY__
10256 #if PAGETABLE_LEVELS > 3
10257 typedef struct { pudval_t pud; } pud_t;
10258
10259@@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
10260 return pud.pud;
10261 }
10262 #else
10263-#include <asm-generic/pgtable-nopud.h>
10264-
10265 static inline pudval_t native_pud_val(pud_t pud)
10266 {
10267 return native_pgd_val(pud.pgd);
10268@@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
10269 return pmd.pmd;
10270 }
10271 #else
10272-#include <asm-generic/pgtable-nopmd.h>
10273-
10274 static inline pmdval_t native_pmd_val(pmd_t pmd)
10275 {
10276 return native_pgd_val(pmd.pud.pgd);
10277@@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
10278
10279 extern pteval_t __supported_pte_mask;
10280 extern void set_nx(void);
10281+
10282+#ifdef CONFIG_X86_32
10283+#ifdef CONFIG_X86_PAE
10284 extern int nx_enabled;
10285+#else
10286+#define nx_enabled (0)
10287+#endif
10288+#else
10289+#define nx_enabled (1)
10290+#endif
10291
10292 #define pgprot_writecombine pgprot_writecombine
10293 extern pgprot_t pgprot_writecombine(pgprot_t prot);
10294diff -urNp linux-2.6.32.48/arch/x86/include/asm/processor.h linux-2.6.32.48/arch/x86/include/asm/processor.h
10295--- linux-2.6.32.48/arch/x86/include/asm/processor.h 2011-11-08 19:02:43.000000000 -0500
10296+++ linux-2.6.32.48/arch/x86/include/asm/processor.h 2011-11-15 19:59:42.000000000 -0500
10297@@ -272,7 +272,7 @@ struct tss_struct {
10298
10299 } ____cacheline_aligned;
10300
10301-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
10302+extern struct tss_struct init_tss[NR_CPUS];
10303
10304 /*
10305 * Save the original ist values for checking stack pointers during debugging
10306@@ -911,11 +911,18 @@ static inline void spin_lock_prefetch(co
10307 */
10308 #define TASK_SIZE PAGE_OFFSET
10309 #define TASK_SIZE_MAX TASK_SIZE
10310+
10311+#ifdef CONFIG_PAX_SEGMEXEC
10312+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
10313+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
10314+#else
10315 #define STACK_TOP TASK_SIZE
10316-#define STACK_TOP_MAX STACK_TOP
10317+#endif
10318+
10319+#define STACK_TOP_MAX TASK_SIZE
10320
10321 #define INIT_THREAD { \
10322- .sp0 = sizeof(init_stack) + (long)&init_stack, \
10323+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10324 .vm86_info = NULL, \
10325 .sysenter_cs = __KERNEL_CS, \
10326 .io_bitmap_ptr = NULL, \
10327@@ -929,7 +936,7 @@ static inline void spin_lock_prefetch(co
10328 */
10329 #define INIT_TSS { \
10330 .x86_tss = { \
10331- .sp0 = sizeof(init_stack) + (long)&init_stack, \
10332+ .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
10333 .ss0 = __KERNEL_DS, \
10334 .ss1 = __KERNEL_CS, \
10335 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
10336@@ -940,11 +947,7 @@ static inline void spin_lock_prefetch(co
10337 extern unsigned long thread_saved_pc(struct task_struct *tsk);
10338
10339 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
10340-#define KSTK_TOP(info) \
10341-({ \
10342- unsigned long *__ptr = (unsigned long *)(info); \
10343- (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
10344-})
10345+#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
10346
10347 /*
10348 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
10349@@ -959,7 +962,7 @@ extern unsigned long thread_saved_pc(str
10350 #define task_pt_regs(task) \
10351 ({ \
10352 struct pt_regs *__regs__; \
10353- __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
10354+ __regs__ = (struct pt_regs *)((task)->thread.sp0); \
10355 __regs__ - 1; \
10356 })
10357
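Review bot: `task_pt_regs()` now trusts `thread.sp0` to already include the 8-byte reserve that the old expression subtracted itself, and this hunk cannot show that every writer of `sp0` does so. `INIT_THREAD` and `INIT_TSS` earlier in this file were adjusted (`- 8`), but the assignments made when a task is forked or switched are outside this section. Any one that still stores the bare stack top moves `pt_regs` by 8 bytes for that task. The comment just above the macro ("The below -8 is to reserve 8 bytes...") also refers to a subtraction that is no longer below it, and should point at the `sp0` initialisers instead.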
10358@@ -969,13 +972,13 @@ extern unsigned long thread_saved_pc(str
10359 /*
10360 * User space process size. 47bits minus one guard page.
10361 */
10362-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
10363+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
10364
10365 /* This decides where the kernel will search for a free chunk of vm
10366 * space during mmap's.
10367 */
10368 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
10369- 0xc0000000 : 0xFFFFe000)
10370+ 0xc0000000 : 0xFFFFf000)
10371
10372 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
10373 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
10374@@ -986,11 +989,11 @@ extern unsigned long thread_saved_pc(str
10375 #define STACK_TOP_MAX TASK_SIZE_MAX
10376
10377 #define INIT_THREAD { \
10378- .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10379+ .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10380 }
10381
10382 #define INIT_TSS { \
10383- .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
10384+ .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
10385 }
10386
10387 /*
10388@@ -1012,6 +1015,10 @@ extern void start_thread(struct pt_regs
10389 */
10390 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
10391
10392+#ifdef CONFIG_PAX_SEGMEXEC
10393+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
10394+#endif
10395+
10396 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
10397
10398 /* Get/set a process' ability to use the timestamp counter instruction */
10399diff -urNp linux-2.6.32.48/arch/x86/include/asm/ptrace.h linux-2.6.32.48/arch/x86/include/asm/ptrace.h
10400--- linux-2.6.32.48/arch/x86/include/asm/ptrace.h 2011-11-08 19:02:43.000000000 -0500
10401+++ linux-2.6.32.48/arch/x86/include/asm/ptrace.h 2011-11-15 19:59:42.000000000 -0500
10402@@ -151,28 +151,29 @@ static inline unsigned long regs_return_
10403 }
10404
10405 /*
10406- * user_mode_vm(regs) determines whether a register set came from user mode.
10407+ * user_mode(regs) determines whether a register set came from user mode.
10408 * This is true if V8086 mode was enabled OR if the register set was from
10409 * protected mode with RPL-3 CS value. This tricky test checks that with
10410 * one comparison. Many places in the kernel can bypass this full check
10411- * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
10412+ * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
10413+ * be used.
10414 */
10415-static inline int user_mode(struct pt_regs *regs)
10416+static inline int user_mode_novm(struct pt_regs *regs)
10417 {
10418 #ifdef CONFIG_X86_32
10419 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
10420 #else
10421- return !!(regs->cs & 3);
10422+ return !!(regs->cs & SEGMENT_RPL_MASK);
10423 #endif
10424 }
10425
10426-static inline int user_mode_vm(struct pt_regs *regs)
10427+static inline int user_mode(struct pt_regs *regs)
10428 {
10429 #ifdef CONFIG_X86_32
10430 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
10431 USER_RPL;
10432 #else
10433- return user_mode(regs);
10434+ return user_mode_novm(regs);
10435 #endif
10436 }
10437
10438diff -urNp linux-2.6.32.48/arch/x86/include/asm/reboot.h linux-2.6.32.48/arch/x86/include/asm/reboot.h
10439--- linux-2.6.32.48/arch/x86/include/asm/reboot.h 2011-11-08 19:02:43.000000000 -0500
10440+++ linux-2.6.32.48/arch/x86/include/asm/reboot.h 2011-11-15 19:59:42.000000000 -0500
10441@@ -6,19 +6,19 @@
10442 struct pt_regs;
10443
10444 struct machine_ops {
10445- void (*restart)(char *cmd);
10446- void (*halt)(void);
10447- void (*power_off)(void);
10448+ void (* __noreturn restart)(char *cmd);
10449+ void (* __noreturn halt)(void);
10450+ void (* __noreturn power_off)(void);
10451 void (*shutdown)(void);
10452 void (*crash_shutdown)(struct pt_regs *);
10453- void (*emergency_restart)(void);
10454-};
10455+ void (* __noreturn emergency_restart)(void);
10456+} __no_const;
10457
10458 extern struct machine_ops machine_ops;
10459
10460 void native_machine_crash_shutdown(struct pt_regs *regs);
10461 void native_machine_shutdown(void);
10462-void machine_real_restart(const unsigned char *code, int length);
10463+void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
10464
10465 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
10466 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
10467diff -urNp linux-2.6.32.48/arch/x86/include/asm/rwsem.h linux-2.6.32.48/arch/x86/include/asm/rwsem.h
10468--- linux-2.6.32.48/arch/x86/include/asm/rwsem.h 2011-11-08 19:02:43.000000000 -0500
10469+++ linux-2.6.32.48/arch/x86/include/asm/rwsem.h 2011-11-15 19:59:42.000000000 -0500
10470@@ -118,6 +118,14 @@ static inline void __down_read(struct rw
10471 {
10472 asm volatile("# beginning down_read\n\t"
10473 LOCK_PREFIX _ASM_INC "(%1)\n\t"
10474+
10475+#ifdef CONFIG_PAX_REFCOUNT
10476+ "jno 0f\n"
10477+ LOCK_PREFIX _ASM_DEC "(%1)\n\t"
10478+ "int $4\n0:\n"
10479+ _ASM_EXTABLE(0b, 0b)
10480+#endif
10481+
10482 /* adds 0x00000001, returns the old value */
10483 " jns 1f\n"
10484 " call call_rwsem_down_read_failed\n"
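Review bot: Once the overflow path has run, the `jns 1f` after label `0:` tests the flags left by the rollback `dec`, not by the original `inc`, and nothing in the hunk says what the code after `0:` may assume. Whether execution resumes at `0:` at all depends on the `int $4` handler, which is not part of this hunk. If it does resume, the restored count looks like an uncontended acquire although no reader was added. A comment would settle it, for example `/* overflow: undo the inc and raise #OF; on resume the flags come from the rollback */`. The asm statement starts and ends outside the hunk.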
10485@@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
10486 "1:\n\t"
10487 " mov %1,%2\n\t"
10488 " add %3,%2\n\t"
10489+
10490+#ifdef CONFIG_PAX_REFCOUNT
10491+ "jno 0f\n"
10492+ "sub %3,%2\n"
10493+ "int $4\n0:\n"
10494+ _ASM_EXTABLE(0b, 0b)
10495+#endif
10496+
10497 " jle 2f\n\t"
10498 LOCK_PREFIX " cmpxchg %2,%0\n\t"
10499 " jnz 1b\n\t"
10500@@ -160,6 +176,14 @@ static inline void __down_write_nested(s
10501 tmp = RWSEM_ACTIVE_WRITE_BIAS;
10502 asm volatile("# beginning down_write\n\t"
10503 LOCK_PREFIX " xadd %1,(%2)\n\t"
10504+
10505+#ifdef CONFIG_PAX_REFCOUNT
10506+ "jno 0f\n"
10507+ "mov %1,(%2)\n"
10508+ "int $4\n0:\n"
10509+ _ASM_EXTABLE(0b, 0b)
10510+#endif
10511+
10512 /* subtract 0x0000ffff, returns the old value */
10513 " test %1,%1\n\t"
10514 /* was the count 0 before? */
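Review bot: The overflow rollback after `lock xadd` is a plain `mov %1,(%2)`, so it is not atomic with the xadd, and an update another CPU makes to the count between the two instructions is overwritten. `__downgrade_write()` and `rwsem_atomic_add()` in this file roll back with a LOCKed `sub`, while the same unlocked `mov` is used in `__up_read()`, `__up_write()` and `rwsem_atomic_update()`. If losing a concurrent update is accepted because an overflow is treated as fatal for the offending task, that should be stated where it happens: `/* overflow: restore the old count (not atomic with the xadd), then raise #OF */`. The asm statement extends past the hunk.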
10515@@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
10516 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
10517 asm volatile("# beginning __up_read\n\t"
10518 LOCK_PREFIX " xadd %1,(%2)\n\t"
10519+
10520+#ifdef CONFIG_PAX_REFCOUNT
10521+ "jno 0f\n"
10522+ "mov %1,(%2)\n"
10523+ "int $4\n0:\n"
10524+ _ASM_EXTABLE(0b, 0b)
10525+#endif
10526+
10527 /* subtracts 1, returns the old value */
10528 " jns 1f\n\t"
10529 " call call_rwsem_wake\n"
10530@@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
10531 rwsem_count_t tmp;
10532 asm volatile("# beginning __up_write\n\t"
10533 LOCK_PREFIX " xadd %1,(%2)\n\t"
10534+
10535+#ifdef CONFIG_PAX_REFCOUNT
10536+ "jno 0f\n"
10537+ "mov %1,(%2)\n"
10538+ "int $4\n0:\n"
10539+ _ASM_EXTABLE(0b, 0b)
10540+#endif
10541+
10542 /* tries to transition
10543 0xffff0001 -> 0x00000000 */
10544 " jz 1f\n"
10545@@ -234,6 +274,14 @@ static inline void __downgrade_write(str
10546 {
10547 asm volatile("# beginning __downgrade_write\n\t"
10548 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
10549+
10550+#ifdef CONFIG_PAX_REFCOUNT
10551+ "jno 0f\n"
10552+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
10553+ "int $4\n0:\n"
10554+ _ASM_EXTABLE(0b, 0b)
10555+#endif
10556+
10557 /*
10558 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
10559 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
10560@@ -253,7 +301,15 @@ static inline void __downgrade_write(str
10561 static inline void rwsem_atomic_add(rwsem_count_t delta,
10562 struct rw_semaphore *sem)
10563 {
10564- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
10565+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
10566+
10567+#ifdef CONFIG_PAX_REFCOUNT
10568+ "jno 0f\n"
10569+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
10570+ "int $4\n0:\n"
10571+ _ASM_EXTABLE(0b, 0b)
10572+#endif
10573+
10574 : "+m" (sem->count)
10575 : "er" (delta));
10576 }
10577@@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
10578 {
10579 rwsem_count_t tmp = delta;
10580
10581- asm volatile(LOCK_PREFIX "xadd %0,%1"
10582+ asm volatile(LOCK_PREFIX "xadd %0,%1\n"
10583+
10584+#ifdef CONFIG_PAX_REFCOUNT
10585+ "jno 0f\n"
10586+ "mov %0,%1\n"
10587+ "int $4\n0:\n"
10588+ _ASM_EXTABLE(0b, 0b)
10589+#endif
10590+
10591 : "+r" (tmp), "+m" (sem->count)
10592 : : "memory");
10593
10594diff -urNp linux-2.6.32.48/arch/x86/include/asm/segment.h linux-2.6.32.48/arch/x86/include/asm/segment.h
10595--- linux-2.6.32.48/arch/x86/include/asm/segment.h 2011-11-08 19:02:43.000000000 -0500
10596+++ linux-2.6.32.48/arch/x86/include/asm/segment.h 2011-11-15 19:59:42.000000000 -0500
10597@@ -62,10 +62,15 @@
10598 * 26 - ESPFIX small SS
10599 * 27 - per-cpu [ offset to per-cpu data area ]
10600 * 28 - stack_canary-20 [ for stack protector ]
10601- * 29 - unused
10602- * 30 - unused
10603+ * 29 - PCI BIOS CS
10604+ * 30 - PCI BIOS DS
10605 * 31 - TSS for double fault handler
10606 */
10607+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
10608+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
10609+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
10610+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
10611+
10612 #define GDT_ENTRY_TLS_MIN 6
10613 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
10614
10615@@ -77,6 +82,8 @@
10616
10617 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
10618
10619+#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
10620+
10621 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
10622
10623 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
10624@@ -88,7 +95,7 @@
10625 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
10626 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
10627
10628-#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10629+#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
10630 #ifdef CONFIG_SMP
10631 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
10632 #else
10633@@ -102,6 +109,12 @@
10634 #define __KERNEL_STACK_CANARY 0
10635 #endif
10636
10637+#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
10638+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
10639+
10640+#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
10641+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
10642+
10643 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
10644
10645 /*
10646@@ -139,7 +152,7 @@
10647 */
10648
10649 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
10650-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
10651+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
10652
10653
10654 #else
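Review bot: The comment above `SEGMENT_IS_PNP_CODE` still says the two selectors "must be consecutive", but the new expression compares against `PNP_CS32` and `PNP_CS16` individually, so that requirement no longer comes from this macro. The rewritten macro also expands `(x)` twice, so an argument with side effects would be evaluated twice. I would reword the comment to `/* Matches PNP_CS32 and PNP_CS16; the low two (RPL) bits are ignored */` and note there that `x` must be free of side effects.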
10655@@ -163,6 +176,8 @@
10656 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
10657 #define __USER32_DS __USER_DS
10658
10659+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
10660+
10661 #define GDT_ENTRY_TSS 8 /* needs two entries */
10662 #define GDT_ENTRY_LDT 10 /* needs two entries */
10663 #define GDT_ENTRY_TLS_MIN 12
10664@@ -183,6 +198,7 @@
10665 #endif
10666
10667 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
10668+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
10669 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
10670 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
10671 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
10672diff -urNp linux-2.6.32.48/arch/x86/include/asm/smp.h linux-2.6.32.48/arch/x86/include/asm/smp.h
10673--- linux-2.6.32.48/arch/x86/include/asm/smp.h 2011-11-08 19:02:43.000000000 -0500
10674+++ linux-2.6.32.48/arch/x86/include/asm/smp.h 2011-11-15 19:59:42.000000000 -0500
10675@@ -24,7 +24,7 @@ extern unsigned int num_processors;
10676 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
10677 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
10678 DECLARE_PER_CPU(u16, cpu_llc_id);
10679-DECLARE_PER_CPU(int, cpu_number);
10680+DECLARE_PER_CPU(unsigned int, cpu_number);
10681
10682 static inline struct cpumask *cpu_sibling_mask(int cpu)
10683 {
10684@@ -40,10 +40,7 @@ DECLARE_EARLY_PER_CPU(u16, x86_cpu_to_ap
10685 DECLARE_EARLY_PER_CPU(u16, x86_bios_cpu_apicid);
10686
10687 /* Static state in head.S used to set up a CPU */
10688-extern struct {
10689- void *sp;
10690- unsigned short ss;
10691-} stack_start;
10692+extern unsigned long stack_start; /* Initial stack pointer address */
10693
10694 struct smp_ops {
10695 void (*smp_prepare_boot_cpu)(void);
10696@@ -60,7 +57,7 @@ struct smp_ops {
10697
10698 void (*send_call_func_ipi)(const struct cpumask *mask);
10699 void (*send_call_func_single_ipi)(int cpu);
10700-};
10701+} __no_const;
10702
10703 /* Globals due to paravirt */
10704 extern void set_cpu_sibling_map(int cpu);
10705@@ -175,14 +172,8 @@ extern unsigned disabled_cpus __cpuinitd
10706 extern int safe_smp_processor_id(void);
10707
10708 #elif defined(CONFIG_X86_64_SMP)
10709-#define raw_smp_processor_id() (percpu_read(cpu_number))
10710-
10711-#define stack_smp_processor_id() \
10712-({ \
10713- struct thread_info *ti; \
10714- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
10715- ti->cpu; \
10716-})
10717+#define raw_smp_processor_id() (percpu_read(cpu_number))
10718+#define stack_smp_processor_id() raw_smp_processor_id()
10719 #define safe_smp_processor_id() smp_processor_id()
10720
10721 #endif
10722diff -urNp linux-2.6.32.48/arch/x86/include/asm/spinlock.h linux-2.6.32.48/arch/x86/include/asm/spinlock.h
10723--- linux-2.6.32.48/arch/x86/include/asm/spinlock.h 2011-11-08 19:02:43.000000000 -0500
10724+++ linux-2.6.32.48/arch/x86/include/asm/spinlock.h 2011-11-15 19:59:42.000000000 -0500
10725@@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
10726 static inline void __raw_read_lock(raw_rwlock_t *rw)
10727 {
10728 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
10729+
10730+#ifdef CONFIG_PAX_REFCOUNT
10731+ "jno 0f\n"
10732+ LOCK_PREFIX " addl $1,(%0)\n"
10733+ "int $4\n0:\n"
10734+ _ASM_EXTABLE(0b, 0b)
10735+#endif
10736+
10737 "jns 1f\n"
10738 "call __read_lock_failed\n\t"
10739 "1:\n"
10740@@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
10741 static inline void __raw_write_lock(raw_rwlock_t *rw)
10742 {
10743 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
10744+
10745+#ifdef CONFIG_PAX_REFCOUNT
10746+ "jno 0f\n"
10747+ LOCK_PREFIX " addl %1,(%0)\n"
10748+ "int $4\n0:\n"
10749+ _ASM_EXTABLE(0b, 0b)
10750+#endif
10751+
10752 "jz 1f\n"
10753 "call __write_lock_failed\n\t"
10754 "1:\n"
10755@@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10756
10757 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10758 {
10759- asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10760+ asm volatile(LOCK_PREFIX "incl %0\n"
10761+
10762+#ifdef CONFIG_PAX_REFCOUNT
10763+ "jno 0f\n"
10764+ LOCK_PREFIX "decl %0\n"
10765+ "int $4\n0:\n"
10766+ _ASM_EXTABLE(0b, 0b)
10767+#endif
10768+
10769+ :"+m" (rw->lock) : : "memory");
10770 }
10771
10772 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10773 {
10774- asm volatile(LOCK_PREFIX "addl %1, %0"
10775+ asm volatile(LOCK_PREFIX "addl %1, %0\n"
10776+
10777+#ifdef CONFIG_PAX_REFCOUNT
10778+ "jno 0f\n"
10779+ LOCK_PREFIX "subl %1, %0\n"
10780+ "int $4\n0:\n"
10781+ _ASM_EXTABLE(0b, 0b)
10782+#endif
10783+
10784 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10785 }
10786
10787diff -urNp linux-2.6.32.48/arch/x86/include/asm/stackprotector.h linux-2.6.32.48/arch/x86/include/asm/stackprotector.h
10788--- linux-2.6.32.48/arch/x86/include/asm/stackprotector.h 2011-11-08 19:02:43.000000000 -0500
10789+++ linux-2.6.32.48/arch/x86/include/asm/stackprotector.h 2011-11-15 19:59:42.000000000 -0500
10790@@ -48,7 +48,7 @@
10791 * head_32 for boot CPU and setup_per_cpu_areas() for others.
10792 */
10793 #define GDT_STACK_CANARY_INIT \
10794- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
10795+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
10796
10797 /*
10798 * Initialize the stackprotector canary value.
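Review bot: The limit in `GDT_STACK_CANARY_INIT` changes from `0x18` to `0x17` with no comment saying why, and a bare magic number like this is easy to revert by mistake. A descriptor limit is the last valid offset, and the GDT table in segment.h describes this entry as `stack_canary-20`, so presumably the intent is that the 4-byte canary at offset 20 ends exactly at the limit. A one-line comment above the macro such as `/* limit 0x17: last valid byte of the canary at offsets 20..23 */` would record that.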
10799@@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10800
10801 static inline void load_stack_canary_segment(void)
10802 {
10803-#ifdef CONFIG_X86_32
10804+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10805 asm volatile ("mov %0, %%gs" : : "r" (0));
10806 #endif
10807 }
10808diff -urNp linux-2.6.32.48/arch/x86/include/asm/system.h linux-2.6.32.48/arch/x86/include/asm/system.h
10809--- linux-2.6.32.48/arch/x86/include/asm/system.h 2011-11-08 19:02:43.000000000 -0500
10810+++ linux-2.6.32.48/arch/x86/include/asm/system.h 2011-11-15 19:59:42.000000000 -0500
10811@@ -132,7 +132,7 @@ do { \
10812 "thread_return:\n\t" \
10813 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10814 __switch_canary \
10815- "movq %P[thread_info](%%rsi),%%r8\n\t" \
10816+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10817 "movq %%rax,%%rdi\n\t" \
10818 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10819 "jnz ret_from_fork\n\t" \
10820@@ -143,7 +143,7 @@ do { \
10821 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10822 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10823 [_tif_fork] "i" (_TIF_FORK), \
10824- [thread_info] "i" (offsetof(struct task_struct, stack)), \
10825+ [thread_info] "m" (per_cpu_var(current_tinfo)), \
10826 [current_task] "m" (per_cpu_var(current_task)) \
10827 __switch_canary_iparam \
10828 : "memory", "cc" __EXTRA_CLOBBER)
10829@@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10830 {
10831 unsigned long __limit;
10832 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10833- return __limit + 1;
10834+ return __limit;
10835 }
10836
10837 static inline void native_clts(void)
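Review bot: `get_limit()` now returns the raw `lsll` result instead of `__limit + 1`, which changes its meaning from a size to the last valid offset, and nothing in the hunk records that. Its callers are outside this hunk, so any that still treat the result as a byte count would be off by one and should be checked against the new contract. A comment on the function, e.g. `/* returns the segment limit (last valid offset), not the segment size */`, would make the contract explicit. The function's signature is visible only in the hunk header.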
10838@@ -340,12 +340,12 @@ void enable_hlt(void);
10839
10840 void cpu_idle_wait(void);
10841
10842-extern unsigned long arch_align_stack(unsigned long sp);
10843+#define arch_align_stack(x) ((x) & ~0xfUL)
10844 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10845
10846 void default_idle(void);
10847
10848-void stop_this_cpu(void *dummy);
10849+void stop_this_cpu(void *dummy) __noreturn;
10850
10851 /*
10852 * Force strict CPU ordering.
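Review bot: `arch_align_stack` becomes an untyped macro, `#define arch_align_stack(x) ((x) & ~0xfUL)`, where the removed declaration took and returned `unsigned long`. Writing it as `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` should generate the same code while keeping the type check on the argument. If the macro form is needed for an include-order reason, a short comment saying so would help.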
10853diff -urNp linux-2.6.32.48/arch/x86/include/asm/thread_info.h linux-2.6.32.48/arch/x86/include/asm/thread_info.h
10854--- linux-2.6.32.48/arch/x86/include/asm/thread_info.h 2011-11-08 19:02:43.000000000 -0500
10855+++ linux-2.6.32.48/arch/x86/include/asm/thread_info.h 2011-11-15 19:59:42.000000000 -0500
10856@@ -10,6 +10,7 @@
10857 #include <linux/compiler.h>
10858 #include <asm/page.h>
10859 #include <asm/types.h>
10860+#include <asm/percpu.h>
10861
10862 /*
10863 * low level task data that entry.S needs immediate access to
10864@@ -24,7 +25,6 @@ struct exec_domain;
10865 #include <asm/atomic.h>
10866
10867 struct thread_info {
10868- struct task_struct *task; /* main task structure */
10869 struct exec_domain *exec_domain; /* execution domain */
10870 __u32 flags; /* low level flags */
10871 __u32 status; /* thread synchronous flags */
10872@@ -34,18 +34,12 @@ struct thread_info {
10873 mm_segment_t addr_limit;
10874 struct restart_block restart_block;
10875 void __user *sysenter_return;
10876-#ifdef CONFIG_X86_32
10877- unsigned long previous_esp; /* ESP of the previous stack in
10878- case of nested (IRQ) stacks
10879- */
10880- __u8 supervisor_stack[0];
10881-#endif
10882+ unsigned long lowest_stack;
10883 int uaccess_err;
10884 };
10885
10886-#define INIT_THREAD_INFO(tsk) \
10887+#define INIT_THREAD_INFO \
10888 { \
10889- .task = &tsk, \
10890 .exec_domain = &default_exec_domain, \
10891 .flags = 0, \
10892 .cpu = 0, \
10893@@ -56,7 +50,7 @@ struct thread_info {
10894 }, \
10895 }
10896
10897-#define init_thread_info (init_thread_union.thread_info)
10898+#define init_thread_info (init_thread_union.stack)
10899 #define init_stack (init_thread_union.stack)
10900
10901 #else /* !__ASSEMBLY__ */
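Review bot: After this change `init_thread_info` and `init_stack` expand to the same expression, `(init_thread_union.stack)`, so `init_thread_info` no longer names a `struct thread_info`. Any remaining user that reaches a member through it is not visible here and would either stop compiling or, behind a cast, touch the initial stack instead. If the name is kept only for compatibility, a comment such as `/* alias of init_stack; thread_info is reached via task_thread_info() */` would make that clear; otherwise dropping the macro is cleaner.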
10902@@ -163,6 +157,23 @@ struct thread_info {
10903 #define alloc_thread_info(tsk) \
10904 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10905
10906+#ifdef __ASSEMBLY__
10907+/* how to get the thread information struct from ASM */
10908+#define GET_THREAD_INFO(reg) \
10909+ mov PER_CPU_VAR(current_tinfo), reg
10910+
10911+/* use this one if reg already contains %esp */
10912+#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10913+#else
10914+/* how to get the thread information struct from C */
10915+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10916+
10917+static __always_inline struct thread_info *current_thread_info(void)
10918+{
10919+ return percpu_read_stable(current_tinfo);
10920+}
10921+#endif
10922+
10923 #ifdef CONFIG_X86_32
10924
10925 #define STACK_WARN (THREAD_SIZE/8)
10926@@ -173,35 +184,13 @@ struct thread_info {
10927 */
10928 #ifndef __ASSEMBLY__
10929
10930-
10931 /* how to get the current stack pointer from C */
10932 register unsigned long current_stack_pointer asm("esp") __used;
10933
10934-/* how to get the thread information struct from C */
10935-static inline struct thread_info *current_thread_info(void)
10936-{
10937- return (struct thread_info *)
10938- (current_stack_pointer & ~(THREAD_SIZE - 1));
10939-}
10940-
10941-#else /* !__ASSEMBLY__ */
10942-
10943-/* how to get the thread information struct from ASM */
10944-#define GET_THREAD_INFO(reg) \
10945- movl $-THREAD_SIZE, reg; \
10946- andl %esp, reg
10947-
10948-/* use this one if reg already contains %esp */
10949-#define GET_THREAD_INFO_WITH_ESP(reg) \
10950- andl $-THREAD_SIZE, reg
10951-
10952 #endif
10953
10954 #else /* X86_32 */
10955
10956-#include <asm/percpu.h>
10957-#define KERNEL_STACK_OFFSET (5*8)
10958-
10959 /*
10960 * macros/functions for gaining access to the thread information structure
10961 * preempt_count needs to be 1 initially, until the scheduler is functional.
10962@@ -209,21 +198,8 @@ static inline struct thread_info *curren
10963 #ifndef __ASSEMBLY__
10964 DECLARE_PER_CPU(unsigned long, kernel_stack);
10965
10966-static inline struct thread_info *current_thread_info(void)
10967-{
10968- struct thread_info *ti;
10969- ti = (void *)(percpu_read_stable(kernel_stack) +
10970- KERNEL_STACK_OFFSET - THREAD_SIZE);
10971- return ti;
10972-}
10973-
10974-#else /* !__ASSEMBLY__ */
10975-
10976-/* how to get the thread information struct from ASM */
10977-#define GET_THREAD_INFO(reg) \
10978- movq PER_CPU_VAR(kernel_stack),reg ; \
10979- subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10980-
10981+/* how to get the current stack pointer from C */
10982+register unsigned long current_stack_pointer asm("rsp") __used;
10983 #endif
10984
10985 #endif /* !X86_32 */
10986@@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10987 extern void free_thread_info(struct thread_info *ti);
10988 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
10989 #define arch_task_cache_init arch_task_cache_init
10990+
10991+#define __HAVE_THREAD_FUNCTIONS
10992+#define task_thread_info(task) (&(task)->tinfo)
10993+#define task_stack_page(task) ((task)->stack)
10994+#define setup_thread_stack(p, org) do {} while (0)
10995+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
10996+
10997+#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
10998+extern struct task_struct *alloc_task_struct(void);
10999+extern void free_task_struct(struct task_struct *);
11000+
11001 #endif
11002 #endif /* _ASM_X86_THREAD_INFO_H */
11003diff -urNp linux-2.6.32.48/arch/x86/include/asm/uaccess_32.h linux-2.6.32.48/arch/x86/include/asm/uaccess_32.h
11004--- linux-2.6.32.48/arch/x86/include/asm/uaccess_32.h 2011-11-08 19:02:43.000000000 -0500
11005+++ linux-2.6.32.48/arch/x86/include/asm/uaccess_32.h 2011-11-15 19:59:42.000000000 -0500
11006@@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
11007 static __always_inline unsigned long __must_check
11008 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
11009 {
11010+ pax_track_stack();
11011+
11012+ if ((long)n < 0)
11013+ return n;
11014+
11015 if (__builtin_constant_p(n)) {
11016 unsigned long ret;
11017
11018@@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
11019 return ret;
11020 }
11021 }
11022+ if (!__builtin_constant_p(n))
11023+ check_object_size(from, n, true);
11024 return __copy_to_user_ll(to, from, n);
11025 }
11026
11027@@ -83,12 +90,16 @@ static __always_inline unsigned long __m
11028 __copy_to_user(void __user *to, const void *from, unsigned long n)
11029 {
11030 might_fault();
11031+
11032 return __copy_to_user_inatomic(to, from, n);
11033 }
11034
11035 static __always_inline unsigned long
11036 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
11037 {
11038+ if ((long)n < 0)
11039+ return n;
11040+
11041 /* Avoid zeroing the tail if the copy fails..
11042 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
11043 * but as the zeroing behaviour is only significant when n is not
11044@@ -138,6 +149,12 @@ static __always_inline unsigned long
11045 __copy_from_user(void *to, const void __user *from, unsigned long n)
11046 {
11047 might_fault();
11048+
11049+ pax_track_stack();
11050+
11051+ if ((long)n < 0)
11052+ return n;
11053+
11054 if (__builtin_constant_p(n)) {
11055 unsigned long ret;
11056
11057@@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
11058 return ret;
11059 }
11060 }
11061+ if (!__builtin_constant_p(n))
11062+ check_object_size(to, n, false);
11063 return __copy_from_user_ll(to, from, n);
11064 }
11065
11066@@ -160,6 +179,10 @@ static __always_inline unsigned long __c
11067 const void __user *from, unsigned long n)
11068 {
11069 might_fault();
11070+
11071+ if ((long)n < 0)
11072+ return n;
11073+
11074 if (__builtin_constant_p(n)) {
11075 unsigned long ret;
11076
11077@@ -182,14 +205,62 @@ static __always_inline unsigned long
11078 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
11079 unsigned long n)
11080 {
11081- return __copy_from_user_ll_nocache_nozero(to, from, n);
11082+ if ((long)n < 0)
11083+ return n;
11084+
11085+ return __copy_from_user_ll_nocache_nozero(to, from, n);
11086+}
11087+
11088+/**
11089+ * copy_to_user: - Copy a block of data into user space.
11090+ * @to: Destination address, in user space.
11091+ * @from: Source address, in kernel space.
11092+ * @n: Number of bytes to copy.
11093+ *
11094+ * Context: User context only. This function may sleep.
11095+ *
11096+ * Copy data from kernel space to user space.
11097+ *
11098+ * Returns number of bytes that could not be copied.
11099+ * On success, this will be zero.
11100+ */
11101+static __always_inline unsigned long __must_check
11102+copy_to_user(void __user *to, const void *from, unsigned long n)
11103+{
11104+ if (access_ok(VERIFY_WRITE, to, n))
11105+ n = __copy_to_user(to, from, n);
11106+ return n;
11107+}
11108+
11109+/**
11110+ * copy_from_user: - Copy a block of data from user space.
11111+ * @to: Destination address, in kernel space.
11112+ * @from: Source address, in user space.
11113+ * @n: Number of bytes to copy.
11114+ *
11115+ * Context: User context only. This function may sleep.
11116+ *
11117+ * Copy data from user space to kernel space.
11118+ *
11119+ * Returns number of bytes that could not be copied.
11120+ * On success, this will be zero.
11121+ *
11122+ * If some data could not be copied, this function will pad the copied
11123+ * data to the requested size using zero bytes.
11124+ */
11125+static __always_inline unsigned long __must_check
11126+copy_from_user(void *to, const void __user *from, unsigned long n)
11127+{
11128+ if (access_ok(VERIFY_READ, from, n))
11129+ n = __copy_from_user(to, from, n);
11130+ else if ((long)n > 0) {
11131+ if (!__builtin_constant_p(n))
11132+ check_object_size(to, n, false);
11133+ memset(to, 0, n);
11134+ }
11135+ return n;
11136 }
11137
11138-unsigned long __must_check copy_to_user(void __user *to,
11139- const void *from, unsigned long n);
11140-unsigned long __must_check copy_from_user(void *to,
11141- const void __user *from,
11142- unsigned long n);
11143 long __must_check strncpy_from_user(char *dst, const char __user *src,
11144 long count);
11145 long __must_check __strncpy_from_user(char *dst,
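Review bot: `__copy_from_user_inatomic_nocache()` gains the `(long)n < 0` guard but, unlike `__copy_from_user()` in this file, never calls `check_object_size(to, n, false)` before writing `n` bytes into the kernel buffer. The earlier hunks for `__copy_from_user_inatomic()` and `__copy_from_user_nocache()` also show only the sign check, though their bodies continue outside those hunks. If the omission is deliberate it deserves a comment; otherwise add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_from_user_ll_nocache_nozero()` call.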
11146diff -urNp linux-2.6.32.48/arch/x86/include/asm/uaccess_64.h linux-2.6.32.48/arch/x86/include/asm/uaccess_64.h
11147--- linux-2.6.32.48/arch/x86/include/asm/uaccess_64.h 2011-11-08 19:02:43.000000000 -0500
11148+++ linux-2.6.32.48/arch/x86/include/asm/uaccess_64.h 2011-11-15 19:59:42.000000000 -0500
11149@@ -9,6 +9,9 @@
11150 #include <linux/prefetch.h>
11151 #include <linux/lockdep.h>
11152 #include <asm/page.h>
11153+#include <asm/pgtable.h>
11154+
11155+#define set_fs(x) (current_thread_info()->addr_limit = (x))
11156
11157 /*
11158 * Copy To/From Userspace
11159@@ -19,113 +22,203 @@ __must_check unsigned long
11160 copy_user_generic(void *to, const void *from, unsigned len);
11161
11162 __must_check unsigned long
11163-copy_to_user(void __user *to, const void *from, unsigned len);
11164-__must_check unsigned long
11165-copy_from_user(void *to, const void __user *from, unsigned len);
11166-__must_check unsigned long
11167 copy_in_user(void __user *to, const void __user *from, unsigned len);
11168
11169 static __always_inline __must_check
11170-int __copy_from_user(void *dst, const void __user *src, unsigned size)
11171+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
11172 {
11173- int ret = 0;
11174+ unsigned ret = 0;
11175
11176 might_fault();
11177- if (!__builtin_constant_p(size))
11178- return copy_user_generic(dst, (__force void *)src, size);
11179+
11180+ if ((int)size < 0)
11181+ return size;
11182+
11183+#ifdef CONFIG_PAX_MEMORY_UDEREF
11184+ if (!__access_ok(VERIFY_READ, src, size))
11185+ return size;
11186+#endif
11187+
11188+ if (!__builtin_constant_p(size)) {
11189+ check_object_size(dst, size, false);
11190+
11191+#ifdef CONFIG_PAX_MEMORY_UDEREF
11192+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11193+ src += PAX_USER_SHADOW_BASE;
11194+#endif
11195+
11196+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
11197+ }
11198 switch (size) {
11199- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
11200+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
11201 ret, "b", "b", "=q", 1);
11202 return ret;
11203- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
11204+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
11205 ret, "w", "w", "=r", 2);
11206 return ret;
11207- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
11208+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
11209 ret, "l", "k", "=r", 4);
11210 return ret;
11211- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
11212+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11213 ret, "q", "", "=r", 8);
11214 return ret;
11215 case 10:
11216- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11217+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11218 ret, "q", "", "=r", 10);
11219 if (unlikely(ret))
11220 return ret;
11221 __get_user_asm(*(u16 *)(8 + (char *)dst),
11222- (u16 __user *)(8 + (char __user *)src),
11223+ (const u16 __user *)(8 + (const char __user *)src),
11224 ret, "w", "w", "=r", 2);
11225 return ret;
11226 case 16:
11227- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
11228+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
11229 ret, "q", "", "=r", 16);
11230 if (unlikely(ret))
11231 return ret;
11232 __get_user_asm(*(u64 *)(8 + (char *)dst),
11233- (u64 __user *)(8 + (char __user *)src),
11234+ (const u64 __user *)(8 + (const char __user *)src),
11235 ret, "q", "", "=r", 8);
11236 return ret;
11237 default:
11238- return copy_user_generic(dst, (__force void *)src, size);
11239+
11240+#ifdef CONFIG_PAX_MEMORY_UDEREF
11241+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11242+ src += PAX_USER_SHADOW_BASE;
11243+#endif
11244+
11245+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
11246 }
11247 }
11248
11249 static __always_inline __must_check
11250-int __copy_to_user(void __user *dst, const void *src, unsigned size)
11251+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
11252 {
11253- int ret = 0;
11254+ unsigned ret = 0;
11255
11256 might_fault();
11257- if (!__builtin_constant_p(size))
11258- return copy_user_generic((__force void *)dst, src, size);
11259+
11260+ pax_track_stack();
11261+
11262+ if ((int)size < 0)
11263+ return size;
11264+
11265+#ifdef CONFIG_PAX_MEMORY_UDEREF
11266+ if (!__access_ok(VERIFY_WRITE, dst, size))
11267+ return size;
11268+#endif
11269+
11270+ if (!__builtin_constant_p(size)) {
11271+ check_object_size(src, size, true);
11272+
11273+#ifdef CONFIG_PAX_MEMORY_UDEREF
11274+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11275+ dst += PAX_USER_SHADOW_BASE;
11276+#endif
11277+
11278+ return copy_user_generic((__force_kernel void *)dst, src, size);
11279+ }
11280 switch (size) {
11281- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
11282+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
11283 ret, "b", "b", "iq", 1);
11284 return ret;
11285- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
11286+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
11287 ret, "w", "w", "ir", 2);
11288 return ret;
11289- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
11290+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
11291 ret, "l", "k", "ir", 4);
11292 return ret;
11293- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
11294+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11295 ret, "q", "", "er", 8);
11296 return ret;
11297 case 10:
11298- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11299+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11300 ret, "q", "", "er", 10);
11301 if (unlikely(ret))
11302 return ret;
11303 asm("":::"memory");
11304- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
11305+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
11306 ret, "w", "w", "ir", 2);
11307 return ret;
11308 case 16:
11309- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
11310+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
11311 ret, "q", "", "er", 16);
11312 if (unlikely(ret))
11313 return ret;
11314 asm("":::"memory");
11315- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
11316+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
11317 ret, "q", "", "er", 8);
11318 return ret;
11319 default:
11320- return copy_user_generic((__force void *)dst, src, size);
11321+
11322+#ifdef CONFIG_PAX_MEMORY_UDEREF
11323+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11324+ dst += PAX_USER_SHADOW_BASE;
11325+#endif
11326+
11327+ return copy_user_generic((__force_kernel void *)dst, src, size);
11328+ }
11329+}
11330+
11331+static __always_inline __must_check
11332+unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
11333+{
11334+ if (access_ok(VERIFY_WRITE, to, len))
11335+ len = __copy_to_user(to, from, len);
11336+ return len;
11337+}
11338+
11339+static __always_inline __must_check
11340+unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
11341+{
11342+ if ((int)len < 0)
11343+ return len;
11344+
11345+ if (access_ok(VERIFY_READ, from, len))
11346+ len = __copy_from_user(to, from, len);
11347+ else if ((int)len > 0) {
11348+ if (!__builtin_constant_p(len))
11349+ check_object_size(to, len, false);
11350+ memset(to, 0, len);
11351 }
11352+ return len;
11353 }
11354
11355 static __always_inline __must_check
11356-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11357+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
11358 {
11359- int ret = 0;
11360+ unsigned ret = 0;
11361
11362 might_fault();
11363- if (!__builtin_constant_p(size))
11364- return copy_user_generic((__force void *)dst,
11365- (__force void *)src, size);
11366+
11367+ pax_track_stack();
11368+
11369+ if ((int)size < 0)
11370+ return size;
11371+
11372+#ifdef CONFIG_PAX_MEMORY_UDEREF
11373+ if (!__access_ok(VERIFY_READ, src, size))
11374+ return size;
11375+ if (!__access_ok(VERIFY_WRITE, dst, size))
11376+ return size;
11377+#endif
11378+
11379+ if (!__builtin_constant_p(size)) {
11380+
11381+#ifdef CONFIG_PAX_MEMORY_UDEREF
11382+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11383+ src += PAX_USER_SHADOW_BASE;
11384+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11385+ dst += PAX_USER_SHADOW_BASE;
11386+#endif
11387+
11388+ return copy_user_generic((__force_kernel void *)dst,
11389+ (__force_kernel const void *)src, size);
11390+ }
11391 switch (size) {
11392 case 1: {
11393 u8 tmp;
11394- __get_user_asm(tmp, (u8 __user *)src,
11395+ __get_user_asm(tmp, (const u8 __user *)src,
11396 ret, "b", "b", "=q", 1);
11397 if (likely(!ret))
11398 __put_user_asm(tmp, (u8 __user *)dst,
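Review bot: The new inline `copy_to_user()` and `copy_from_user()` take the length as `unsigned`, so a 64-bit length from a caller is narrowed to 32 bits before the `(int)len < 0` check sees it, and a value above 4 GiB can pass as a small positive count. The 32-bit header uses `unsigned long n` with `(long)n < 0`, and the return type here is already `unsigned long`. Consider widening the parameter, e.g. `unsigned long copy_from_user(void *to, const void __user *from, unsigned long len)`, and rejecting `len > INT_MAX` before handing it to the `unsigned`-sized helpers. `__copy_in_user()` at the end of this hunk continues outside it.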
11399@@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
11400 }
11401 case 2: {
11402 u16 tmp;
11403- __get_user_asm(tmp, (u16 __user *)src,
11404+ __get_user_asm(tmp, (const u16 __user *)src,
11405 ret, "w", "w", "=r", 2);
11406 if (likely(!ret))
11407 __put_user_asm(tmp, (u16 __user *)dst,
11408@@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
11409
11410 case 4: {
11411 u32 tmp;
11412- __get_user_asm(tmp, (u32 __user *)src,
11413+ __get_user_asm(tmp, (const u32 __user *)src,
11414 ret, "l", "k", "=r", 4);
11415 if (likely(!ret))
11416 __put_user_asm(tmp, (u32 __user *)dst,
11417@@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
11418 }
11419 case 8: {
11420 u64 tmp;
11421- __get_user_asm(tmp, (u64 __user *)src,
11422+ __get_user_asm(tmp, (const u64 __user *)src,
11423 ret, "q", "", "=r", 8);
11424 if (likely(!ret))
11425 __put_user_asm(tmp, (u64 __user *)dst,
11426@@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
11427 return ret;
11428 }
11429 default:
11430- return copy_user_generic((__force void *)dst,
11431- (__force void *)src, size);
11432+
11433+#ifdef CONFIG_PAX_MEMORY_UDEREF
11434+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11435+ src += PAX_USER_SHADOW_BASE;
11436+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11437+ dst += PAX_USER_SHADOW_BASE;
11438+#endif
11439+
11440+ return copy_user_generic((__force_kernel void *)dst,
11441+ (__force_kernel const void *)src, size);
11442 }
11443 }
11444
11445@@ -176,33 +277,75 @@ __must_check long strlen_user(const char
11446 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
11447 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
11448
11449-__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
11450- unsigned size);
11451+static __must_check __always_inline unsigned long
11452+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
11453+{
11454+ pax_track_stack();
11455+
11456+ if ((int)size < 0)
11457+ return size;
11458+
11459+#ifdef CONFIG_PAX_MEMORY_UDEREF
11460+ if (!__access_ok(VERIFY_READ, src, size))
11461+ return size;
11462+
11463+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
11464+ src += PAX_USER_SHADOW_BASE;
11465+#endif
11466
11467-static __must_check __always_inline int
11468+ return copy_user_generic(dst, (__force_kernel const void *)src, size);
11469+}
11470+
11471+static __must_check __always_inline unsigned long
11472 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
11473 {
11474- return copy_user_generic((__force void *)dst, src, size);
11475+ if ((int)size < 0)
11476+ return size;
11477+
11478+#ifdef CONFIG_PAX_MEMORY_UDEREF
11479+ if (!__access_ok(VERIFY_WRITE, dst, size))
11480+ return size;
11481+
11482+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
11483+ dst += PAX_USER_SHADOW_BASE;
11484+#endif
11485+
11486+ return copy_user_generic((__force_kernel void *)dst, src, size);
11487 }
11488
11489-extern long __copy_user_nocache(void *dst, const void __user *src,
11490+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
11491 unsigned size, int zerorest);
11492
11493-static inline int
11494-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11495+static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
11496 {
11497 might_sleep();
11498+
11499+ if ((int)size < 0)
11500+ return size;
11501+
11502+#ifdef CONFIG_PAX_MEMORY_UDEREF
11503+ if (!__access_ok(VERIFY_READ, src, size))
11504+ return size;
11505+#endif
11506+
11507 return __copy_user_nocache(dst, src, size, 1);
11508 }
11509
11510-static inline int
11511-__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11512+static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
11513 unsigned size)
11514 {
11515+ if ((int)size < 0)
11516+ return size;
11517+
11518+#ifdef CONFIG_PAX_MEMORY_UDEREF
11519+ if (!__access_ok(VERIFY_READ, src, size))
11520+ return size;
11521+#endif
11522+
11523 return __copy_user_nocache(dst, src, size, 0);
11524 }
11525
11526-unsigned long
11527-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
11528+extern unsigned long
11529+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest);
11530
11531 #endif /* _ASM_X86_UACCESS_64_H */
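Review bot: In `__copy_from_user_nocache` the two new early returns leave `dst` untouched, whereas the call they bypass passes `zerorest = 1`. The function is not `__must_check`, so a caller that ignores the return value would go on to use whatever was already in the kernel buffer. For the `__access_ok()` failure, where `size` has already passed the sign check, clearing first would keep the contract: `if (!__access_ok(VERIFY_READ, src, size)) { memset(dst, 0, size); return size; }`. What `zerorest` does inside `__copy_user_nocache` is not visible here, so confirm the intended contract before changing it. The `(int)size < 0` guard repeated in all four functions also deserves a comment saying it rejects lengths above `INT_MAX`.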
11532diff -urNp linux-2.6.32.48/arch/x86/include/asm/uaccess.h linux-2.6.32.48/arch/x86/include/asm/uaccess.h
11533--- linux-2.6.32.48/arch/x86/include/asm/uaccess.h 2011-11-08 19:02:43.000000000 -0500
11534+++ linux-2.6.32.48/arch/x86/include/asm/uaccess.h 2011-11-15 19:59:42.000000000 -0500
11535@@ -8,12 +8,15 @@
11536 #include <linux/thread_info.h>
11537 #include <linux/prefetch.h>
11538 #include <linux/string.h>
11539+#include <linux/sched.h>
11540 #include <asm/asm.h>
11541 #include <asm/page.h>
11542
11543 #define VERIFY_READ 0
11544 #define VERIFY_WRITE 1
11545
11546+extern void check_object_size(const void *ptr, unsigned long n, bool to);
11547+
11548 /*
11549 * The fs value determines whether argument validity checking should be
11550 * performed or not. If get_fs() == USER_DS, checking is performed, with
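Review bot: The new `check_object_size()` prototype carries no comment, and the `bool to` parameter does not say which copy direction `true` stands for. Since the definition is outside this file, a reader of `uaccess.h` cannot tell what the function checks or what happens when the check fails. A short comment above the declaration should state what `ptr` and `n` describe, the meaning of `to`, and whether the function returns on failure.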
11551@@ -29,7 +32,12 @@
11552
11553 #define get_ds() (KERNEL_DS)
11554 #define get_fs() (current_thread_info()->addr_limit)
11555+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11556+void __set_fs(mm_segment_t x);
11557+void set_fs(mm_segment_t x);
11558+#else
11559 #define set_fs(x) (current_thread_info()->addr_limit = (x))
11560+#endif
11561
11562 #define segment_eq(a, b) ((a).seg == (b).seg)
11563
11564@@ -77,7 +85,33 @@
11565 * checks that the pointer is in the user space range - after calling
11566 * this function, memory access functions may still return -EFAULT.
11567 */
11568-#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11569+#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
11570+#define access_ok(type, addr, size) \
11571+({ \
11572+ long __size = size; \
11573+ unsigned long __addr = (unsigned long)addr; \
11574+ unsigned long __addr_ao = __addr & PAGE_MASK; \
11575+ unsigned long __end_ao = __addr + __size - 1; \
11576+ bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
11577+ if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
11578+ while(__addr_ao <= __end_ao) { \
11579+ char __c_ao; \
11580+ __addr_ao += PAGE_SIZE; \
11581+ if (__size > PAGE_SIZE) \
11582+ cond_resched(); \
11583+ if (__get_user(__c_ao, (char __user *)__addr)) \
11584+ break; \
11585+ if (type != VERIFY_WRITE) { \
11586+ __addr = __addr_ao; \
11587+ continue; \
11588+ } \
11589+ if (__put_user(__c_ao, (char __user *)__addr)) \
11590+ break; \
11591+ __addr = __addr_ao; \
11592+ } \
11593+ } \
11594+ __ret_ao; \
11595+})
11596
11597 /*
11598 * The exception table consists of pairs of addresses: the first is the
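Review bot: The new `access_ok()` body uses its arguments unparenthesised, so `(unsigned long)addr` applied to an expression such as `buf + off` casts only `buf` and then adds `off` as a byte count. The three uses should read `long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE) {`. Separately, the macro now touches each page with `__get_user()`/`__put_user()` and may call `cond_resched()`, so it can fault or sleep where the old range check could not. The `VERIFY_WRITE` probe also writes back a byte it read earlier, which can overwrite a concurrent userland store; both points warrant a comment and an audit of callers in atomic context. The probe result is discarded (`break` leaves `__ret_ao` unchanged), which should be stated if intentional.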
11599@@ -183,12 +217,20 @@ extern int __get_user_bad(void);
11600 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
11601 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
11602
11603-
11604+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
11605+#define __copyuser_seg "gs;"
11606+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
11607+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
11608+#else
11609+#define __copyuser_seg
11610+#define __COPYUSER_SET_ES
11611+#define __COPYUSER_RESTORE_ES
11612+#endif
11613
11614 #ifdef CONFIG_X86_32
11615 #define __put_user_asm_u64(x, addr, err, errret) \
11616- asm volatile("1: movl %%eax,0(%2)\n" \
11617- "2: movl %%edx,4(%2)\n" \
11618+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
11619+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
11620 "3:\n" \
11621 ".section .fixup,\"ax\"\n" \
11622 "4: movl %3,%0\n" \
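Review bot: `__copyuser_seg`, `__COPYUSER_SET_ES` and `__COPYUSER_RESTORE_ES` are introduced without a comment saying which selector `%gs` is expected to hold or why `%es` is reloaded from `%ss`. Every user-access asm block in this file now depends on that invariant, so it should be written down once above the `#if`. For example: `/* UDEREF on i386: userland is addressed through %gs; %es is restored from %ss, which must be the kernel data segment (confirm) */`. The same prefix is applied in the following `__put_user_asm_ex_u64`, `__get_user_asm*` and `__put_user_asm*` hunks; the macro bodies continue outside this hunk.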
11623@@ -200,8 +242,8 @@ extern int __get_user_bad(void);
11624 : "A" (x), "r" (addr), "i" (errret), "0" (err))
11625
11626 #define __put_user_asm_ex_u64(x, addr) \
11627- asm volatile("1: movl %%eax,0(%1)\n" \
11628- "2: movl %%edx,4(%1)\n" \
11629+ asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
11630+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
11631 "3:\n" \
11632 _ASM_EXTABLE(1b, 2b - 1b) \
11633 _ASM_EXTABLE(2b, 3b - 2b) \
11634@@ -253,7 +295,7 @@ extern void __put_user_8(void);
11635 __typeof__(*(ptr)) __pu_val; \
11636 __chk_user_ptr(ptr); \
11637 might_fault(); \
11638- __pu_val = x; \
11639+ __pu_val = (x); \
11640 switch (sizeof(*(ptr))) { \
11641 case 1: \
11642 __put_user_x(1, __pu_val, ptr, __ret_pu); \
11643@@ -374,7 +416,7 @@ do { \
11644 } while (0)
11645
11646 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11647- asm volatile("1: mov"itype" %2,%"rtype"1\n" \
11648+ asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
11649 "2:\n" \
11650 ".section .fixup,\"ax\"\n" \
11651 "3: mov %3,%0\n" \
11652@@ -382,7 +424,7 @@ do { \
11653 " jmp 2b\n" \
11654 ".previous\n" \
11655 _ASM_EXTABLE(1b, 3b) \
11656- : "=r" (err), ltype(x) \
11657+ : "=r" (err), ltype (x) \
11658 : "m" (__m(addr)), "i" (errret), "0" (err))
11659
11660 #define __get_user_size_ex(x, ptr, size) \
11661@@ -407,7 +449,7 @@ do { \
11662 } while (0)
11663
11664 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
11665- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
11666+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
11667 "2:\n" \
11668 _ASM_EXTABLE(1b, 2b - 1b) \
11669 : ltype(x) : "m" (__m(addr)))
11670@@ -424,13 +466,24 @@ do { \
11671 int __gu_err; \
11672 unsigned long __gu_val; \
11673 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
11674- (x) = (__force __typeof__(*(ptr)))__gu_val; \
11675+ (x) = (__typeof__(*(ptr)))__gu_val; \
11676 __gu_err; \
11677 })
11678
11679 /* FIXME: this hack is definitely wrong -AK */
11680 struct __large_struct { unsigned long buf[100]; };
11681-#define __m(x) (*(struct __large_struct __user *)(x))
11682+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11683+#define ____m(x) \
11684+({ \
11685+ unsigned long ____x = (unsigned long)(x); \
11686+ if (____x < PAX_USER_SHADOW_BASE) \
11687+ ____x += PAX_USER_SHADOW_BASE; \
11688+ (void __user *)____x; \
11689+})
11690+#else
11691+#define ____m(x) (x)
11692+#endif
11693+#define __m(x) (*(struct __large_struct __user *)____m(x))
11694
11695 /*
11696 * Tell gcc we read from memory instead of writing: this is because
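Review bot: `____m()` adds `PAX_USER_SHADOW_BASE` to any address below it, and nothing next to the macro says so. A reader of `"m" (__m(addr))` in the asm constraints has no hint that the operand is rebased. Suggest a comment above the `#if`, e.g. `/* UDEREF on amd64: addresses below PAX_USER_SHADOW_BASE are redirected to the shadow mapping; others pass through unchanged */` (wording to be confirmed). The hunk also drops `__force` from the `__gu_val` cast without explanation; if the aim is to let sparse flag address-space mismatches, a short comment on that line would record it.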
11697@@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
11698 * aliasing issues.
11699 */
11700 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
11701- asm volatile("1: mov"itype" %"rtype"1,%2\n" \
11702+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
11703 "2:\n" \
11704 ".section .fixup,\"ax\"\n" \
11705 "3: mov %3,%0\n" \
11706@@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
11707 ".previous\n" \
11708 _ASM_EXTABLE(1b, 3b) \
11709 : "=r"(err) \
11710- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
11711+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
11712
11713 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
11714- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
11715+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
11716 "2:\n" \
11717 _ASM_EXTABLE(1b, 2b - 1b) \
11718 : : ltype(x), "m" (__m(addr)))
11719@@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
11720 * On error, the variable @x is set to zero.
11721 */
11722
11723+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11724+#define __get_user(x, ptr) get_user((x), (ptr))
11725+#else
11726 #define __get_user(x, ptr) \
11727 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
11728+#endif
11729
11730 /**
11731 * __put_user: - Write a simple value into user space, with less checking.
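Review bot: Under `CONFIG_X86_64 && CONFIG_PAX_MEMORY_UDEREF`, `__get_user()` becomes an alias for `get_user()`, but the kerneldoc above it is left unchanged. The same applies to `__put_user()` in the next hunk, whose kerneldoc title still reads "with less checking". Suggest adding one line to each comment block, e.g. ` * With UDEREF on x86-64 this is an alias for get_user() and performs the full check.` The `__get_user` kerneldoc starts outside the hunk, so its exact wording should be checked when editing.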
11732@@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
11733 * Returns zero on success, or -EFAULT on error.
11734 */
11735
11736+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11737+#define __put_user(x, ptr) put_user((x), (ptr))
11738+#else
11739 #define __put_user(x, ptr) \
11740 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
11741+#endif
11742
11743 #define __get_user_unaligned __get_user
11744 #define __put_user_unaligned __put_user
11745@@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
11746 #define get_user_ex(x, ptr) do { \
11747 unsigned long __gue_val; \
11748 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
11749- (x) = (__force __typeof__(*(ptr)))__gue_val; \
11750+ (x) = (__typeof__(*(ptr)))__gue_val; \
11751 } while (0)
11752
11753 #ifdef CONFIG_X86_WP_WORKS_OK
11754@@ -567,6 +628,7 @@ extern struct movsl_mask {
11755
11756 #define ARCH_HAS_NOCACHE_UACCESS 1
11757
11758+#define ARCH_HAS_SORT_EXTABLE
11759 #ifdef CONFIG_X86_32
11760 # include "uaccess_32.h"
11761 #else
11762diff -urNp linux-2.6.32.48/arch/x86/include/asm/vdso.h linux-2.6.32.48/arch/x86/include/asm/vdso.h
11763--- linux-2.6.32.48/arch/x86/include/asm/vdso.h 2011-11-08 19:02:43.000000000 -0500
11764+++ linux-2.6.32.48/arch/x86/include/asm/vdso.h 2011-11-15 19:59:42.000000000 -0500
11765@@ -25,7 +25,7 @@ extern const char VDSO32_PRELINK[];
11766 #define VDSO32_SYMBOL(base, name) \
11767 ({ \
11768 extern const char VDSO32_##name[]; \
11769- (void *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11770+ (void __user *)(VDSO32_##name - VDSO32_PRELINK + (unsigned long)(base)); \
11771 })
11772 #endif
11773
11774diff -urNp linux-2.6.32.48/arch/x86/include/asm/vgtod.h linux-2.6.32.48/arch/x86/include/asm/vgtod.h
11775--- linux-2.6.32.48/arch/x86/include/asm/vgtod.h 2011-11-08 19:02:43.000000000 -0500
11776+++ linux-2.6.32.48/arch/x86/include/asm/vgtod.h 2011-11-15 19:59:42.000000000 -0500
11777@@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
11778 int sysctl_enabled;
11779 struct timezone sys_tz;
11780 struct { /* extract of a clocksource struct */
11781+ char name[8];
11782 cycle_t (*vread)(void);
11783 cycle_t cycle_last;
11784 cycle_t mask;
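Review bot: The new `char name[8]` field has no comment on how it is filled, and an 8-byte buffer truncates any clocksource name of eight or more characters. The code that copies into it is outside this hunk; it needs a bounded, always-terminating copy such as `strlcpy(dst, src, sizeof(dst))`. Any comparison against the field must allow for truncation. A field comment like `/* clocksource name, NUL-terminated, at most 7 chars */` would record the contract. The struct continues past the end of the hunk.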
11785diff -urNp linux-2.6.32.48/arch/x86/include/asm/vmi.h linux-2.6.32.48/arch/x86/include/asm/vmi.h
11786--- linux-2.6.32.48/arch/x86/include/asm/vmi.h 2011-11-08 19:02:43.000000000 -0500
11787+++ linux-2.6.32.48/arch/x86/include/asm/vmi.h 2011-11-15 19:59:42.000000000 -0500
11788@@ -191,6 +191,7 @@ struct vrom_header {
11789 u8 reserved[96]; /* Reserved for headers */
11790 char vmi_init[8]; /* VMI_Init jump point */
11791 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11792+ char rom_data[8048]; /* rest of the option ROM */
11793 } __attribute__((packed));
11794
11795 struct pnp_header {
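Review bot: `rom_data[8048]` is a bare magic number, and nothing ties it to the size of the other members of this packed struct. A later change to any field would silently change the total size. If the intent is for `struct vrom_header` to span the whole option ROM (an assumption; most of the struct is outside the hunk), derive the length from a named constant. A compile-time size check in the code that maps the ROM would then record it, e.g. `BUILD_BUG_ON(sizeof(struct vrom_header) != VROM_TOTAL_SIZE);`, where `VROM_TOTAL_SIZE` is a placeholder name.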
11796diff -urNp linux-2.6.32.48/arch/x86/include/asm/vmi_time.h linux-2.6.32.48/arch/x86/include/asm/vmi_time.h
11797--- linux-2.6.32.48/arch/x86/include/asm/vmi_time.h 2011-11-08 19:02:43.000000000 -0500
11798+++ linux-2.6.32.48/arch/x86/include/asm/vmi_time.h 2011-11-15 19:59:42.000000000 -0500
11799@@ -43,7 +43,7 @@ extern struct vmi_timer_ops {
11800 int (*wallclock_updated)(void);
11801 void (*set_alarm)(u32 flags, u64 expiry, u64 period);
11802 void (*cancel_alarm)(u32 flags);
11803-} vmi_timer_ops;
11804+} __no_const vmi_timer_ops;
11805
11806 /* Prototypes */
11807 extern void __init vmi_time_init(void);
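Review bot: `__no_const` appears to opt `vmi_timer_ops` out of the constify plugin referenced in the `realmode/Makefile` hunk. That leaves its function pointers writable at run time, and no comment says which code assigns them. The same annotation is added without explanation to nine structures in `x86_init.h` below. A short comment per struct, e.g. `/* assigned at boot by platform setup code, hence __no_const */` (to be confirmed for each), would let a reviewer judge whether each table really has to stay writable after init.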
11808diff -urNp linux-2.6.32.48/arch/x86/include/asm/vsyscall.h linux-2.6.32.48/arch/x86/include/asm/vsyscall.h
11809--- linux-2.6.32.48/arch/x86/include/asm/vsyscall.h 2011-11-08 19:02:43.000000000 -0500
11810+++ linux-2.6.32.48/arch/x86/include/asm/vsyscall.h 2011-11-15 19:59:42.000000000 -0500
11811@@ -15,9 +15,10 @@ enum vsyscall_num {
11812
11813 #ifdef __KERNEL__
11814 #include <linux/seqlock.h>
11815+#include <linux/getcpu.h>
11816+#include <linux/time.h>
11817
11818 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11819-#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11820
11821 /* Definitions for CONFIG_GENERIC_TIME definitions */
11822 #define __section_vsyscall_gtod_data __attribute__ \
11823@@ -31,7 +32,6 @@ enum vsyscall_num {
11824 #define VGETCPU_LSL 2
11825
11826 extern int __vgetcpu_mode;
11827-extern volatile unsigned long __jiffies;
11828
11829 /* kernel space (writeable) */
11830 extern int vgetcpu_mode;
11831@@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11832
11833 extern void map_vsyscall(void);
11834
11835+extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11836+extern time_t vtime(time_t *t);
11837+extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11838 #endif /* __KERNEL__ */
11839
11840 #endif /* _ASM_X86_VSYSCALL_H */
11841diff -urNp linux-2.6.32.48/arch/x86/include/asm/x86_init.h linux-2.6.32.48/arch/x86/include/asm/x86_init.h
11842--- linux-2.6.32.48/arch/x86/include/asm/x86_init.h 2011-11-08 19:02:43.000000000 -0500
11843+++ linux-2.6.32.48/arch/x86/include/asm/x86_init.h 2011-11-15 19:59:42.000000000 -0500
11844@@ -28,7 +28,7 @@ struct x86_init_mpparse {
11845 void (*mpc_oem_bus_info)(struct mpc_bus *m, char *name);
11846 void (*find_smp_config)(unsigned int reserve);
11847 void (*get_smp_config)(unsigned int early);
11848-};
11849+} __no_const;
11850
11851 /**
11852 * struct x86_init_resources - platform specific resource related ops
11853@@ -42,7 +42,7 @@ struct x86_init_resources {
11854 void (*probe_roms)(void);
11855 void (*reserve_resources)(void);
11856 char *(*memory_setup)(void);
11857-};
11858+} __no_const;
11859
11860 /**
11861 * struct x86_init_irqs - platform specific interrupt setup
11862@@ -55,7 +55,7 @@ struct x86_init_irqs {
11863 void (*pre_vector_init)(void);
11864 void (*intr_init)(void);
11865 void (*trap_init)(void);
11866-};
11867+} __no_const;
11868
11869 /**
11870 * struct x86_init_oem - oem platform specific customizing functions
11871@@ -65,7 +65,7 @@ struct x86_init_irqs {
11872 struct x86_init_oem {
11873 void (*arch_setup)(void);
11874 void (*banner)(void);
11875-};
11876+} __no_const;
11877
11878 /**
11879 * struct x86_init_paging - platform specific paging functions
11880@@ -75,7 +75,7 @@ struct x86_init_oem {
11881 struct x86_init_paging {
11882 void (*pagetable_setup_start)(pgd_t *base);
11883 void (*pagetable_setup_done)(pgd_t *base);
11884-};
11885+} __no_const;
11886
11887 /**
11888 * struct x86_init_timers - platform specific timer setup
11889@@ -88,7 +88,7 @@ struct x86_init_timers {
11890 void (*setup_percpu_clockev)(void);
11891 void (*tsc_pre_init)(void);
11892 void (*timer_init)(void);
11893-};
11894+} __no_const;
11895
11896 /**
11897 * struct x86_init_ops - functions for platform specific setup
11898@@ -101,7 +101,7 @@ struct x86_init_ops {
11899 struct x86_init_oem oem;
11900 struct x86_init_paging paging;
11901 struct x86_init_timers timers;
11902-};
11903+} __no_const;
11904
11905 /**
11906 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
11907@@ -109,7 +109,7 @@ struct x86_init_ops {
11908 */
11909 struct x86_cpuinit_ops {
11910 void (*setup_percpu_clockev)(void);
11911-};
11912+} __no_const;
11913
11914 /**
11915 * struct x86_platform_ops - platform specific runtime functions
11916@@ -121,7 +121,7 @@ struct x86_platform_ops {
11917 unsigned long (*calibrate_tsc)(void);
11918 unsigned long (*get_wallclock)(void);
11919 int (*set_wallclock)(unsigned long nowtime);
11920-};
11921+} __no_const;
11922
11923 extern struct x86_init_ops x86_init;
11924 extern struct x86_cpuinit_ops x86_cpuinit;
11925diff -urNp linux-2.6.32.48/arch/x86/include/asm/xsave.h linux-2.6.32.48/arch/x86/include/asm/xsave.h
11926--- linux-2.6.32.48/arch/x86/include/asm/xsave.h 2011-11-08 19:02:43.000000000 -0500
11927+++ linux-2.6.32.48/arch/x86/include/asm/xsave.h 2011-11-15 19:59:42.000000000 -0500
11928@@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11929 static inline int xsave_user(struct xsave_struct __user *buf)
11930 {
11931 int err;
11932+
11933+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11934+ if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11935+ buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11936+#endif
11937+
11938 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11939 "2:\n"
11940 ".section .fixup,\"ax\"\n"
11941@@ -78,10 +84,15 @@ static inline int xsave_user(struct xsav
11942 static inline int xrestore_user(struct xsave_struct __user *buf, u64 mask)
11943 {
11944 int err;
11945- struct xsave_struct *xstate = ((__force struct xsave_struct *)buf);
11946+ struct xsave_struct *xstate = ((__force_kernel struct xsave_struct *)buf);
11947 u32 lmask = mask;
11948 u32 hmask = mask >> 32;
11949
11950+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11951+ if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11952+ xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11953+#endif
11954+
11955 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11956 "2:\n"
11957 ".section .fixup,\"ax\"\n"
11958diff -urNp linux-2.6.32.48/arch/x86/Kconfig linux-2.6.32.48/arch/x86/Kconfig
11959--- linux-2.6.32.48/arch/x86/Kconfig 2011-11-08 19:02:43.000000000 -0500
11960+++ linux-2.6.32.48/arch/x86/Kconfig 2011-11-15 19:59:42.000000000 -0500
11961@@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11962
11963 config X86_32_LAZY_GS
11964 def_bool y
11965- depends on X86_32 && !CC_STACKPROTECTOR
11966+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11967
11968 config KTIME_SCALAR
11969 def_bool X86_32
11970@@ -1008,7 +1008,7 @@ choice
11971
11972 config NOHIGHMEM
11973 bool "off"
11974- depends on !X86_NUMAQ
11975+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11976 ---help---
11977 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11978 However, the address space of 32-bit x86 processors is only 4
11979@@ -1045,7 +1045,7 @@ config NOHIGHMEM
11980
11981 config HIGHMEM4G
11982 bool "4GB"
11983- depends on !X86_NUMAQ
11984+ depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11985 ---help---
11986 Select this if you have a 32-bit processor and between 1 and 4
11987 gigabytes of physical RAM.
11988@@ -1099,7 +1099,7 @@ config PAGE_OFFSET
11989 hex
11990 default 0xB0000000 if VMSPLIT_3G_OPT
11991 default 0x80000000 if VMSPLIT_2G
11992- default 0x78000000 if VMSPLIT_2G_OPT
11993+ default 0x70000000 if VMSPLIT_2G_OPT
11994 default 0x40000000 if VMSPLIT_1G
11995 default 0xC0000000
11996 depends on X86_32
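Review bot: The `VMSPLIT_2G_OPT` default moves from `0x78000000` to `0x70000000` with no comment. This changes the user/kernel address split for every configuration that selects that option. The reason is not visible in the hunk. A Kconfig comment above the line, e.g. `# differs from upstream 0x78000000: <reason>`, would keep the deviation from being mistaken for a typo during a rebase.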
11997@@ -1460,6 +1460,7 @@ config SECCOMP
11998
11999 config CC_STACKPROTECTOR
12000 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
12001+ depends on X86_64 || !PAX_MEMORY_UDEREF
12002 ---help---
12003 This option turns on the -fstack-protector GCC feature. This
12004 feature puts, at the beginning of functions, a canary value on
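Review bot: The new `depends on X86_64 || !PAX_MEMORY_UDEREF` removes the stack protector from 32-bit builds that enable UDEREF, but the help text is unchanged. The option simply disappears from the menu and the canary is lost without notice. The cause is presumably the `%gs` usage visible in the `X86_32_LAZY_GS` hunk and the `__copyuser_seg "gs;"` define in `uaccess.h`. Suggest adding a help line such as `On 32-bit this option cannot be combined with PAX_MEMORY_UDEREF.` so the trade-off between the two mitigations is an explicit choice.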
12005@@ -1517,6 +1518,7 @@ config KEXEC_JUMP
12006 config PHYSICAL_START
12007 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
12008 default "0x1000000"
12009+ range 0x400000 0x40000000
12010 ---help---
12011 This gives the physical address where the kernel is loaded.
12012
12013@@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
12014 hex
12015 prompt "Alignment value to which kernel should be aligned" if X86_32
12016 default "0x1000000"
12017+ range 0x400000 0x1000000 if PAX_KERNEXEC
12018 range 0x2000 0x1000000
12019 ---help---
12020 This value puts the alignment restrictions on physical address
12021@@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
12022 Say N if you want to disable CPU hotplug.
12023
12024 config COMPAT_VDSO
12025- def_bool y
12026+ def_bool n
12027 prompt "Compat VDSO support"
12028 depends on X86_32 || IA32_EMULATION
12029+ depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
12030 ---help---
12031 Map the 32-bit VDSO to the predictable old-style address too.
12032 ---help---
12033diff -urNp linux-2.6.32.48/arch/x86/Kconfig.cpu linux-2.6.32.48/arch/x86/Kconfig.cpu
12034--- linux-2.6.32.48/arch/x86/Kconfig.cpu 2011-11-08 19:02:43.000000000 -0500
12035+++ linux-2.6.32.48/arch/x86/Kconfig.cpu 2011-11-15 19:59:42.000000000 -0500
12036@@ -340,7 +340,7 @@ config X86_PPRO_FENCE
12037
12038 config X86_F00F_BUG
12039 def_bool y
12040- depends on M586MMX || M586TSC || M586 || M486 || M386
12041+ depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
12042
12043 config X86_WP_WORKS_OK
12044 def_bool y
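Review bot: `&& !PAX_KERNEXEC` drops the F00F erratum workaround from kernels built for the listed CPU families (`M586MMX`, `M586TSC`, `M586`, `M486`, `M386`) whenever KERNEXEC is enabled. Nothing visible here prevents that combination. If the two cannot coexist, it is safer to express the conflict on the KERNEXEC side so that a build for those CPUs keeps the workaround. `PAX_KERNEXEC`'s own `depends on` is outside this file, so check whether it already excludes them. At minimum, add a comment above the line, e.g. `# the F00F workaround is not available with KERNEXEC: <reason>`.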
12045@@ -360,7 +360,7 @@ config X86_POPAD_OK
12046
12047 config X86_ALIGNMENT_16
12048 def_bool y
12049- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12050+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12051
12052 config X86_INTEL_USERCOPY
12053 def_bool y
12054@@ -406,7 +406,7 @@ config X86_CMPXCHG64
12055 # generates cmov.
12056 config X86_CMOV
12057 def_bool y
12058- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12059+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
12060
12061 config X86_MINIMUM_CPU_FAMILY
12062 int
12063diff -urNp linux-2.6.32.48/arch/x86/Kconfig.debug linux-2.6.32.48/arch/x86/Kconfig.debug
12064--- linux-2.6.32.48/arch/x86/Kconfig.debug 2011-11-08 19:02:43.000000000 -0500
12065+++ linux-2.6.32.48/arch/x86/Kconfig.debug 2011-11-15 19:59:42.000000000 -0500
12066@@ -99,7 +99,7 @@ config X86_PTDUMP
12067 config DEBUG_RODATA
12068 bool "Write protect kernel read-only data structures"
12069 default y
12070- depends on DEBUG_KERNEL
12071+ depends on DEBUG_KERNEL && BROKEN
12072 ---help---
12073 Mark the kernel read-only data as write-protected in the pagetables,
12074 in order to catch accidental (and incorrect) writes to such const
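Review bot: `depends on DEBUG_KERNEL && BROKEN` makes `DEBUG_RODATA` unselectable for every configuration, including kernels built without any PaX feature that might replace it. The reason is not stated. It may be related to the `text_poke()` rewrite in `alternative.c`, which now writes kernel text directly. Suggest a comment above the line, e.g. `# BROKEN: <reason>; read-only kernel data is provided by <option> instead`. The help text should also note that kernels without that replacement option get no write protection of read-only data.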
12075diff -urNp linux-2.6.32.48/arch/x86/kernel/acpi/realmode/Makefile linux-2.6.32.48/arch/x86/kernel/acpi/realmode/Makefile
12076--- linux-2.6.32.48/arch/x86/kernel/acpi/realmode/Makefile 2011-11-08 19:02:43.000000000 -0500
12077+++ linux-2.6.32.48/arch/x86/kernel/acpi/realmode/Makefile 2011-11-15 19:59:42.000000000 -0500
12078@@ -41,6 +41,9 @@ KBUILD_CFLAGS := $(LINUXINCLUDE) -g -Os
12079 $(call cc-option, -fno-stack-protector) \
12080 $(call cc-option, -mpreferred-stack-boundary=2)
12081 KBUILD_CFLAGS += $(call cc-option, -m32)
12082+ifdef CONSTIFY_PLUGIN
12083+KBUILD_CFLAGS += $(CONSTIFY_PLUGIN) -fplugin-arg-constify_plugin-no-constify
12084+endif
12085 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12086 GCOV_PROFILE := n
12087
12088diff -urNp linux-2.6.32.48/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.48/arch/x86/kernel/acpi/realmode/wakeup.S
12089--- linux-2.6.32.48/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-08 19:02:43.000000000 -0500
12090+++ linux-2.6.32.48/arch/x86/kernel/acpi/realmode/wakeup.S 2011-11-15 19:59:42.000000000 -0500
12091@@ -91,6 +91,9 @@ _start:
12092 /* Do any other stuff... */
12093
12094 #ifndef CONFIG_64BIT
12095+ /* Recheck NX bit overrides (64bit path does this in trampoline) */
12096+ call verify_cpu
12097+
12098 /* This could also be done in C code... */
12099 movl pmode_cr3, %eax
12100 movl %eax, %cr3
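Review bot: The result of `call verify_cpu` is discarded: the next instruction overwrites `%eax` with `pmode_cr3`. The return convention of `verify_cpu` is defined in the included `verify_cpu.S`, which is not shown here. If the call is made only for its side effect, as the added comment suggests, extend the comment to say so, e.g. `/* Recheck NX bit overrides (64bit path does this in trampoline); return value intentionally ignored */`. Otherwise test the result before `%cr3` is loaded.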
12101@@ -104,7 +107,7 @@ _start:
12102 movl %eax, %ecx
12103 orl %edx, %ecx
12104 jz 1f
12105- movl $0xc0000080, %ecx
12106+ mov $MSR_EFER, %ecx
12107 wrmsr
12108 1:
12109
12110@@ -114,6 +117,7 @@ _start:
12111 movl pmode_cr0, %eax
12112 movl %eax, %cr0
12113 jmp pmode_return
12114+# include "../../verify_cpu.S"
12115 #else
12116 pushw $0
12117 pushw trampoline_segment
12118diff -urNp linux-2.6.32.48/arch/x86/kernel/acpi/sleep.c linux-2.6.32.48/arch/x86/kernel/acpi/sleep.c
12119--- linux-2.6.32.48/arch/x86/kernel/acpi/sleep.c 2011-11-08 19:02:43.000000000 -0500
12120+++ linux-2.6.32.48/arch/x86/kernel/acpi/sleep.c 2011-11-15 19:59:42.000000000 -0500
12121@@ -11,11 +11,12 @@
12122 #include <linux/cpumask.h>
12123 #include <asm/segment.h>
12124 #include <asm/desc.h>
12125+#include <asm/e820.h>
12126
12127 #include "realmode/wakeup.h"
12128 #include "sleep.h"
12129
12130-unsigned long acpi_wakeup_address;
12131+unsigned long acpi_wakeup_address = 0x2000;
12132 unsigned long acpi_realmode_flags;
12133
12134 /* address in low memory of the wakeup routine. */
12135@@ -98,9 +99,13 @@ int acpi_save_state_mem(void)
12136 #else /* CONFIG_64BIT */
12137 header->trampoline_segment = setup_trampoline() >> 4;
12138 #ifdef CONFIG_SMP
12139- stack_start.sp = temp_stack + sizeof(temp_stack);
12140+ stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
12141+
12142+ pax_open_kernel();
12143 early_gdt_descr.address =
12144 (unsigned long)get_cpu_gdt_table(smp_processor_id());
12145+ pax_close_kernel();
12146+
12147 initial_gs = per_cpu_offset(smp_processor_id());
12148 #endif
12149 initial_code = (unsigned long)wakeup_long64;
12150@@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
12151 return;
12152 }
12153
12154- acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
12155-
12156- if (!acpi_realmode) {
12157- printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
12158- return;
12159- }
12160-
12161- acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
12162+ reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
12163+ acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
12164 }
12165
12166
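Review bot: `acpi_reserve_bootmem()` now reserves a fixed physical range starting at the hard-coded `0x2000` (set in the first hunk) and has lost its failure path. The removed code printed "S3 disabled" and returned when low memory could not be allocated. Nothing visible checks that the range is usable RAM or not already reserved, and the newly included `asm/e820.h` is not used in the visible hunks. Confirm what `reserve_early()` does on an overlapping reservation, and give the address a named constant with a comment. The added line also ends in a stray `;;` and should read `acpi_realmode = (unsigned long)__va(acpi_wakeup_address);`. The function starts outside the hunk.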
12167diff -urNp linux-2.6.32.48/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.48/arch/x86/kernel/acpi/wakeup_32.S
12168--- linux-2.6.32.48/arch/x86/kernel/acpi/wakeup_32.S 2011-11-08 19:02:43.000000000 -0500
12169+++ linux-2.6.32.48/arch/x86/kernel/acpi/wakeup_32.S 2011-11-15 19:59:42.000000000 -0500
12170@@ -30,13 +30,11 @@ wakeup_pmode_return:
12171 # and restore the stack ... but you need gdt for this to work
12172 movl saved_context_esp, %esp
12173
12174- movl %cs:saved_magic, %eax
12175- cmpl $0x12345678, %eax
12176+ cmpl $0x12345678, saved_magic
12177 jne bogus_magic
12178
12179 # jump to place where we left off
12180- movl saved_eip, %eax
12181- jmp *%eax
12182+ jmp *(saved_eip)
12183
12184 bogus_magic:
12185 jmp bogus_magic
12186diff -urNp linux-2.6.32.48/arch/x86/kernel/alternative.c linux-2.6.32.48/arch/x86/kernel/alternative.c
12187--- linux-2.6.32.48/arch/x86/kernel/alternative.c 2011-11-08 19:02:43.000000000 -0500
12188+++ linux-2.6.32.48/arch/x86/kernel/alternative.c 2011-11-15 19:59:42.000000000 -0500
12189@@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
12190
12191 BUG_ON(p->len > MAX_PATCH_LEN);
12192 /* prep the buffer with the original instructions */
12193- memcpy(insnbuf, p->instr, p->len);
12194+ memcpy(insnbuf, ktla_ktva(p->instr), p->len);
12195 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
12196 (unsigned long)p->instr, p->len);
12197
12198@@ -475,7 +475,7 @@ void __init alternative_instructions(voi
12199 if (smp_alt_once)
12200 free_init_pages("SMP alternatives",
12201 (unsigned long)__smp_locks,
12202- (unsigned long)__smp_locks_end);
12203+ PAGE_ALIGN((unsigned long)__smp_locks_end));
12204
12205 restart_nmi();
12206 }
12207@@ -492,13 +492,17 @@ void __init alternative_instructions(voi
12208 * instructions. And on the local CPU you need to be protected again NMI or MCE
12209 * handlers seeing an inconsistent instruction while you patch.
12210 */
12211-static void *__init_or_module text_poke_early(void *addr, const void *opcode,
12212+static void *__kprobes text_poke_early(void *addr, const void *opcode,
12213 size_t len)
12214 {
12215 unsigned long flags;
12216 local_irq_save(flags);
12217- memcpy(addr, opcode, len);
12218+
12219+ pax_open_kernel();
12220+ memcpy(ktla_ktva(addr), opcode, len);
12221 sync_core();
12222+ pax_close_kernel();
12223+
12224 local_irq_restore(flags);
12225 /* Could also do a CLFLUSH here to speed up CPU recovery; but
12226 that causes hangs on some VIA CPUs. */
12227@@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
12228 */
12229 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
12230 {
12231- unsigned long flags;
12232- char *vaddr;
12233+ unsigned char *vaddr = ktla_ktva(addr);
12234 struct page *pages[2];
12235- int i;
12236+ size_t i;
12237
12238 if (!core_kernel_text((unsigned long)addr)) {
12239- pages[0] = vmalloc_to_page(addr);
12240- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
12241+ pages[0] = vmalloc_to_page(vaddr);
12242+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
12243 } else {
12244- pages[0] = virt_to_page(addr);
12245+ pages[0] = virt_to_page(vaddr);
12246 WARN_ON(!PageReserved(pages[0]));
12247- pages[1] = virt_to_page(addr + PAGE_SIZE);
12248+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
12249 }
12250 BUG_ON(!pages[0]);
12251- local_irq_save(flags);
12252- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
12253- if (pages[1])
12254- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
12255- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
12256- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
12257- clear_fixmap(FIX_TEXT_POKE0);
12258- if (pages[1])
12259- clear_fixmap(FIX_TEXT_POKE1);
12260- local_flush_tlb();
12261- sync_core();
12262- /* Could also do a CLFLUSH here to speed up CPU recovery; but
12263- that causes hangs on some VIA CPUs. */
12264+ text_poke_early(addr, opcode, len);
12265 for (i = 0; i < len; i++)
12266- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
12267- local_irq_restore(flags);
12268+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
12269 return addr;
12270 }
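Review bot: After the rewrite, `pages[]` is used only by `BUG_ON(!pages[0])` and the `WARN_ON`, so the two `pages[1] = ...(vaddr + PAGE_SIZE)` lookups are dead work and can be dropped along with the second array slot. The write no longer goes through a temporary fixmap alias but straight to `ktla_ktva(addr)` via `text_poke_early()`. It therefore relies on `pax_open_kernel()` making that mapping writable. What that does when KERNEXEC is disabled is not visible here and should be stated in the function comment, which starts outside the hunk. The verification loop now also runs after `local_irq_restore()`, whereas the removed code compared the bytes with interrupts still off; if that ordering mattered, the check belongs inside `text_poke_early()`.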
12271diff -urNp linux-2.6.32.48/arch/x86/kernel/amd_iommu.c linux-2.6.32.48/arch/x86/kernel/amd_iommu.c
12272--- linux-2.6.32.48/arch/x86/kernel/amd_iommu.c 2011-11-08 19:02:43.000000000 -0500
12273+++ linux-2.6.32.48/arch/x86/kernel/amd_iommu.c 2011-11-15 19:59:42.000000000 -0500
12274@@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
12275 }
12276 }
12277
12278-static struct dma_map_ops amd_iommu_dma_ops = {
12279+static const struct dma_map_ops amd_iommu_dma_ops = {
12280 .alloc_coherent = alloc_coherent,
12281 .free_coherent = free_coherent,
12282 .map_page = map_page,
12283diff -urNp linux-2.6.32.48/arch/x86/kernel/apic/apic.c linux-2.6.32.48/arch/x86/kernel/apic/apic.c
12284--- linux-2.6.32.48/arch/x86/kernel/apic/apic.c 2011-11-08 19:02:43.000000000 -0500
12285+++ linux-2.6.32.48/arch/x86/kernel/apic/apic.c 2011-11-15 19:59:42.000000000 -0500
12286@@ -170,7 +170,7 @@ int first_system_vector = 0xfe;
12287 /*
12288 * Debug level, exported for io_apic.c
12289 */
12290-unsigned int apic_verbosity;
12291+int apic_verbosity;
12292
12293 int pic_mode;
12294
12295@@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
12296 apic_write(APIC_ESR, 0);
12297 v1 = apic_read(APIC_ESR);
12298 ack_APIC_irq();
12299- atomic_inc(&irq_err_count);
12300+ atomic_inc_unchecked(&irq_err_count);
12301
12302 /*
12303 * Here is what the APIC error bits mean:
12304@@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
12305 u16 *bios_cpu_apicid;
12306 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
12307
12308+ pax_track_stack();
12309+
12310 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
12311 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
12312
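Review bot: The switch to `atomic_inc_unchecked(&irq_err_count)` in smp_error_interrupt has no comment saying why this counter is exempt from overflow detection. I would add `/* statistics only: wrap-around is harmless, so no overflow check */` above the call. The declaration of `irq_err_count` is outside this file section, so its type must change to `atomic_unchecked_t` elsewhere in the patch for this to build. The same applies to `irq_mis_count` in apic/io_apic.c, where the definition and the increment are both converted without a comment. The `apic_verbosity` change from `unsigned int` to `int` likewise needs its extern declaration, not shown here, to match.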
12313diff -urNp linux-2.6.32.48/arch/x86/kernel/apic/io_apic.c linux-2.6.32.48/arch/x86/kernel/apic/io_apic.c
12314--- linux-2.6.32.48/arch/x86/kernel/apic/io_apic.c 2011-11-08 19:02:43.000000000 -0500
12315+++ linux-2.6.32.48/arch/x86/kernel/apic/io_apic.c 2011-11-15 19:59:42.000000000 -0500
12316@@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
12317 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
12318 GFP_ATOMIC);
12319 if (!ioapic_entries)
12320- return 0;
12321+ return NULL;
12322
12323 for (apic = 0; apic < nr_ioapics; apic++) {
12324 ioapic_entries[apic] =
12325@@ -733,7 +733,7 @@ nomem:
12326 kfree(ioapic_entries[apic]);
12327 kfree(ioapic_entries);
12328
12329- return 0;
12330+ return NULL;
12331 }
12332
12333 /*
12334@@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
12335 }
12336 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
12337
12338-void lock_vector_lock(void)
12339+void lock_vector_lock(void) __acquires(vector_lock)
12340 {
12341 /* Used to the online set of cpus does not change
12342 * during assign_irq_vector.
12343@@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
12344 spin_lock(&vector_lock);
12345 }
12346
12347-void unlock_vector_lock(void)
12348+void unlock_vector_lock(void) __releases(vector_lock)
12349 {
12350 spin_unlock(&vector_lock);
12351 }
12352@@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
12353 ack_APIC_irq();
12354 }
12355
12356-atomic_t irq_mis_count;
12357+atomic_unchecked_t irq_mis_count;
12358
12359 static void ack_apic_level(unsigned int irq)
12360 {
12361@@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
12362
12363 /* Tail end of version 0x11 I/O APIC bug workaround */
12364 if (!(v & (1 << (i & 0x1f)))) {
12365- atomic_inc(&irq_mis_count);
12366+ atomic_inc_unchecked(&irq_mis_count);
12367 spin_lock(&ioapic_lock);
12368 __mask_and_edge_IO_APIC_irq(cfg);
12369 __unmask_and_level_IO_APIC_irq(cfg);
12370diff -urNp linux-2.6.32.48/arch/x86/kernel/apm_32.c linux-2.6.32.48/arch/x86/kernel/apm_32.c
12371--- linux-2.6.32.48/arch/x86/kernel/apm_32.c 2011-11-08 19:02:43.000000000 -0500
12372+++ linux-2.6.32.48/arch/x86/kernel/apm_32.c 2011-11-15 19:59:42.000000000 -0500
12373@@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
12374 * This is for buggy BIOS's that refer to (real mode) segment 0x40
12375 * even though they are called in protected mode.
12376 */
12377-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
12378+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
12379 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
12380
12381 static const char driver_version[] = "1.16ac"; /* no spaces */
12382@@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
12383 BUG_ON(cpu != 0);
12384 gdt = get_cpu_gdt_table(cpu);
12385 save_desc_40 = gdt[0x40 / 8];
12386+
12387+ pax_open_kernel();
12388 gdt[0x40 / 8] = bad_bios_desc;
12389+ pax_close_kernel();
12390
12391 apm_irq_save(flags);
12392 APM_DO_SAVE_SEGS;
12393@@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
12394 &call->esi);
12395 APM_DO_RESTORE_SEGS;
12396 apm_irq_restore(flags);
12397+
12398+ pax_open_kernel();
12399 gdt[0x40 / 8] = save_desc_40;
12400+ pax_close_kernel();
12401+
12402 put_cpu();
12403
12404 return call->eax & 0xff;
12405@@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
12406 BUG_ON(cpu != 0);
12407 gdt = get_cpu_gdt_table(cpu);
12408 save_desc_40 = gdt[0x40 / 8];
12409+
12410+ pax_open_kernel();
12411 gdt[0x40 / 8] = bad_bios_desc;
12412+ pax_close_kernel();
12413
12414 apm_irq_save(flags);
12415 APM_DO_SAVE_SEGS;
12416@@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
12417 &call->eax);
12418 APM_DO_RESTORE_SEGS;
12419 apm_irq_restore(flags);
12420+
12421+ pax_open_kernel();
12422 gdt[0x40 / 8] = save_desc_40;
12423+ pax_close_kernel();
12424+
12425 put_cpu();
12426 return error;
12427 }
12428@@ -975,7 +989,7 @@ recalc:
12429
12430 static void apm_power_off(void)
12431 {
12432- unsigned char po_bios_call[] = {
12433+ const unsigned char po_bios_call[] = {
12434 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
12435 0x8e, 0xd0, /* movw ax,ss */
12436 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
12437@@ -2357,12 +2371,15 @@ static int __init apm_init(void)
12438 * code to that CPU.
12439 */
12440 gdt = get_cpu_gdt_table(0);
12441+
12442+ pax_open_kernel();
12443 set_desc_base(&gdt[APM_CS >> 3],
12444 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
12445 set_desc_base(&gdt[APM_CS_16 >> 3],
12446 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
12447 set_desc_base(&gdt[APM_DS >> 3],
12448 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
12449+ pax_close_kernel();
12450
12451 proc_create("apm", 0, NULL, &apm_file_ops);
12452
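Review bot: The descriptor type of `bad_bios_desc` changes from 0x4092 to 0x4093 with no explanation, so a later cleanup could easily revert it. The extra bit is the segment's accessed flag; presumably it is pre-set so the CPU never has to write it back into a GDT that is only writable between `pax_open_kernel()` and `pax_close_kernel()`. A comment such as `/* accessed bit pre-set: the GDT is read-only outside pax_open_kernel() */` would record that. The open/assign/close sequence for `gdt[0x40 / 8]` is now repeated four times across __apm_bios_call and __apm_bios_call_simple, so a small static helper would make it harder to leave an open without its close. Both functions extend outside the hunks shown.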
12453diff -urNp linux-2.6.32.48/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.48/arch/x86/kernel/asm-offsets_32.c
12454--- linux-2.6.32.48/arch/x86/kernel/asm-offsets_32.c 2011-11-08 19:02:43.000000000 -0500
12455+++ linux-2.6.32.48/arch/x86/kernel/asm-offsets_32.c 2011-11-15 19:59:42.000000000 -0500
12456@@ -51,7 +51,6 @@ void foo(void)
12457 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
12458 BLANK();
12459
12460- OFFSET(TI_task, thread_info, task);
12461 OFFSET(TI_exec_domain, thread_info, exec_domain);
12462 OFFSET(TI_flags, thread_info, flags);
12463 OFFSET(TI_status, thread_info, status);
12464@@ -60,6 +59,8 @@ void foo(void)
12465 OFFSET(TI_restart_block, thread_info, restart_block);
12466 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
12467 OFFSET(TI_cpu, thread_info, cpu);
12468+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
12469+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12470 BLANK();
12471
12472 OFFSET(GDS_size, desc_ptr, size);
12473@@ -99,6 +100,7 @@ void foo(void)
12474
12475 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12476 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
12477+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12478 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
12479 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
12480 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
12481@@ -115,6 +117,11 @@ void foo(void)
12482 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
12483 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12484 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12485+
12486+#ifdef CONFIG_PAX_KERNEXEC
12487+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12488+#endif
12489+
12490 #endif
12491
12492 #ifdef CONFIG_XEN
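Review bot: `TI_task_thread_sp0` is defined as the difference of two `offsetof()` values on `struct task_struct`, which only gives a usable displacement if `thread_info` is embedded in the task as the `tinfo` member, and nothing at the definition says so. A comment above it, e.g. `/* displacement from the embedded thread_info (task_struct.tinfo) to task->thread.sp0 */`, would make that layout dependency explicit for anyone editing the entry assembly. The same undocumented line is added in asm-offsets_64.c. Removing `TI_task` also means any assembly still using that symbol will fail to build; its users are outside this section.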
12493diff -urNp linux-2.6.32.48/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.48/arch/x86/kernel/asm-offsets_64.c
12494--- linux-2.6.32.48/arch/x86/kernel/asm-offsets_64.c 2011-11-08 19:02:43.000000000 -0500
12495+++ linux-2.6.32.48/arch/x86/kernel/asm-offsets_64.c 2011-11-15 19:59:42.000000000 -0500
12496@@ -44,6 +44,8 @@ int main(void)
12497 ENTRY(addr_limit);
12498 ENTRY(preempt_count);
12499 ENTRY(status);
12500+ ENTRY(lowest_stack);
12501+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
12502 #ifdef CONFIG_IA32_EMULATION
12503 ENTRY(sysenter_return);
12504 #endif
12505@@ -63,6 +65,18 @@ int main(void)
12506 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
12507 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
12508 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
12509+
12510+#ifdef CONFIG_PAX_KERNEXEC
12511+ OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
12512+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
12513+#endif
12514+
12515+#ifdef CONFIG_PAX_MEMORY_UDEREF
12516+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
12517+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
12518+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
12519+#endif
12520+
12521 #endif
12522
12523
12524@@ -115,6 +129,7 @@ int main(void)
12525 ENTRY(cr8);
12526 BLANK();
12527 #undef ENTRY
12528+ DEFINE(TSS_size, sizeof(struct tss_struct));
12529 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
12530 BLANK();
12531 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
12532@@ -130,6 +145,7 @@ int main(void)
12533
12534 BLANK();
12535 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
12536+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
12537 #ifdef CONFIG_XEN
12538 BLANK();
12539 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
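--- a/arch/x86/kernel/cpu/amd.c
+++ b/arch/x86/kernel/cpu/amd.c
@@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
 unsigned int size)
 {
 /* AMD errata T13 (order #21922) */
- if ((c->x86 == 6)) {
+ if (c->x86 == 6) {
 /* Duron Rev A0 */
 if (c->x86_model == 3 && c->x86_mask == 0)
 size = 64;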
12552diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/common.c linux-2.6.32.48/arch/x86/kernel/cpu/common.c
12553--- linux-2.6.32.48/arch/x86/kernel/cpu/common.c 2011-11-08 19:02:43.000000000 -0500
12554+++ linux-2.6.32.48/arch/x86/kernel/cpu/common.c 2011-11-15 19:59:42.000000000 -0500
12555@@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
12556
12557 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
12558
12559-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
12560-#ifdef CONFIG_X86_64
12561- /*
12562- * We need valid kernel segments for data and code in long mode too
12563- * IRET will check the segment types kkeil 2000/10/28
12564- * Also sysret mandates a special GDT layout
12565- *
12566- * TLS descriptors are currently at a different place compared to i386.
12567- * Hopefully nobody expects them at a fixed place (Wine?)
12568- */
12569- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
12570- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
12571- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
12572- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
12573- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
12574- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
12575-#else
12576- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
12577- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12578- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
12579- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
12580- /*
12581- * Segments used for calling PnP BIOS have byte granularity.
12582- * They code segments and data segments have fixed 64k limits,
12583- * the transfer segment sizes are set at run time.
12584- */
12585- /* 32-bit code */
12586- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12587- /* 16-bit code */
12588- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12589- /* 16-bit data */
12590- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
12591- /* 16-bit data */
12592- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
12593- /* 16-bit data */
12594- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
12595- /*
12596- * The APM segments have byte granularity and their bases
12597- * are set at run time. All have 64k limits.
12598- */
12599- /* 32-bit code */
12600- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
12601- /* 16-bit code */
12602- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
12603- /* data */
12604- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
12605-
12606- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12607- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
12608- GDT_STACK_CANARY_INIT
12609-#endif
12610-} };
12611-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
12612-
12613 static int __init x86_xsave_setup(char *s)
12614 {
12615 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
12616@@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
12617 {
12618 struct desc_ptr gdt_descr;
12619
12620- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
12621+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
12622 gdt_descr.size = GDT_SIZE - 1;
12623 load_gdt(&gdt_descr);
12624 /* Reload the per-cpu base */
12625@@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
12626 /* Filter out anything that depends on CPUID levels we don't have */
12627 filter_cpuid_features(c, true);
12628
12629+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
12630+ setup_clear_cpu_cap(X86_FEATURE_SEP);
12631+#endif
12632+
12633 /* If the model name is still unset, do table lookup. */
12634 if (!c->x86_model_id[0]) {
12635 const char *p;
12636@@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
12637 }
12638 __setup("clearcpuid=", setup_disablecpuid);
12639
12640+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
12641+EXPORT_PER_CPU_SYMBOL(current_tinfo);
12642+
12643 #ifdef CONFIG_X86_64
12644 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
12645
12646@@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
12647 EXPORT_PER_CPU_SYMBOL(current_task);
12648
12649 DEFINE_PER_CPU(unsigned long, kernel_stack) =
12650- (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
12651+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
12652 EXPORT_PER_CPU_SYMBOL(kernel_stack);
12653
12654 DEFINE_PER_CPU(char *, irq_stack_ptr) =
12655@@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
12656 {
12657 memset(regs, 0, sizeof(struct pt_regs));
12658 regs->fs = __KERNEL_PERCPU;
12659- regs->gs = __KERNEL_STACK_CANARY;
12660+ savesegment(gs, regs->gs);
12661
12662 return regs;
12663 }
12664@@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
12665 int i;
12666
12667 cpu = stack_smp_processor_id();
12668- t = &per_cpu(init_tss, cpu);
12669+ t = init_tss + cpu;
12670 orig_ist = &per_cpu(orig_ist, cpu);
12671
12672 #ifdef CONFIG_NUMA
12673@@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
12674 switch_to_new_gdt(cpu);
12675 loadsegment(fs, 0);
12676
12677- load_idt((const struct desc_ptr *)&idt_descr);
12678+ load_idt(&idt_descr);
12679
12680 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
12681 syscall_init();
12682@@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
12683 wrmsrl(MSR_KERNEL_GS_BASE, 0);
12684 barrier();
12685
12686- check_efer();
12687 if (cpu != 0)
12688 enable_x2apic();
12689
12690@@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
12691 {
12692 int cpu = smp_processor_id();
12693 struct task_struct *curr = current;
12694- struct tss_struct *t = &per_cpu(init_tss, cpu);
12695+ struct tss_struct *t = init_tss + cpu;
12696 struct thread_struct *thread = &curr->thread;
12697
12698 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
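Review bot: The `kernel_stack` initializer now hard-codes `16` where `KERNEL_STACK_OFFSET` stood, so the gap left at the top of the stack is a magic number that has to match whatever the entry code assumes. If the named constant is being retired, add at least `/* 16 bytes reserved at the top of the initial kernel stack */` next to it; otherwise keep the name. Separately, the `setup_clear_cpu_cap(X86_FEATURE_SEP)` block in identify_cpu disables a CPU feature for three configurations without a comment saying why. `check_efer()` is also dropped from cpu_init with no replacement visible in this section.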
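--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
 * Update the IDT descriptor and reload the IDT so that
 * it uses the read-only mapped virtual address.
 */
- idt_descr.address = fix_to_virt(FIX_F00F_IDT);
+ idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
 load_idt(&idt_descr);
 }
 #endif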
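Review bot: The new cast assigns a `struct desc_struct *` to `idt_descr.address`, while switch_to_new_gdt in cpu/common.c in the same patch casts to `unsigned long` when storing into `gdt_descr.address`. doublefault_32.c in turn casts the field back to `unsigned long` when reading it. The definition of `struct desc_ptr` is outside this section, so one of these casts is either redundant or hiding a pointer/integer mismatch. It is worth confirming the field's type and making the three sites agree. trap_init_f00f_bug starts before the hunk.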
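--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
@@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
 return ret;
 }
 
-static struct sysfs_ops sysfs_ops = {
+static const struct sysfs_ops sysfs_ops = {
 .show = show,
 .store = store,
 };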
12723diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/Makefile linux-2.6.32.48/arch/x86/kernel/cpu/Makefile
12724--- linux-2.6.32.48/arch/x86/kernel/cpu/Makefile 2011-11-08 19:02:43.000000000 -0500
12725+++ linux-2.6.32.48/arch/x86/kernel/cpu/Makefile 2011-11-15 19:59:42.000000000 -0500
12726@@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
12727 CFLAGS_REMOVE_common.o = -pg
12728 endif
12729
12730-# Make sure load_percpu_segment has no stackprotector
12731-nostackp := $(call cc-option, -fno-stack-protector)
12732-CFLAGS_common.o := $(nostackp)
12733-
12734 obj-y := intel_cacheinfo.o addon_cpuid_features.o
12735 obj-y += proc.o capflags.o powerflags.o common.o
12736 obj-y += vmware.o hypervisor.o sched.o
12737diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce_amd.c
12738--- linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-11-08 19:02:43.000000000 -0500
12739+++ linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-11-15 19:59:42.000000000 -0500
12740@@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
12741 return ret;
12742 }
12743
12744-static struct sysfs_ops threshold_ops = {
12745+static const struct sysfs_ops threshold_ops = {
12746 .show = show,
12747 .store = store,
12748 };
12749diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce.c
12750--- linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-08 19:02:43.000000000 -0500
12751+++ linux-2.6.32.48/arch/x86/kernel/cpu/mcheck/mce.c 2011-11-15 19:59:42.000000000 -0500
12752@@ -43,6 +43,7 @@
12753 #include <asm/ipi.h>
12754 #include <asm/mce.h>
12755 #include <asm/msr.h>
12756+#include <asm/local.h>
12757
12758 #include "mce-internal.h"
12759
12760@@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
12761 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
12762 m->cs, m->ip);
12763
12764- if (m->cs == __KERNEL_CS)
12765+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
12766 print_symbol("{%s}", m->ip);
12767 pr_cont("\n");
12768 }
12769@@ -221,10 +222,10 @@ static void print_mce_tail(void)
12770
12771 #define PANIC_TIMEOUT 5 /* 5 seconds */
12772
12773-static atomic_t mce_paniced;
12774+static atomic_unchecked_t mce_paniced;
12775
12776 static int fake_panic;
12777-static atomic_t mce_fake_paniced;
12778+static atomic_unchecked_t mce_fake_paniced;
12779
12780 /* Panic in progress. Enable interrupts and wait for final IPI */
12781 static void wait_for_panic(void)
12782@@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
12783 /*
12784 * Make sure only one CPU runs in machine check panic
12785 */
12786- if (atomic_inc_return(&mce_paniced) > 1)
12787+ if (atomic_inc_return_unchecked(&mce_paniced) > 1)
12788 wait_for_panic();
12789 barrier();
12790
12791@@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
12792 console_verbose();
12793 } else {
12794 /* Don't log too much for fake panic */
12795- if (atomic_inc_return(&mce_fake_paniced) > 1)
12796+ if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
12797 return;
12798 }
12799 print_mce_head();
12800@@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
12801 * might have been modified by someone else.
12802 */
12803 rmb();
12804- if (atomic_read(&mce_paniced))
12805+ if (atomic_read_unchecked(&mce_paniced))
12806 wait_for_panic();
12807 if (!monarch_timeout)
12808 goto out;
12809@@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
12810 */
12811
12812 static DEFINE_SPINLOCK(mce_state_lock);
12813-static int open_count; /* #times opened */
12814+static local_t open_count; /* #times opened */
12815 static int open_exclu; /* already open exclusive? */
12816
12817 static int mce_open(struct inode *inode, struct file *file)
12818 {
12819 spin_lock(&mce_state_lock);
12820
12821- if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
12822+ if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
12823 spin_unlock(&mce_state_lock);
12824
12825 return -EBUSY;
12826@@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
12827
12828 if (file->f_flags & O_EXCL)
12829 open_exclu = 1;
12830- open_count++;
12831+ local_inc(&open_count);
12832
12833 spin_unlock(&mce_state_lock);
12834
12835@@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
12836 {
12837 spin_lock(&mce_state_lock);
12838
12839- open_count--;
12840+ local_dec(&open_count);
12841 open_exclu = 0;
12842
12843 spin_unlock(&mce_state_lock);
12844@@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
12845 static void mce_reset(void)
12846 {
12847 cpu_missing = 0;
12848- atomic_set(&mce_fake_paniced, 0);
12849+ atomic_set_unchecked(&mce_fake_paniced, 0);
12850 atomic_set(&mce_executing, 0);
12851 atomic_set(&mce_callin, 0);
12852 atomic_set(&global_nwo, 0);
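Review bot: `open_count` becomes a `local_t`, but every access shown (in mce_open and mce_release) already happens under `mce_state_lock`, and `local_t` is intended for per-CPU counters rather than a single global shared by all openers. If the intent is to get overflow-checked increments on a counter that is bumped on every open of the device, say so at the declaration, e.g. `/* local_t for overflow-checked inc/dec; still serialised by mce_state_lock */`. Without that, the conversion reads as an accidental type change and is likely to be reverted.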
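--- a/arch/x86/kernel/cpu/mcheck/mce-inject.c
+++ b/arch/x86/kernel/cpu/mcheck/mce-inject.c
@@ -211,7 +211,9 @@ static ssize_t mce_write(struct file *fi
 static int inject_init(void)
 {
 printk(KERN_INFO "Machine check injector initialized\n");
- mce_chrdev_ops.write = mce_write;
+ pax_open_kernel();
+ *(void **)&mce_chrdev_ops.write = mce_write;
+ pax_close_kernel();
 register_die_notifier(&mce_raise_nb);
 return 0;
 }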
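Review bot: The assignment `*(void **)&mce_chrdev_ops.write = mce_write;` in inject_init goes through a `void **` cast, so the compiler no longer checks that `mce_write` matches the prototype of the `.write` member. Presumably the cast exists because `mce_chrdev_ops` is now const and only writable between `pax_open_kernel()` and `pax_close_kernel()`; its declaration is outside this section. A comment such as `/* mce_chrdev_ops is read-only: patch .write inside the open/close window */` would explain the construct and discourage someone from simplifying it back to a plain store.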
12867diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/amd.c
12868--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/amd.c 2011-11-08 19:02:43.000000000 -0500
12869+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/amd.c 2011-11-15 19:59:42.000000000 -0500
12870@@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
12871 return 0;
12872 }
12873
12874-static struct mtrr_ops amd_mtrr_ops = {
12875+static const struct mtrr_ops amd_mtrr_ops = {
12876 .vendor = X86_VENDOR_AMD,
12877 .set = amd_set_mtrr,
12878 .get = amd_get_mtrr,
12879diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/centaur.c
12880--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/centaur.c 2011-11-08 19:02:43.000000000 -0500
12881+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/centaur.c 2011-11-15 19:59:42.000000000 -0500
12882@@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
12883 return 0;
12884 }
12885
12886-static struct mtrr_ops centaur_mtrr_ops = {
12887+static const struct mtrr_ops centaur_mtrr_ops = {
12888 .vendor = X86_VENDOR_CENTAUR,
12889 .set = centaur_set_mcr,
12890 .get = centaur_get_mcr,
12891diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/cyrix.c
12892--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-11-08 19:02:43.000000000 -0500
12893+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-11-15 19:59:42.000000000 -0500
12894@@ -265,7 +265,7 @@ static void cyrix_set_all(void)
12895 post_set();
12896 }
12897
12898-static struct mtrr_ops cyrix_mtrr_ops = {
12899+static const struct mtrr_ops cyrix_mtrr_ops = {
12900 .vendor = X86_VENDOR_CYRIX,
12901 .set_all = cyrix_set_all,
12902 .set = cyrix_set_arr,
12903diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/generic.c
12904--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/generic.c 2011-11-08 19:02:43.000000000 -0500
12905+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/generic.c 2011-11-15 19:59:42.000000000 -0500
12906@@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
12907 /*
12908 * Generic structure...
12909 */
12910-struct mtrr_ops generic_mtrr_ops = {
12911+const struct mtrr_ops generic_mtrr_ops = {
12912 .use_intel_if = 1,
12913 .set_all = generic_set_all,
12914 .get = generic_get_mtrr,
12915diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/main.c
12916--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/main.c 2011-11-08 19:02:43.000000000 -0500
12917+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/main.c 2011-11-15 19:59:42.000000000 -0500
12918@@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
12919 u64 size_or_mask, size_and_mask;
12920 static bool mtrr_aps_delayed_init;
12921
12922-static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
12923+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
12924
12925-struct mtrr_ops *mtrr_if;
12926+const struct mtrr_ops *mtrr_if;
12927
12928 static void set_mtrr(unsigned int reg, unsigned long base,
12929 unsigned long size, mtrr_type type);
12930
12931-void set_mtrr_ops(struct mtrr_ops *ops)
12932+void set_mtrr_ops(const struct mtrr_ops *ops)
12933 {
12934 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12935 mtrr_ops[ops->vendor] = ops;
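Review bot: The `mtrr_ops[]` array is now tagged `__read_only`, yet set_mtrr_ops still stores into it with a plain `mtrr_ops[ops->vendor] = ops;` and is not marked `__init` in the lines shown. If `__read_only` places the array in memory that is write-protected after boot (its definition is outside this section), a late caller would fault. Either annotate set_mtrr_ops as init-only or document the constraint with `/* early init only: mtrr_ops[] is __read_only afterwards */`. The pointer `mtrr_if`, which is what callers dereference, remains an ordinary writable variable; only the structure it points to is const.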
12936diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/mtrr.h
12937--- linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-08 19:02:43.000000000 -0500
12938+++ linux-2.6.32.48/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-11-15 19:59:42.000000000 -0500
12939@@ -25,14 +25,14 @@ struct mtrr_ops {
12940 int (*validate_add_page)(unsigned long base, unsigned long size,
12941 unsigned int type);
12942 int (*have_wrcomb)(void);
12943-};
12944+} __do_const;
12945
12946 extern int generic_get_free_region(unsigned long base, unsigned long size,
12947 int replace_reg);
12948 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12949 unsigned int type);
12950
12951-extern struct mtrr_ops generic_mtrr_ops;
12952+extern const struct mtrr_ops generic_mtrr_ops;
12953
12954 extern int positive_have_wrcomb(void);
12955
12956@@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12957 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12958 void get_mtrr_state(void);
12959
12960-extern void set_mtrr_ops(struct mtrr_ops *ops);
12961+extern void set_mtrr_ops(const struct mtrr_ops *ops);
12962
12963 extern u64 size_or_mask, size_and_mask;
12964-extern struct mtrr_ops *mtrr_if;
12965+extern const struct mtrr_ops *mtrr_if;
12966
12967 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12968 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12969diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.48/arch/x86/kernel/cpu/perfctr-watchdog.c
12970--- linux-2.6.32.48/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-11-08 19:02:43.000000000 -0500
12971+++ linux-2.6.32.48/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-11-15 19:59:42.000000000 -0500
12972@@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12973
12974 /* Interface defining a CPU specific perfctr watchdog */
12975 struct wd_ops {
12976- int (*reserve)(void);
12977- void (*unreserve)(void);
12978- int (*setup)(unsigned nmi_hz);
12979- void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12980- void (*stop)(void);
12981+ int (* const reserve)(void);
12982+ void (* const unreserve)(void);
12983+ int (* const setup)(unsigned nmi_hz);
12984+ void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12985+ void (* const stop)(void);
12986 unsigned perfctr;
12987 unsigned evntsel;
12988 u64 checkbit;
12989@@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
12990 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
12991 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
12992
12993+/* cannot be const */
12994 static struct wd_ops intel_arch_wd_ops;
12995
12996 static int setup_intel_arch_watchdog(unsigned nmi_hz)
12997@@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
12998 return 1;
12999 }
13000
13001+/* cannot be const */
13002 static struct wd_ops intel_arch_wd_ops __read_mostly = {
13003 .reserve = single_msr_reserve,
13004 .unreserve = single_msr_unreserve,
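Review bot: The two `/* cannot be const */` comments on `intel_arch_wd_ops` do not say why, which is the part a later reader needs. If the reason is that setup_intel_arch_watchdog fills in fields of the structure at run time (its body is outside the hunk), state that, e.g. `/* not const: setup_intel_arch_watchdog() updates fields at run time */`. Because this instance stays in writable memory, the `* const` qualifiers added to the function-pointer members of `struct wd_ops` only stop assignments at compile time for it; they do not make those pointers read-only in memory.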
13005diff -urNp linux-2.6.32.48/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.48/arch/x86/kernel/cpu/perf_event.c
13006--- linux-2.6.32.48/arch/x86/kernel/cpu/perf_event.c 2011-11-08 19:02:43.000000000 -0500
13007+++ linux-2.6.32.48/arch/x86/kernel/cpu/perf_event.c 2011-11-15 19:59:42.000000000 -0500
13008@@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
13009 * count to the generic event atomically:
13010 */
13011 again:
13012- prev_raw_count = atomic64_read(&hwc->prev_count);
13013+ prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
13014 rdmsrl(hwc->event_base + idx, new_raw_count);
13015
13016- if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
13017+ if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
13018 new_raw_count) != prev_raw_count)
13019 goto again;
13020
13021@@ -741,7 +741,7 @@ again:
13022 delta = (new_raw_count << shift) - (prev_raw_count << shift);
13023 delta >>= shift;
13024
13025- atomic64_add(delta, &event->count);
13026+ atomic64_add_unchecked(delta, &event->count);
13027 atomic64_sub(delta, &hwc->period_left);
13028
13029 return new_raw_count;
13030@@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
13031 * The hw event starts counting from this event offset,
13032 * mark it to be able to extra future deltas:
13033 */
13034- atomic64_set(&hwc->prev_count, (u64)-left);
13035+ atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
13036
13037 err = checking_wrmsrl(hwc->event_base + idx,
13038 (u64)(-left) & x86_pmu.event_mask);
13039@@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
13040 break;
13041
13042 callchain_store(entry, frame.return_address);
13043- fp = frame.next_frame;
13044+ fp = (__force const void __user *)frame.next_frame;
13045 }
13046 }
13047
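Review bot: In perf_callchain_user, `frame.next_frame` is a value read from the user stack, and the new `(__force const void __user *)` cast only silences sparse; it validates nothing. Whether the next iteration is safe depends on the frame copy at the top of the loop checking `fp`, which is outside this hunk. Declaring `next_frame` as `const void __user *` in the frame structure would remove the need for `__force` and keep the address-space annotation checked. In x86_perf_event_update, the mix of `atomic64_add_unchecked()` on `event->count` and plain `atomic64_sub()` on `hwc->period_left` also deserves a short comment on which counters are allowed to wrap.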
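--- a/arch/x86/kernel/crash.c
+++ b/arch/x86/kernel/crash.c
@@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
 regs = args->regs;
 
 #ifdef CONFIG_X86_32
- if (!user_mode_vm(regs)) {
+ if (!user_mode(regs)) {
 crash_fixup_ss_esp(&fixed_regs, regs);
 regs = &fixed_regs;
 }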
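Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in kdump_nmi_callback is only equivalent if `user_mode()` is redefined elsewhere in this patch to account for vm86 mode. With the stock 32-bit definition, a vm86 register frame could be classified as a kernel one and passed to `crash_fixup_ss_esp()`. That redefinition is not visible in this section, so it should be confirmed, and a comment like `/* user_mode() also covers vm86 frames */` would record the assumption. The same substitution is made in show_registers in dumpstack_32.c.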
13060diff -urNp linux-2.6.32.48/arch/x86/kernel/doublefault_32.c linux-2.6.32.48/arch/x86/kernel/doublefault_32.c
13061--- linux-2.6.32.48/arch/x86/kernel/doublefault_32.c 2011-11-08 19:02:43.000000000 -0500
13062+++ linux-2.6.32.48/arch/x86/kernel/doublefault_32.c 2011-11-15 19:59:42.000000000 -0500
13063@@ -11,7 +11,7 @@
13064
13065 #define DOUBLEFAULT_STACKSIZE (1024)
13066 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
13067-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
13068+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
13069
13070 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
13071
13072@@ -21,7 +21,7 @@ static void doublefault_fn(void)
13073 unsigned long gdt, tss;
13074
13075 store_gdt(&gdt_desc);
13076- gdt = gdt_desc.address;
13077+ gdt = (unsigned long)gdt_desc.address;
13078
13079 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
13080
13081@@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
13082 /* 0x2 bit is always set */
13083 .flags = X86_EFLAGS_SF | 0x2,
13084 .sp = STACK_START,
13085- .es = __USER_DS,
13086+ .es = __KERNEL_DS,
13087 .cs = __KERNEL_CS,
13088 .ss = __KERNEL_DS,
13089- .ds = __USER_DS,
13090+ .ds = __KERNEL_DS,
13091 .fs = __KERNEL_PERCPU,
13092
13093 .__cr3 = __pa_nodebug(swapper_pg_dir),
13094diff -urNp linux-2.6.32.48/arch/x86/kernel/dumpstack_32.c linux-2.6.32.48/arch/x86/kernel/dumpstack_32.c
13095--- linux-2.6.32.48/arch/x86/kernel/dumpstack_32.c 2011-11-08 19:02:43.000000000 -0500
13096+++ linux-2.6.32.48/arch/x86/kernel/dumpstack_32.c 2011-11-18 18:10:09.000000000 -0500
13097@@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
13098 #endif
13099
13100 for (;;) {
13101- struct thread_info *context;
13102+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13103+ bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13104
13105- context = (struct thread_info *)
13106- ((unsigned long)stack & (~(THREAD_SIZE - 1)));
13107- bp = print_context_stack(context, stack, bp, ops,
13108- data, NULL, &graph);
13109-
13110- stack = (unsigned long *)context->previous_esp;
13111- if (!stack)
13112+ if (stack_start == task_stack_page(task))
13113 break;
13114+ stack = *(unsigned long **)stack_start;
13115 if (ops->stack(data, "IRQ") < 0)
13116 break;
13117 touch_nmi_watchdog();
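Review bot: The rewritten loop in dump_trace loads the next stack with `stack = *(unsigned long **)stack_start;` and no longer has the `if (!stack) break;` guard that the removed lines had, so the only exit is reaching task_stack_page(task). If the word at the base of an IRQ stack is zero or stale (how it gets written is not visible in this hunk), the next pass masks it to a bogus stack_start and dereferences that while the kernel is already reporting a fault. Keeping the guard right after the load, `if (!stack) break;`, preserves the old termination behaviour. dump_trace starts and ends outside this hunk.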
13118@@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
13119 * When in-kernel, we also print out the stack and code at the
13120 * time of the fault..
13121 */
13122- if (!user_mode_vm(regs)) {
13123+ if (!user_mode(regs)) {
13124 unsigned int code_prologue = code_bytes * 43 / 64;
13125 unsigned int code_len = code_bytes;
13126 unsigned char c;
13127 u8 *ip;
13128+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
13129
13130 printk(KERN_EMERG "Stack:\n");
13131 show_stack_log_lvl(NULL, regs, &regs->sp,
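Review bot: The added `cs_base` line in show_registers indexes the per-CPU GDT with `(0xffff & regs->cs) >> 3` without looking at the selector's table-indicator bit or bounding the index, and the result is added to every address the code dump reads. The `!user_mode(regs)` branch should normally see a kernel GDT selector, but this is the oops path, where the saved registers may be exactly what is damaged. Splitting the expression makes it both readable and checkable: `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. show_registers continues outside this hunk.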
13132@@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
13133
13134 printk(KERN_EMERG "Code: ");
13135
13136- ip = (u8 *)regs->ip - code_prologue;
13137+ ip = (u8 *)regs->ip - code_prologue + cs_base;
13138 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
13139 /* try starting at IP */
13140- ip = (u8 *)regs->ip;
13141+ ip = (u8 *)regs->ip + cs_base;
13142 code_len = code_len - code_prologue + 1;
13143 }
13144 for (i = 0; i < code_len; i++, ip++) {
13145@@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
13146 printk(" Bad EIP value.");
13147 break;
13148 }
13149- if (ip == (u8 *)regs->ip)
13150+ if (ip == (u8 *)regs->ip + cs_base)
13151 printk("<%02x> ", c);
13152 else
13153 printk("%02x ", c);
13154@@ -145,10 +142,23 @@ void show_registers(struct pt_regs *regs
13155 printk("\n");
13156 }
13157
13158+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13159+void pax_check_alloca(unsigned long size)
13160+{
13161+ unsigned long sp = (unsigned long)&sp, stack_left;
13162+
13163+ /* all kernel stacks are of the same size */
13164+ stack_left = sp & (THREAD_SIZE - 1);
13165+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
13166+}
13167+EXPORT_SYMBOL(pax_check_alloca);
13168+#endif
13169+
13170 int is_valid_bugaddr(unsigned long ip)
13171 {
13172 unsigned short ud2;
13173
13174+ ip = ktla_ktva(ip);
13175 if (ip < PAGE_OFFSET)
13176 return 0;
13177 if (probe_kernel_address((unsigned short *)ip, ud2))
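Review bot: The 32-bit pax_check_alloca added here hard-codes its reserve as a bare `256` twice in one BUG_ON, and the 64-bit version in dumpstack_64.c repeats the same literal in three more BUG_ONs. A shared named constant, for example `#define PAX_ALLOCA_RESERVE 256` (name constructed for illustration), with a one-line comment saying the function deliberately halts when an alloca would leave less than that many bytes of stack, would keep the two files in step. The existing comment `all kernel stacks are of the same size` could also state that the mask relies on the stack being THREAD_SIZE-aligned.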
13178diff -urNp linux-2.6.32.48/arch/x86/kernel/dumpstack_64.c linux-2.6.32.48/arch/x86/kernel/dumpstack_64.c
13179--- linux-2.6.32.48/arch/x86/kernel/dumpstack_64.c 2011-11-08 19:02:43.000000000 -0500
13180+++ linux-2.6.32.48/arch/x86/kernel/dumpstack_64.c 2011-11-18 18:01:52.000000000 -0500
13181@@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
13182 unsigned long *irq_stack_end =
13183 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
13184 unsigned used = 0;
13185- struct thread_info *tinfo;
13186 int graph = 0;
13187+ void *stack_start;
13188
13189 if (!task)
13190 task = current;
13191@@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
13192 * current stack address. If the stacks consist of nested
13193 * exceptions
13194 */
13195- tinfo = task_thread_info(task);
13196 for (;;) {
13197 char *id;
13198 unsigned long *estack_end;
13199+
13200 estack_end = in_exception_stack(cpu, (unsigned long)stack,
13201 &used, &id);
13202
13203@@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
13204 if (ops->stack(data, id) < 0)
13205 break;
13206
13207- bp = print_context_stack(tinfo, stack, bp, ops,
13208+ bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
13209 data, estack_end, &graph);
13210 ops->stack(data, "<EOE>");
13211 /*
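Review bot: `estack_end - EXCEPTION_STKSZ` in the new print_context_stack call is pointer arithmetic on `unsigned long *estack_end`, so it steps back EXCEPTION_STKSZ longs rather than EXCEPTION_STKSZ bytes and the stack_start handed over lies well below the exception stack. The visible part of valid_stack_ptr takes the `end`-based branch when `end` is non-NULL, so the value is probably unused on this path, but it is wrong for any later user of the argument. Casting first gives the intended address: `(void *)estack_end - EXCEPTION_STKSZ`. dump_trace starts and ends outside this hunk.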
13212@@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
13213 if (stack >= irq_stack && stack < irq_stack_end) {
13214 if (ops->stack(data, "IRQ") < 0)
13215 break;
13216- bp = print_context_stack(tinfo, stack, bp,
13217+ bp = print_context_stack(task, irq_stack, stack, bp,
13218 ops, data, irq_stack_end, &graph);
13219 /*
13220 * We link to the next stack (which would be
13221@@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
13222 /*
13223 * This handles the process stack:
13224 */
13225- bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
13226+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
13227+ bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
13228 put_cpu();
13229 }
13230 EXPORT_SYMBOL(dump_trace);
13231@@ -304,3 +305,50 @@ int is_valid_bugaddr(unsigned long ip)
13232 return ud2 == 0x0b0f;
13233 }
13234
13235+
13236+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13237+void pax_check_alloca(unsigned long size)
13238+{
13239+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
13240+ unsigned cpu, used;
13241+ char *id;
13242+
13243+ /* check the process stack first */
13244+ stack_start = (unsigned long)task_stack_page(current);
13245+ stack_end = stack_start + THREAD_SIZE;
13246+ if (likely(stack_start <= sp && sp < stack_end)) {
13247+ unsigned long stack_left = sp & (THREAD_SIZE - 1);
13248+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
13249+ return;
13250+ }
13251+
13252+ cpu = get_cpu();
13253+
13254+ /* check the irq stacks */
13255+ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
13256+ stack_start = stack_end - IRQ_STACK_SIZE;
13257+ if (stack_start <= sp && sp < stack_end) {
13258+ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
13259+ put_cpu();
13260+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
13261+ return;
13262+ }
13263+
13264+ /* check the exception stacks */
13265+ used = 0;
13266+ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
13267+ stack_start = stack_end - EXCEPTION_STKSZ;
13268+ if (stack_end && stack_start <= sp && sp < stack_end) {
13269+ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
13270+ put_cpu();
13271+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
13272+ return;
13273+ }
13274+
13275+ put_cpu();
13276+
13277+ /* unknown stack */
13278+ BUG();
13279+}
13280+EXPORT_SYMBOL(pax_check_alloca);
13281+#endif
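Review bot: In the 64-bit pax_check_alloca the IRQ and exception branches compute `stack_left` as `sp & (IRQ_STACK_SIZE - 1)` and `sp & (EXCEPTION_STKSZ - 1)`, which equals the distance to the stack base only if those stacks are aligned to their own size. Nothing in this hunk establishes that, and the range test just above uses a `stack_start` derived from irq_stack_ptr, so the bounds check and the remaining-space value may be measured from different bases. Using the value already computed, `unsigned long stack_left = sp - stack_start;`, makes both agree in each branch. The exception branch also evaluates `stack_end - EXCEPTION_STKSZ` before testing `stack_end` for zero; that is harmless with unsigned arithmetic but reads more clearly with the zero test first.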
13282diff -urNp linux-2.6.32.48/arch/x86/kernel/dumpstack.c linux-2.6.32.48/arch/x86/kernel/dumpstack.c
13283--- linux-2.6.32.48/arch/x86/kernel/dumpstack.c 2011-11-08 19:02:43.000000000 -0500
13284+++ linux-2.6.32.48/arch/x86/kernel/dumpstack.c 2011-11-15 19:59:43.000000000 -0500
13285@@ -2,6 +2,9 @@
13286 * Copyright (C) 1991, 1992 Linus Torvalds
13287 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
13288 */
13289+#ifdef CONFIG_GRKERNSEC_HIDESYM
13290+#define __INCLUDED_BY_HIDESYM 1
13291+#endif
13292 #include <linux/kallsyms.h>
13293 #include <linux/kprobes.h>
13294 #include <linux/uaccess.h>
13295@@ -28,7 +31,7 @@ static int die_counter;
13296
13297 void printk_address(unsigned long address, int reliable)
13298 {
13299- printk(" [<%p>] %s%pS\n", (void *) address,
13300+ printk(" [<%p>] %s%pA\n", (void *) address,
13301 reliable ? "" : "? ", (void *) address);
13302 }
13303
13304@@ -36,9 +39,8 @@ void printk_address(unsigned long addres
13305 static void
13306 print_ftrace_graph_addr(unsigned long addr, void *data,
13307 const struct stacktrace_ops *ops,
13308- struct thread_info *tinfo, int *graph)
13309+ struct task_struct *task, int *graph)
13310 {
13311- struct task_struct *task = tinfo->task;
13312 unsigned long ret_addr;
13313 int index = task->curr_ret_stack;
13314
13315@@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
13316 static inline void
13317 print_ftrace_graph_addr(unsigned long addr, void *data,
13318 const struct stacktrace_ops *ops,
13319- struct thread_info *tinfo, int *graph)
13320+ struct task_struct *task, int *graph)
13321 { }
13322 #endif
13323
13324@@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
13325 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
13326 */
13327
13328-static inline int valid_stack_ptr(struct thread_info *tinfo,
13329- void *p, unsigned int size, void *end)
13330+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
13331 {
13332- void *t = tinfo;
13333 if (end) {
13334 if (p < end && p >= (end-THREAD_SIZE))
13335 return 1;
13336@@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
13337 }
13338
13339 unsigned long
13340-print_context_stack(struct thread_info *tinfo,
13341+print_context_stack(struct task_struct *task, void *stack_start,
13342 unsigned long *stack, unsigned long bp,
13343 const struct stacktrace_ops *ops, void *data,
13344 unsigned long *end, int *graph)
13345 {
13346 struct stack_frame *frame = (struct stack_frame *)bp;
13347
13348- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
13349+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
13350 unsigned long addr;
13351
13352 addr = *stack;
13353@@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
13354 } else {
13355 ops->address(data, addr, 0);
13356 }
13357- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
13358+ print_ftrace_graph_addr(addr, data, ops, task, graph);
13359 }
13360 stack++;
13361 }
13362@@ -180,7 +180,7 @@ void dump_stack(void)
13363 #endif
13364
13365 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
13366- current->pid, current->comm, print_tainted(),
13367+ task_pid_nr(current), current->comm, print_tainted(),
13368 init_utsname()->release,
13369 (int)strcspn(init_utsname()->version, " "),
13370 init_utsname()->version);
13371@@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
13372 return flags;
13373 }
13374
13375+extern void gr_handle_kernel_exploit(void);
13376+
13377 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
13378 {
13379 if (regs && kexec_should_crash(current))
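Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in dumpstack.c, so the compiler cannot check this prototype against the definition. Declaring it once in a header that both the defining file and this one include keeps the signature from drifting silently. oops_end continues into the next hunk, where the call itself is added.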
13380@@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
13381 panic("Fatal exception in interrupt");
13382 if (panic_on_oops)
13383 panic("Fatal exception");
13384- do_exit(signr);
13385+
13386+ gr_handle_kernel_exploit();
13387+
13388+ do_group_exit(signr);
13389 }
13390
13391 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
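Review bot: Replacing `do_exit(signr)` with `do_group_exit(signr)` at the end of oops_end changes what is terminated after an oops, from the faulting thread to its whole thread group, and the new lines carry no comment saying so. A short comment above the two added calls would record the intent, for example `/* after an oops, take down every thread of the offending process, not only the current one */`. What gr_handle_kernel_exploit() does beforehand is not visible here, so the comment should also say whether it is expected to return.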
13392@@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
13393 unsigned long flags = oops_begin();
13394 int sig = SIGSEGV;
13395
13396- if (!user_mode_vm(regs))
13397+ if (!user_mode(regs))
13398 report_bug(regs->ip, regs);
13399
13400 if (__die(str, regs, err))
13401diff -urNp linux-2.6.32.48/arch/x86/kernel/dumpstack.h linux-2.6.32.48/arch/x86/kernel/dumpstack.h
13402--- linux-2.6.32.48/arch/x86/kernel/dumpstack.h 2011-11-08 19:02:43.000000000 -0500
13403+++ linux-2.6.32.48/arch/x86/kernel/dumpstack.h 2011-11-15 19:59:43.000000000 -0500
13404@@ -15,7 +15,7 @@
13405 #endif
13406
13407 extern unsigned long
13408-print_context_stack(struct thread_info *tinfo,
13409+print_context_stack(struct task_struct *task, void *stack_start,
13410 unsigned long *stack, unsigned long bp,
13411 const struct stacktrace_ops *ops, void *data,
13412 unsigned long *end, int *graph);
13413diff -urNp linux-2.6.32.48/arch/x86/kernel/e820.c linux-2.6.32.48/arch/x86/kernel/e820.c
13414--- linux-2.6.32.48/arch/x86/kernel/e820.c 2011-11-08 19:02:43.000000000 -0500
13415+++ linux-2.6.32.48/arch/x86/kernel/e820.c 2011-11-15 19:59:43.000000000 -0500
13416@@ -733,7 +733,7 @@ struct early_res {
13417 };
13418 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
13419 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
13420- {}
13421+ { 0, 0, {0}, 0 }
13422 };
13423
13424 static int __init find_overlapped_early(u64 start, u64 end)
13425diff -urNp linux-2.6.32.48/arch/x86/kernel/early_printk.c linux-2.6.32.48/arch/x86/kernel/early_printk.c
13426--- linux-2.6.32.48/arch/x86/kernel/early_printk.c 2011-11-08 19:02:43.000000000 -0500
13427+++ linux-2.6.32.48/arch/x86/kernel/early_printk.c 2011-11-15 19:59:43.000000000 -0500
13428@@ -7,6 +7,7 @@
13429 #include <linux/pci_regs.h>
13430 #include <linux/pci_ids.h>
13431 #include <linux/errno.h>
13432+#include <linux/sched.h>
13433 #include <asm/io.h>
13434 #include <asm/processor.h>
13435 #include <asm/fcntl.h>
13436@@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
13437 int n;
13438 va_list ap;
13439
13440+ pax_track_stack();
13441+
13442 va_start(ap, fmt);
13443 n = vscnprintf(buf, sizeof(buf), fmt, ap);
13444 early_console->write(early_console, buf, n);
13445diff -urNp linux-2.6.32.48/arch/x86/kernel/efi_32.c linux-2.6.32.48/arch/x86/kernel/efi_32.c
13446--- linux-2.6.32.48/arch/x86/kernel/efi_32.c 2011-11-08 19:02:43.000000000 -0500
13447+++ linux-2.6.32.48/arch/x86/kernel/efi_32.c 2011-11-15 19:59:43.000000000 -0500
13448@@ -38,70 +38,56 @@
13449 */
13450
13451 static unsigned long efi_rt_eflags;
13452-static pgd_t efi_bak_pg_dir_pointer[2];
13453+static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
13454
13455-void efi_call_phys_prelog(void)
13456+void __init efi_call_phys_prelog(void)
13457 {
13458- unsigned long cr4;
13459- unsigned long temp;
13460 struct desc_ptr gdt_descr;
13461
13462- local_irq_save(efi_rt_eflags);
13463+#ifdef CONFIG_PAX_KERNEXEC
13464+ struct desc_struct d;
13465+#endif
13466
13467- /*
13468- * If I don't have PAE, I should just duplicate two entries in page
13469- * directory. If I have PAE, I just need to duplicate one entry in
13470- * page directory.
13471- */
13472- cr4 = read_cr4_safe();
13473+ local_irq_save(efi_rt_eflags);
13474
13475- if (cr4 & X86_CR4_PAE) {
13476- efi_bak_pg_dir_pointer[0].pgd =
13477- swapper_pg_dir[pgd_index(0)].pgd;
13478- swapper_pg_dir[0].pgd =
13479- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13480- } else {
13481- efi_bak_pg_dir_pointer[0].pgd =
13482- swapper_pg_dir[pgd_index(0)].pgd;
13483- efi_bak_pg_dir_pointer[1].pgd =
13484- swapper_pg_dir[pgd_index(0x400000)].pgd;
13485- swapper_pg_dir[pgd_index(0)].pgd =
13486- swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
13487- temp = PAGE_OFFSET + 0x400000;
13488- swapper_pg_dir[pgd_index(0x400000)].pgd =
13489- swapper_pg_dir[pgd_index(temp)].pgd;
13490- }
13491+ clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
13492+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13493+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13494
13495 /*
13496 * After the lock is released, the original page table is restored.
13497 */
13498 __flush_tlb_all();
13499
13500+#ifdef CONFIG_PAX_KERNEXEC
13501+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
13502+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13503+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
13504+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13505+#endif
13506+
13507 gdt_descr.address = __pa(get_cpu_gdt_table(0));
13508 gdt_descr.size = GDT_SIZE - 1;
13509 load_gdt(&gdt_descr);
13510 }
13511
13512-void efi_call_phys_epilog(void)
13513+void __init efi_call_phys_epilog(void)
13514 {
13515- unsigned long cr4;
13516 struct desc_ptr gdt_descr;
13517
13518+#ifdef CONFIG_PAX_KERNEXEC
13519+ struct desc_struct d;
13520+
13521+ memset(&d, 0, sizeof d);
13522+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
13523+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
13524+#endif
13525+
13526 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
13527 gdt_descr.size = GDT_SIZE - 1;
13528 load_gdt(&gdt_descr);
13529
13530- cr4 = read_cr4_safe();
13531-
13532- if (cr4 & X86_CR4_PAE) {
13533- swapper_pg_dir[pgd_index(0)].pgd =
13534- efi_bak_pg_dir_pointer[0].pgd;
13535- } else {
13536- swapper_pg_dir[pgd_index(0)].pgd =
13537- efi_bak_pg_dir_pointer[0].pgd;
13538- swapper_pg_dir[pgd_index(0x400000)].pgd =
13539- efi_bak_pg_dir_pointer[1].pgd;
13540- }
13541+ clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
13542
13543 /*
13544 * After the lock is released, the original page table is restored.
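Review bot: The two `pack_descriptor` calls added to efi_call_phys_prelog pass bare `0x9B`, `0x93` and `0xC`, and nothing nearby says which segments they build. A comment above them would make the intent reviewable, for example `/* flat 4 GiB ring-0 segments for the EFI call: 0x9B = present code, execute/read; 0x93 = present data, read/write; 0xC = 4 KiB granularity, 32-bit */`. The epilog's `memset` of the same two GDT slots deserves a matching one-liner saying the temporary descriptors are removed again. efi_call_phys_epilog continues past the end of this hunk.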
13545diff -urNp linux-2.6.32.48/arch/x86/kernel/efi_stub_32.S linux-2.6.32.48/arch/x86/kernel/efi_stub_32.S
13546--- linux-2.6.32.48/arch/x86/kernel/efi_stub_32.S 2011-11-08 19:02:43.000000000 -0500
13547+++ linux-2.6.32.48/arch/x86/kernel/efi_stub_32.S 2011-11-15 19:59:43.000000000 -0500
13548@@ -6,7 +6,9 @@
13549 */
13550
13551 #include <linux/linkage.h>
13552+#include <linux/init.h>
13553 #include <asm/page_types.h>
13554+#include <asm/segment.h>
13555
13556 /*
13557 * efi_call_phys(void *, ...) is a function with variable parameters.
13558@@ -20,7 +22,7 @@
13559 * service functions will comply with gcc calling convention, too.
13560 */
13561
13562-.text
13563+__INIT
13564 ENTRY(efi_call_phys)
13565 /*
13566 * 0. The function can only be called in Linux kernel. So CS has been
13567@@ -36,9 +38,11 @@ ENTRY(efi_call_phys)
13568 * The mapping of lower virtual memory has been created in prelog and
13569 * epilog.
13570 */
13571- movl $1f, %edx
13572- subl $__PAGE_OFFSET, %edx
13573- jmp *%edx
13574+ movl $(__KERNEXEC_EFI_DS), %edx
13575+ mov %edx, %ds
13576+ mov %edx, %es
13577+ mov %edx, %ss
13578+ ljmp $(__KERNEXEC_EFI_CS),$1f-__PAGE_OFFSET
13579 1:
13580
13581 /*
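Review bot: The stub now loads `__KERNEXEC_EFI_DS` and far-jumps through `__KERNEXEC_EFI_CS` unconditionally, while efi_call_phys_prelog in efi_32.c fills those two GDT entries only under `#ifdef CONFIG_PAX_KERNEXEC`. Unless the selectors are defined to fall back to the ordinary kernel segments when KERNEXEC is off (that definition is not visible here), a non-KERNEXEC build would load descriptors nobody initialised. Either wrap this sequence in the same `#ifdef CONFIG_PAX_KERNEXEC` and keep the removed `movl $1f, %edx` / `subl $__PAGE_OFFSET, %edx` / `jmp *%edx` path under `#else`, or populate the descriptors unconditionally in the prelog. efi_call_phys continues outside this hunk.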
13582@@ -47,14 +51,8 @@ ENTRY(efi_call_phys)
13583 * parameter 2, ..., param n. To make things easy, we save the return
13584 * address of efi_call_phys in a global variable.
13585 */
13586- popl %edx
13587- movl %edx, saved_return_addr
13588- /* get the function pointer into ECX*/
13589- popl %ecx
13590- movl %ecx, efi_rt_function_ptr
13591- movl $2f, %edx
13592- subl $__PAGE_OFFSET, %edx
13593- pushl %edx
13594+ popl (saved_return_addr)
13595+ popl (efi_rt_function_ptr)
13596
13597 /*
13598 * 3. Clear PG bit in %CR0.
13599@@ -73,9 +71,8 @@ ENTRY(efi_call_phys)
13600 /*
13601 * 5. Call the physical function.
13602 */
13603- jmp *%ecx
13604+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
13605
13606-2:
13607 /*
13608 * 6. After EFI runtime service returns, control will return to
13609 * following instruction. We'd better readjust stack pointer first.
13610@@ -88,35 +85,32 @@ ENTRY(efi_call_phys)
13611 movl %cr0, %edx
13612 orl $0x80000000, %edx
13613 movl %edx, %cr0
13614- jmp 1f
13615-1:
13616+
13617 /*
13618 * 8. Now restore the virtual mode from flat mode by
13619 * adding EIP with PAGE_OFFSET.
13620 */
13621- movl $1f, %edx
13622- jmp *%edx
13623+ ljmp $(__KERNEL_CS),$1f+__PAGE_OFFSET
13624 1:
13625+ movl $(__KERNEL_DS), %edx
13626+ mov %edx, %ds
13627+ mov %edx, %es
13628+ mov %edx, %ss
13629
13630 /*
13631 * 9. Balance the stack. And because EAX contain the return value,
13632 * we'd better not clobber it.
13633 */
13634- leal efi_rt_function_ptr, %edx
13635- movl (%edx), %ecx
13636- pushl %ecx
13637+ pushl (efi_rt_function_ptr)
13638
13639 /*
13640- * 10. Push the saved return address onto the stack and return.
13641+ * 10. Return to the saved return address.
13642 */
13643- leal saved_return_addr, %edx
13644- movl (%edx), %ecx
13645- pushl %ecx
13646- ret
13647+ jmpl *(saved_return_addr)
13648 ENDPROC(efi_call_phys)
13649 .previous
13650
13651-.data
13652+__INITDATA
13653 saved_return_addr:
13654 .long 0
13655 efi_rt_function_ptr:
13656diff -urNp linux-2.6.32.48/arch/x86/kernel/efi_stub_64.S linux-2.6.32.48/arch/x86/kernel/efi_stub_64.S
13657--- linux-2.6.32.48/arch/x86/kernel/efi_stub_64.S 2011-11-08 19:02:43.000000000 -0500
13658+++ linux-2.6.32.48/arch/x86/kernel/efi_stub_64.S 2011-11-15 19:59:43.000000000 -0500
13659@@ -7,6 +7,7 @@
13660 */
13661
13662 #include <linux/linkage.h>
13663+#include <asm/alternative-asm.h>
13664
13665 #define SAVE_XMM \
13666 mov %rsp, %rax; \
13667@@ -40,6 +41,7 @@ ENTRY(efi_call0)
13668 call *%rdi
13669 addq $32, %rsp
13670 RESTORE_XMM
13671+ pax_force_retaddr
13672 ret
13673 ENDPROC(efi_call0)
13674
13675@@ -50,6 +52,7 @@ ENTRY(efi_call1)
13676 call *%rdi
13677 addq $32, %rsp
13678 RESTORE_XMM
13679+ pax_force_retaddr
13680 ret
13681 ENDPROC(efi_call1)
13682
13683@@ -60,6 +63,7 @@ ENTRY(efi_call2)
13684 call *%rdi
13685 addq $32, %rsp
13686 RESTORE_XMM
13687+ pax_force_retaddr
13688 ret
13689 ENDPROC(efi_call2)
13690
13691@@ -71,6 +75,7 @@ ENTRY(efi_call3)
13692 call *%rdi
13693 addq $32, %rsp
13694 RESTORE_XMM
13695+ pax_force_retaddr
13696 ret
13697 ENDPROC(efi_call3)
13698
13699@@ -83,6 +88,7 @@ ENTRY(efi_call4)
13700 call *%rdi
13701 addq $32, %rsp
13702 RESTORE_XMM
13703+ pax_force_retaddr
13704 ret
13705 ENDPROC(efi_call4)
13706
13707@@ -96,6 +102,7 @@ ENTRY(efi_call5)
13708 call *%rdi
13709 addq $48, %rsp
13710 RESTORE_XMM
13711+ pax_force_retaddr
13712 ret
13713 ENDPROC(efi_call5)
13714
13715@@ -112,5 +119,6 @@ ENTRY(efi_call6)
13716 call *%rdi
13717 addq $48, %rsp
13718 RESTORE_XMM
13719+ pax_force_retaddr
13720 ret
13721 ENDPROC(efi_call6)
13722diff -urNp linux-2.6.32.48/arch/x86/kernel/entry_32.S linux-2.6.32.48/arch/x86/kernel/entry_32.S
13723--- linux-2.6.32.48/arch/x86/kernel/entry_32.S 2011-11-08 19:02:43.000000000 -0500
13724+++ linux-2.6.32.48/arch/x86/kernel/entry_32.S 2011-11-18 18:01:52.000000000 -0500
13725@@ -185,13 +185,146 @@
13726 /*CFI_REL_OFFSET gs, PT_GS*/
13727 .endm
13728 .macro SET_KERNEL_GS reg
13729+
13730+#ifdef CONFIG_CC_STACKPROTECTOR
13731 movl $(__KERNEL_STACK_CANARY), \reg
13732+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
13733+ movl $(__USER_DS), \reg
13734+#else
13735+ xorl \reg, \reg
13736+#endif
13737+
13738 movl \reg, %gs
13739 .endm
13740
13741 #endif /* CONFIG_X86_32_LAZY_GS */
13742
13743-.macro SAVE_ALL
13744+.macro pax_enter_kernel
13745+#ifdef CONFIG_PAX_KERNEXEC
13746+ call pax_enter_kernel
13747+#endif
13748+.endm
13749+
13750+.macro pax_exit_kernel
13751+#ifdef CONFIG_PAX_KERNEXEC
13752+ call pax_exit_kernel
13753+#endif
13754+.endm
13755+
13756+#ifdef CONFIG_PAX_KERNEXEC
13757+ENTRY(pax_enter_kernel)
13758+#ifdef CONFIG_PARAVIRT
13759+ pushl %eax
13760+ pushl %ecx
13761+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
13762+ mov %eax, %esi
13763+#else
13764+ mov %cr0, %esi
13765+#endif
13766+ bts $16, %esi
13767+ jnc 1f
13768+ mov %cs, %esi
13769+ cmp $__KERNEL_CS, %esi
13770+ jz 3f
13771+ ljmp $__KERNEL_CS, $3f
13772+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
13773+2:
13774+#ifdef CONFIG_PARAVIRT
13775+ mov %esi, %eax
13776+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
13777+#else
13778+ mov %esi, %cr0
13779+#endif
13780+3:
13781+#ifdef CONFIG_PARAVIRT
13782+ popl %ecx
13783+ popl %eax
13784+#endif
13785+ ret
13786+ENDPROC(pax_enter_kernel)
13787+
13788+ENTRY(pax_exit_kernel)
13789+#ifdef CONFIG_PARAVIRT
13790+ pushl %eax
13791+ pushl %ecx
13792+#endif
13793+ mov %cs, %esi
13794+ cmp $__KERNEXEC_KERNEL_CS, %esi
13795+ jnz 2f
13796+#ifdef CONFIG_PARAVIRT
13797+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
13798+ mov %eax, %esi
13799+#else
13800+ mov %cr0, %esi
13801+#endif
13802+ btr $16, %esi
13803+ ljmp $__KERNEL_CS, $1f
13804+1:
13805+#ifdef CONFIG_PARAVIRT
13806+ mov %esi, %eax
13807+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
13808+#else
13809+ mov %esi, %cr0
13810+#endif
13811+2:
13812+#ifdef CONFIG_PARAVIRT
13813+ popl %ecx
13814+ popl %eax
13815+#endif
13816+ ret
13817+ENDPROC(pax_exit_kernel)
13818+#endif
13819+
13820+.macro pax_erase_kstack
13821+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13822+ call pax_erase_kstack
13823+#endif
13824+.endm
13825+
13826+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13827+/*
13828+ * ebp: thread_info
13829+ * ecx, edx: can be clobbered
13830+ */
13831+ENTRY(pax_erase_kstack)
13832+ pushl %edi
13833+ pushl %eax
13834+
13835+ mov TI_lowest_stack(%ebp), %edi
13836+ mov $-0xBEEF, %eax
13837+ std
13838+
13839+1: mov %edi, %ecx
13840+ and $THREAD_SIZE_asm - 1, %ecx
13841+ shr $2, %ecx
13842+ repne scasl
13843+ jecxz 2f
13844+
13845+ cmp $2*16, %ecx
13846+ jc 2f
13847+
13848+ mov $2*16, %ecx
13849+ repe scasl
13850+ jecxz 2f
13851+ jne 1b
13852+
13853+2: cld
13854+ mov %esp, %ecx
13855+ sub %edi, %ecx
13856+ shr $2, %ecx
13857+ rep stosl
13858+
13859+ mov TI_task_thread_sp0(%ebp), %edi
13860+ sub $128, %edi
13861+ mov %edi, TI_lowest_stack(%ebp)
13862+
13863+ popl %eax
13864+ popl %edi
13865+ ret
13866+ENDPROC(pax_erase_kstack)
13867+#endif
13868+
13869+.macro __SAVE_ALL _DS
13870 cld
13871 PUSH_GS
13872 pushl %fs
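Review bot: pax_enter_kernel and pax_exit_kernel overwrite `%esi` and never restore it (only `%eax` and `%ecx` are saved, and only under CONFIG_PARAVIRT), yet neither has a register-contract comment like the one pax_erase_kstack gets further down in this hunk. SAVE_ALL, in a later hunk of this file, invokes pax_enter_kernel after the register pushes, so this is presumably safe there, but the next caller has to rediscover it. A header comment on each, such as `/* clobbers %esi; bit 16 of CR0 is WP */`, would document both the clobber and the otherwise unexplained `bts $16` / `btr $16`. The `$-0xBEEF` fill value and the `$2*16` run length in pax_erase_kstack would benefit from the same treatment.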
13873@@ -224,7 +357,7 @@
13874 pushl %ebx
13875 CFI_ADJUST_CFA_OFFSET 4
13876 CFI_REL_OFFSET ebx, 0
13877- movl $(__USER_DS), %edx
13878+ movl $\_DS, %edx
13879 movl %edx, %ds
13880 movl %edx, %es
13881 movl $(__KERNEL_PERCPU), %edx
13882@@ -232,6 +365,15 @@
13883 SET_KERNEL_GS %edx
13884 .endm
13885
13886+.macro SAVE_ALL
13887+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
13888+ __SAVE_ALL __KERNEL_DS
13889+ pax_enter_kernel
13890+#else
13891+ __SAVE_ALL __USER_DS
13892+#endif
13893+.endm
13894+
13895 .macro RESTORE_INT_REGS
13896 popl %ebx
13897 CFI_ADJUST_CFA_OFFSET -4
13898@@ -331,7 +473,7 @@ ENTRY(ret_from_fork)
13899 CFI_ADJUST_CFA_OFFSET -4
13900 jmp syscall_exit
13901 CFI_ENDPROC
13902-END(ret_from_fork)
13903+ENDPROC(ret_from_fork)
13904
13905 /*
13906 * Return to user mode is not as complex as all this looks,
13907@@ -352,7 +494,15 @@ check_userspace:
13908 movb PT_CS(%esp), %al
13909 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
13910 cmpl $USER_RPL, %eax
13911+
13912+#ifdef CONFIG_PAX_KERNEXEC
13913+ jae resume_userspace
13914+
13915+ PAX_EXIT_KERNEL
13916+ jmp resume_kernel
13917+#else
13918 jb resume_kernel # not returning to v8086 or userspace
13919+#endif
13920
13921 ENTRY(resume_userspace)
13922 LOCKDEP_SYS_EXIT
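Review bot: The KERNEXEC branch added at check_userspace invokes `PAX_EXIT_KERNEL` in upper case, while the macro this patch defines earlier in the same file is `.macro pax_exit_kernel` and its siblings are invoked in lower case (`pax_enter_kernel` in SAVE_ALL, `pax_erase_kstack` on the exit paths). Whether the upper-case name resolves to that macro or to a definition elsewhere is not visible here. Writing `pax_exit_kernel` keeps the file consistent and removes the doubt.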
13923@@ -364,8 +514,8 @@ ENTRY(resume_userspace)
13924 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
13925 # int/exception return?
13926 jne work_pending
13927- jmp restore_all
13928-END(ret_from_exception)
13929+ jmp restore_all_pax
13930+ENDPROC(ret_from_exception)
13931
13932 #ifdef CONFIG_PREEMPT
13933 ENTRY(resume_kernel)
13934@@ -380,7 +530,7 @@ need_resched:
13935 jz restore_all
13936 call preempt_schedule_irq
13937 jmp need_resched
13938-END(resume_kernel)
13939+ENDPROC(resume_kernel)
13940 #endif
13941 CFI_ENDPROC
13942
13943@@ -414,25 +564,36 @@ sysenter_past_esp:
13944 /*CFI_REL_OFFSET cs, 0*/
13945 /*
13946 * Push current_thread_info()->sysenter_return to the stack.
13947- * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
13948- * pushed above; +8 corresponds to copy_thread's esp0 setting.
13949 */
13950- pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
13951+ pushl $0
13952 CFI_ADJUST_CFA_OFFSET 4
13953 CFI_REL_OFFSET eip, 0
13954
13955 pushl %eax
13956 CFI_ADJUST_CFA_OFFSET 4
13957 SAVE_ALL
13958+ GET_THREAD_INFO(%ebp)
13959+ movl TI_sysenter_return(%ebp),%ebp
13960+ movl %ebp,PT_EIP(%esp)
13961 ENABLE_INTERRUPTS(CLBR_NONE)
13962
13963 /*
13964 * Load the potential sixth argument from user stack.
13965 * Careful about security.
13966 */
13967+ movl PT_OLDESP(%esp),%ebp
13968+
13969+#ifdef CONFIG_PAX_MEMORY_UDEREF
13970+ mov PT_OLDSS(%esp),%ds
13971+1: movl %ds:(%ebp),%ebp
13972+ push %ss
13973+ pop %ds
13974+#else
13975 cmpl $__PAGE_OFFSET-3,%ebp
13976 jae syscall_fault
13977 1: movl (%ebp),%ebp
13978+#endif
13979+
13980 movl %ebp,PT_EBP(%esp)
13981 .section __ex_table,"a"
13982 .align 4
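Review bot: The retained comment `Push current_thread_info()->sysenter_return to the stack.` no longer describes the code under it: the hunk now pushes a `$0` placeholder and fills the slot after SAVE_ALL with `movl %ebp,PT_EIP(%esp)`. Rewording it, e.g. `/* Reserve the EIP slot; it is filled from TI_sysenter_return once SAVE_ALL has run. */`, keeps the entry path readable. The CONFIG_PAX_MEMORY_UDEREF branch also drops the explicit `cmpl $__PAGE_OFFSET-3,%ebp` bound and reads through `%ds` loaded from PT_OLDSS instead, which deserves a one-line comment stating what now bounds that user-stack access.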
13983@@ -455,12 +616,24 @@ sysenter_do_call:
13984 testl $_TIF_ALLWORK_MASK, %ecx
13985 jne sysexit_audit
13986 sysenter_exit:
13987+
13988+#ifdef CONFIG_PAX_RANDKSTACK
13989+ pushl_cfi %eax
13990+ movl %esp, %eax
13991+ call pax_randomize_kstack
13992+ popl_cfi %eax
13993+#endif
13994+
13995+ pax_erase_kstack
13996+
13997 /* if something modifies registers it must also disable sysexit */
13998 movl PT_EIP(%esp), %edx
13999 movl PT_OLDESP(%esp), %ecx
14000 xorl %ebp,%ebp
14001 TRACE_IRQS_ON
14002 1: mov PT_FS(%esp), %fs
14003+2: mov PT_DS(%esp), %ds
14004+3: mov PT_ES(%esp), %es
14005 PTGS_TO_GS
14006 ENABLE_INTERRUPTS_SYSEXIT
14007
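Review bot: The CONFIG_PAX_RANDKSTACK block at sysenter_exit uses `pushl_cfi %eax` / `popl_cfi %eax`, whereas the other pushes in the visible hunks of this file are written as `pushl` followed by `CFI_ADJUST_CFA_OFFSET 4`. Whether the `_cfi` helpers are defined for this tree is not visible here; if they are not, this only fails when RANDKSTACK is enabled. Using the file's existing form, `pushl %eax` plus `CFI_ADJUST_CFA_OFFSET 4` and the matching pop with `-4`, avoids the dependency and keeps the style uniform.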
14008@@ -477,6 +650,9 @@ sysenter_audit:
14009 movl %eax,%edx /* 2nd arg: syscall number */
14010 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
14011 call audit_syscall_entry
14012+
14013+ pax_erase_kstack
14014+
14015 pushl %ebx
14016 CFI_ADJUST_CFA_OFFSET 4
14017 movl PT_EAX(%esp),%eax /* reload syscall number */
14018@@ -504,11 +680,17 @@ sysexit_audit:
14019
14020 CFI_ENDPROC
14021 .pushsection .fixup,"ax"
14022-2: movl $0,PT_FS(%esp)
14023+4: movl $0,PT_FS(%esp)
14024+ jmp 1b
14025+5: movl $0,PT_DS(%esp)
14026+ jmp 1b
14027+6: movl $0,PT_ES(%esp)
14028 jmp 1b
14029 .section __ex_table,"a"
14030 .align 4
14031- .long 1b,2b
14032+ .long 1b,4b
14033+ .long 2b,5b
14034+ .long 3b,6b
14035 .popsection
14036 PTGS_TO_GS_EX
14037 ENDPROC(ia32_sysenter_target)
14038@@ -538,6 +720,15 @@ syscall_exit:
14039 testl $_TIF_ALLWORK_MASK, %ecx # current->work
14040 jne syscall_exit_work
14041
14042+restore_all_pax:
14043+
14044+#ifdef CONFIG_PAX_RANDKSTACK
14045+ movl %esp, %eax
14046+ call pax_randomize_kstack
14047+#endif
14048+
14049+ pax_erase_kstack
14050+
14051 restore_all:
14052 TRACE_IRQS_IRET
14053 restore_all_notrace:
14054@@ -602,10 +793,29 @@ ldt_ss:
14055 mov PT_OLDESP(%esp), %eax /* load userspace esp */
14056 mov %dx, %ax /* eax: new kernel esp */
14057 sub %eax, %edx /* offset (low word is 0) */
14058- PER_CPU(gdt_page, %ebx)
14059+#ifdef CONFIG_SMP
14060+ movl PER_CPU_VAR(cpu_number), %ebx
14061+ shll $PAGE_SHIFT_asm, %ebx
14062+ addl $cpu_gdt_table, %ebx
14063+#else
14064+ movl $cpu_gdt_table, %ebx
14065+#endif
14066 shr $16, %edx
14067+
14068+#ifdef CONFIG_PAX_KERNEXEC
14069+ mov %cr0, %esi
14070+ btr $16, %esi
14071+ mov %esi, %cr0
14072+#endif
14073+
14074 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
14075 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
14076+
14077+#ifdef CONFIG_PAX_KERNEXEC
14078+ bts $16, %esi
14079+ mov %esi, %cr0
14080+#endif
14081+
14082 pushl $__ESPFIX_SS
14083 CFI_ADJUST_CFA_OFFSET 4
14084 push %eax /* new kernel esp */
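Review bot: The SMP replacement for `PER_CPU(gdt_page, %ebx)` in ldt_ss computes the GDT address as `cpu_number << PAGE_SHIFT_asm` plus `cpu_gdt_table`, which bakes in the assumption that cpu_gdt_table is an array of exactly one page per CPU, and no comment says so. A line such as `/* cpu_gdt_table: one page-sized GDT per CPU, indexed by cpu_number */` would make the dependency explicit (the table's definition is not visible here). The KERNEXEC block around the two byte stores also clears and sets CR0 bit 16 with a raw `mov %esi, %cr0` and clobbers `%esi`, whereas pax_enter_kernel goes through pv_cpu_ops under CONFIG_PARAVIRT; a comment should state why the native access is acceptable on this path.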
14085@@ -636,36 +846,30 @@ work_resched:
14086 movl TI_flags(%ebp), %ecx
14087 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
14088 # than syscall tracing?
14089- jz restore_all
14090+ jz restore_all_pax
14091 testb $_TIF_NEED_RESCHED, %cl
14092 jnz work_resched
14093
14094 work_notifysig: # deal with pending signals and
14095 # notify-resume requests
14096+ movl %esp, %eax
14097 #ifdef CONFIG_VM86
14098 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
14099- movl %esp, %eax
14100- jne work_notifysig_v86 # returning to kernel-space or
14101+ jz 1f # returning to kernel-space or
14102 # vm86-space
14103- xorl %edx, %edx
14104- call do_notify_resume
14105- jmp resume_userspace_sig
14106
14107- ALIGN
14108-work_notifysig_v86:
14109 pushl %ecx # save ti_flags for do_notify_resume
14110 CFI_ADJUST_CFA_OFFSET 4
14111 call save_v86_state # %eax contains pt_regs pointer
14112 popl %ecx
14113 CFI_ADJUST_CFA_OFFSET -4
14114 movl %eax, %esp
14115-#else
14116- movl %esp, %eax
14117+1:
14118 #endif
14119 xorl %edx, %edx
14120 call do_notify_resume
14121 jmp resume_userspace_sig
14122-END(work_pending)
14123+ENDPROC(work_pending)
14124
14125 # perform syscall exit tracing
14126 ALIGN
14127@@ -673,11 +877,14 @@ syscall_trace_entry:
14128 movl $-ENOSYS,PT_EAX(%esp)
14129 movl %esp, %eax
14130 call syscall_trace_enter
14131+
14132+ pax_erase_kstack
14133+
14134 /* What it returned is what we'll actually use. */
14135 cmpl $(nr_syscalls), %eax
14136 jnae syscall_call
14137 jmp syscall_exit
14138-END(syscall_trace_entry)
14139+ENDPROC(syscall_trace_entry)
14140
14141 # perform syscall exit tracing
14142 ALIGN
14143@@ -690,20 +897,24 @@ syscall_exit_work:
14144 movl %esp, %eax
14145 call syscall_trace_leave
14146 jmp resume_userspace
14147-END(syscall_exit_work)
14148+ENDPROC(syscall_exit_work)
14149 CFI_ENDPROC
14150
14151 RING0_INT_FRAME # can't unwind into user space anyway
14152 syscall_fault:
14153+#ifdef CONFIG_PAX_MEMORY_UDEREF
14154+ push %ss
14155+ pop %ds
14156+#endif
14157 GET_THREAD_INFO(%ebp)
14158 movl $-EFAULT,PT_EAX(%esp)
14159 jmp resume_userspace
14160-END(syscall_fault)
14161+ENDPROC(syscall_fault)
14162
14163 syscall_badsys:
14164 movl $-ENOSYS,PT_EAX(%esp)
14165 jmp resume_userspace
14166-END(syscall_badsys)
14167+ENDPROC(syscall_badsys)
14168 CFI_ENDPROC
14169
14170 /*
14171@@ -726,6 +937,33 @@ PTREGSCALL(rt_sigreturn)
14172 PTREGSCALL(vm86)
14173 PTREGSCALL(vm86old)
14174
14175+ ALIGN;
14176+ENTRY(kernel_execve)
14177+ push %ebp
14178+ sub $PT_OLDSS+4,%esp
14179+ push %edi
14180+ push %ecx
14181+ push %eax
14182+ lea 3*4(%esp),%edi
14183+ mov $PT_OLDSS/4+1,%ecx
14184+ xorl %eax,%eax
14185+ rep stosl
14186+ pop %eax
14187+ pop %ecx
14188+ pop %edi
14189+ movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
14190+ mov %eax,PT_EBX(%esp)
14191+ mov %edx,PT_ECX(%esp)
14192+ mov %ecx,PT_EDX(%esp)
14193+ mov %esp,%eax
14194+ call sys_execve
14195+ GET_THREAD_INFO(%ebp)
14196+ test %eax,%eax
14197+ jz syscall_exit
14198+ add $PT_OLDSS+4,%esp
14199+ pop %ebp
14200+ ret
14201+
14202 .macro FIXUP_ESPFIX_STACK
14203 /*
14204 * Switch back for ESPFIX stack to the normal zerobased stack
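Review bot: The new `ENTRY(kernel_execve)` is never closed: the routine ends at `ret` and the next added line is blank before `.macro FIXUP_ESPFIX_STACK`, while the other routines in the visible hunks of this file are all moved from END to ENDPROC. Adding `ENDPROC(kernel_execve)` after the `ret` would give the symbol a type and size like its neighbours. The routine also has no header comment and no CFI annotations; a short comment saying that it reserves `PT_OLDSS+4` bytes, zeroes that frame with `rep stosl`, fills PT_EBX/PT_ECX/PT_EDX from %eax/%edx/%ecx and passes the frame to sys_execve would make the stack arithmetic reviewable.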
14205@@ -735,7 +973,13 @@ PTREGSCALL(vm86old)
14206 * normal stack and adjusts ESP with the matching offset.
14207 */
14208 /* fixup the stack */
14209- PER_CPU(gdt_page, %ebx)
14210+#ifdef CONFIG_SMP
14211+ movl PER_CPU_VAR(cpu_number), %ebx
14212+ shll $PAGE_SHIFT_asm, %ebx
14213+ addl $cpu_gdt_table, %ebx
14214+#else
14215+ movl $cpu_gdt_table, %ebx
14216+#endif
14217 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
14218 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
14219 shl $16, %eax
14220@@ -793,7 +1037,7 @@ vector=vector+1
14221 .endr
14222 2: jmp common_interrupt
14223 .endr
14224-END(irq_entries_start)
14225+ENDPROC(irq_entries_start)
14226
14227 .previous
14228 END(interrupt)
14229@@ -840,7 +1084,7 @@ ENTRY(coprocessor_error)
14230 CFI_ADJUST_CFA_OFFSET 4
14231 jmp error_code
14232 CFI_ENDPROC
14233-END(coprocessor_error)
14234+ENDPROC(coprocessor_error)
14235
14236 ENTRY(simd_coprocessor_error)
14237 RING0_INT_FRAME
14238@@ -850,7 +1094,7 @@ ENTRY(simd_coprocessor_error)
14239 CFI_ADJUST_CFA_OFFSET 4
14240 jmp error_code
14241 CFI_ENDPROC
14242-END(simd_coprocessor_error)
14243+ENDPROC(simd_coprocessor_error)
14244
14245 ENTRY(device_not_available)
14246 RING0_INT_FRAME
14247@@ -860,7 +1104,7 @@ ENTRY(device_not_available)
14248 CFI_ADJUST_CFA_OFFSET 4
14249 jmp error_code
14250 CFI_ENDPROC
14251-END(device_not_available)
14252+ENDPROC(device_not_available)
14253
14254 #ifdef CONFIG_PARAVIRT
14255 ENTRY(native_iret)
14256@@ -869,12 +1113,12 @@ ENTRY(native_iret)
14257 .align 4
14258 .long native_iret, iret_exc
14259 .previous
14260-END(native_iret)
14261+ENDPROC(native_iret)
14262
14263 ENTRY(native_irq_enable_sysexit)
14264 sti
14265 sysexit
14266-END(native_irq_enable_sysexit)
14267+ENDPROC(native_irq_enable_sysexit)
14268 #endif
14269
14270 ENTRY(overflow)
14271@@ -885,7 +1129,7 @@ ENTRY(overflow)
14272 CFI_ADJUST_CFA_OFFSET 4
14273 jmp error_code
14274 CFI_ENDPROC
14275-END(overflow)
14276+ENDPROC(overflow)
14277
14278 ENTRY(bounds)
14279 RING0_INT_FRAME
14280@@ -895,7 +1139,7 @@ ENTRY(bounds)
14281 CFI_ADJUST_CFA_OFFSET 4
14282 jmp error_code
14283 CFI_ENDPROC
14284-END(bounds)
14285+ENDPROC(bounds)
14286
14287 ENTRY(invalid_op)
14288 RING0_INT_FRAME
14289@@ -905,7 +1149,7 @@ ENTRY(invalid_op)
14290 CFI_ADJUST_CFA_OFFSET 4
14291 jmp error_code
14292 CFI_ENDPROC
14293-END(invalid_op)
14294+ENDPROC(invalid_op)
14295
14296 ENTRY(coprocessor_segment_overrun)
14297 RING0_INT_FRAME
14298@@ -915,7 +1159,7 @@ ENTRY(coprocessor_segment_overrun)
14299 CFI_ADJUST_CFA_OFFSET 4
14300 jmp error_code
14301 CFI_ENDPROC
14302-END(coprocessor_segment_overrun)
14303+ENDPROC(coprocessor_segment_overrun)
14304
14305 ENTRY(invalid_TSS)
14306 RING0_EC_FRAME
14307@@ -923,7 +1167,7 @@ ENTRY(invalid_TSS)
14308 CFI_ADJUST_CFA_OFFSET 4
14309 jmp error_code
14310 CFI_ENDPROC
14311-END(invalid_TSS)
14312+ENDPROC(invalid_TSS)
14313
14314 ENTRY(segment_not_present)
14315 RING0_EC_FRAME
14316@@ -931,7 +1175,7 @@ ENTRY(segment_not_present)
14317 CFI_ADJUST_CFA_OFFSET 4
14318 jmp error_code
14319 CFI_ENDPROC
14320-END(segment_not_present)
14321+ENDPROC(segment_not_present)
14322
14323 ENTRY(stack_segment)
14324 RING0_EC_FRAME
14325@@ -939,7 +1183,7 @@ ENTRY(stack_segment)
14326 CFI_ADJUST_CFA_OFFSET 4
14327 jmp error_code
14328 CFI_ENDPROC
14329-END(stack_segment)
14330+ENDPROC(stack_segment)
14331
14332 ENTRY(alignment_check)
14333 RING0_EC_FRAME
14334@@ -947,7 +1191,7 @@ ENTRY(alignment_check)
14335 CFI_ADJUST_CFA_OFFSET 4
14336 jmp error_code
14337 CFI_ENDPROC
14338-END(alignment_check)
14339+ENDPROC(alignment_check)
14340
14341 ENTRY(divide_error)
14342 RING0_INT_FRAME
14343@@ -957,7 +1201,7 @@ ENTRY(divide_error)
14344 CFI_ADJUST_CFA_OFFSET 4
14345 jmp error_code
14346 CFI_ENDPROC
14347-END(divide_error)
14348+ENDPROC(divide_error)
14349
14350 #ifdef CONFIG_X86_MCE
14351 ENTRY(machine_check)
14352@@ -968,7 +1212,7 @@ ENTRY(machine_check)
14353 CFI_ADJUST_CFA_OFFSET 4
14354 jmp error_code
14355 CFI_ENDPROC
14356-END(machine_check)
14357+ENDPROC(machine_check)
14358 #endif
14359
14360 ENTRY(spurious_interrupt_bug)
14361@@ -979,7 +1223,7 @@ ENTRY(spurious_interrupt_bug)
14362 CFI_ADJUST_CFA_OFFSET 4
14363 jmp error_code
14364 CFI_ENDPROC
14365-END(spurious_interrupt_bug)
14366+ENDPROC(spurious_interrupt_bug)
14367
14368 ENTRY(kernel_thread_helper)
14369 pushl $0 # fake return address for unwinder
14370@@ -1095,7 +1339,7 @@ ENDPROC(xen_failsafe_callback)
14371
14372 ENTRY(mcount)
14373 ret
14374-END(mcount)
14375+ENDPROC(mcount)
14376
14377 ENTRY(ftrace_caller)
14378 cmpl $0, function_trace_stop
14379@@ -1124,7 +1368,7 @@ ftrace_graph_call:
14380 .globl ftrace_stub
14381 ftrace_stub:
14382 ret
14383-END(ftrace_caller)
14384+ENDPROC(ftrace_caller)
14385
14386 #else /* ! CONFIG_DYNAMIC_FTRACE */
14387
14388@@ -1160,7 +1404,7 @@ trace:
14389 popl %ecx
14390 popl %eax
14391 jmp ftrace_stub
14392-END(mcount)
14393+ENDPROC(mcount)
14394 #endif /* CONFIG_DYNAMIC_FTRACE */
14395 #endif /* CONFIG_FUNCTION_TRACER */
14396
14397@@ -1181,7 +1425,7 @@ ENTRY(ftrace_graph_caller)
14398 popl %ecx
14399 popl %eax
14400 ret
14401-END(ftrace_graph_caller)
14402+ENDPROC(ftrace_graph_caller)
14403
14404 .globl return_to_handler
14405 return_to_handler:
14406@@ -1198,7 +1442,6 @@ return_to_handler:
14407 ret
14408 #endif
14409
14410-.section .rodata,"a"
14411 #include "syscall_table_32.S"
14412
14413 syscall_table_size=(.-sys_call_table)
14414@@ -1255,15 +1498,18 @@ error_code:
14415 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
14416 REG_TO_PTGS %ecx
14417 SET_KERNEL_GS %ecx
14418- movl $(__USER_DS), %ecx
14419+ movl $(__KERNEL_DS), %ecx
14420 movl %ecx, %ds
14421 movl %ecx, %es
14422+
14423+ pax_enter_kernel
14424+
14425 TRACE_IRQS_OFF
14426 movl %esp,%eax # pt_regs pointer
14427 call *%edi
14428 jmp ret_from_exception
14429 CFI_ENDPROC
14430-END(page_fault)
14431+ENDPROC(page_fault)
14432
14433 /*
14434 * Debug traps and NMI can happen at the one SYSENTER instruction
14435@@ -1309,7 +1555,7 @@ debug_stack_correct:
14436 call do_debug
14437 jmp ret_from_exception
14438 CFI_ENDPROC
14439-END(debug)
14440+ENDPROC(debug)
14441
14442 /*
14443 * NMI is doubly nasty. It can happen _while_ we're handling
14444@@ -1351,6 +1597,9 @@ nmi_stack_correct:
14445 xorl %edx,%edx # zero error code
14446 movl %esp,%eax # pt_regs pointer
14447 call do_nmi
14448+
14449+ pax_exit_kernel
14450+
14451 jmp restore_all_notrace
14452 CFI_ENDPROC
14453
14454@@ -1391,12 +1640,15 @@ nmi_espfix_stack:
14455 FIXUP_ESPFIX_STACK # %eax == %esp
14456 xorl %edx,%edx # zero error code
14457 call do_nmi
14458+
14459+ pax_exit_kernel
14460+
14461 RESTORE_REGS
14462 lss 12+4(%esp), %esp # back to espfix stack
14463 CFI_ADJUST_CFA_OFFSET -24
14464 jmp irq_return
14465 CFI_ENDPROC
14466-END(nmi)
14467+ENDPROC(nmi)
14468
14469 ENTRY(int3)
14470 RING0_INT_FRAME
14471@@ -1409,7 +1661,7 @@ ENTRY(int3)
14472 call do_int3
14473 jmp ret_from_exception
14474 CFI_ENDPROC
14475-END(int3)
14476+ENDPROC(int3)
14477
14478 ENTRY(general_protection)
14479 RING0_EC_FRAME
14480@@ -1417,7 +1669,7 @@ ENTRY(general_protection)
14481 CFI_ADJUST_CFA_OFFSET 4
14482 jmp error_code
14483 CFI_ENDPROC
14484-END(general_protection)
14485+ENDPROC(general_protection)
14486
14487 /*
14488 * End of kprobes section
14489diff -urNp linux-2.6.32.48/arch/x86/kernel/entry_64.S linux-2.6.32.48/arch/x86/kernel/entry_64.S
14490--- linux-2.6.32.48/arch/x86/kernel/entry_64.S 2011-11-08 19:02:43.000000000 -0500
14491+++ linux-2.6.32.48/arch/x86/kernel/entry_64.S 2011-11-18 18:01:52.000000000 -0500
14492@@ -53,6 +53,8 @@
14493 #include <asm/paravirt.h>
14494 #include <asm/ftrace.h>
14495 #include <asm/percpu.h>
14496+#include <asm/pgtable.h>
14497+#include <asm/alternative-asm.h>
14498
14499 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
14500 #include <linux/elf-em.h>
14501@@ -64,8 +66,9 @@
14502 #ifdef CONFIG_FUNCTION_TRACER
14503 #ifdef CONFIG_DYNAMIC_FTRACE
14504 ENTRY(mcount)
14505+ pax_force_retaddr
14506 retq
14507-END(mcount)
14508+ENDPROC(mcount)
14509
14510 ENTRY(ftrace_caller)
14511 cmpl $0, function_trace_stop
14512@@ -88,8 +91,9 @@ GLOBAL(ftrace_graph_call)
14513 #endif
14514
14515 GLOBAL(ftrace_stub)
14516+ pax_force_retaddr
14517 retq
14518-END(ftrace_caller)
14519+ENDPROC(ftrace_caller)
14520
14521 #else /* ! CONFIG_DYNAMIC_FTRACE */
14522 ENTRY(mcount)
14523@@ -108,6 +112,7 @@ ENTRY(mcount)
14524 #endif
14525
14526 GLOBAL(ftrace_stub)
14527+ pax_force_retaddr
14528 retq
14529
14530 trace:
14531@@ -117,12 +122,13 @@ trace:
14532 movq 8(%rbp), %rsi
14533 subq $MCOUNT_INSN_SIZE, %rdi
14534
14535+ pax_force_fptr ftrace_trace_function
14536 call *ftrace_trace_function
14537
14538 MCOUNT_RESTORE_FRAME
14539
14540 jmp ftrace_stub
14541-END(mcount)
14542+ENDPROC(mcount)
14543 #endif /* CONFIG_DYNAMIC_FTRACE */
14544 #endif /* CONFIG_FUNCTION_TRACER */
14545
14546@@ -142,8 +148,9 @@ ENTRY(ftrace_graph_caller)
14547
14548 MCOUNT_RESTORE_FRAME
14549
14550+ pax_force_retaddr
14551 retq
14552-END(ftrace_graph_caller)
14553+ENDPROC(ftrace_graph_caller)
14554
14555 GLOBAL(return_to_handler)
14556 subq $24, %rsp
14557@@ -159,6 +166,7 @@ GLOBAL(return_to_handler)
14558 movq 8(%rsp), %rdx
14559 movq (%rsp), %rax
14560 addq $16, %rsp
14561+ pax_force_retaddr
14562 retq
14563 #endif
14564
14565@@ -174,6 +182,269 @@ ENTRY(native_usergs_sysret64)
14566 ENDPROC(native_usergs_sysret64)
14567 #endif /* CONFIG_PARAVIRT */
14568
14569+ .macro ljmpq sel, off
14570+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
14571+ .byte 0x48; ljmp *1234f(%rip)
14572+ .pushsection .rodata
14573+ .align 16
14574+ 1234: .quad \off; .word \sel
14575+ .popsection
14576+#else
14577+ pushq $\sel
14578+ pushq $\off
14579+ lretq
14580+#endif
14581+ .endm
14582+
14583+ .macro pax_enter_kernel
14584+#ifdef CONFIG_PAX_KERNEXEC
14585+ call pax_enter_kernel
14586+#endif
14587+ .endm
14588+
14589+ .macro pax_exit_kernel
14590+#ifdef CONFIG_PAX_KERNEXEC
14591+ call pax_exit_kernel
14592+#endif
14593+ .endm
14594+
14595+#ifdef CONFIG_PAX_KERNEXEC
14596+ENTRY(pax_enter_kernel)
14597+ pushq %rdi
14598+
14599+#ifdef CONFIG_PARAVIRT
14600+ PV_SAVE_REGS(CLBR_RDI)
14601+#endif
14602+
14603+ GET_CR0_INTO_RDI
14604+ bts $16,%rdi
14605+ jnc 1f
14606+ mov %cs,%edi
14607+ cmp $__KERNEL_CS,%edi
14608+ jz 3f
14609+ ljmpq __KERNEL_CS,3f
14610+1: ljmpq __KERNEXEC_KERNEL_CS,2f
14611+2: SET_RDI_INTO_CR0
14612+3:
14613+
14614+#ifdef CONFIG_PARAVIRT
14615+ PV_RESTORE_REGS(CLBR_RDI)
14616+#endif
14617+
14618+ popq %rdi
14619+ pax_force_retaddr
14620+ retq
14621+ENDPROC(pax_enter_kernel)
14622+
14623+ENTRY(pax_exit_kernel)
14624+ pushq %rdi
14625+
14626+#ifdef CONFIG_PARAVIRT
14627+ PV_SAVE_REGS(CLBR_RDI)
14628+#endif
14629+
14630+ mov %cs,%rdi
14631+ cmp $__KERNEXEC_KERNEL_CS,%edi
14632+ jnz 2f
14633+ GET_CR0_INTO_RDI
14634+ btr $16,%rdi
14635+ ljmpq __KERNEL_CS,1f
14636+1: SET_RDI_INTO_CR0
14637+2:
14638+
14639+#ifdef CONFIG_PARAVIRT
14640+ PV_RESTORE_REGS(CLBR_RDI);
14641+#endif
14642+
14643+ popq %rdi
14644+ pax_force_retaddr
14645+ retq
14646+ENDPROC(pax_exit_kernel)
14647+#endif
14648+
14649+ .macro pax_enter_kernel_user
14650+#ifdef CONFIG_PAX_MEMORY_UDEREF
14651+ call pax_enter_kernel_user
14652+#endif
14653+ .endm
14654+
14655+ .macro pax_exit_kernel_user
14656+#ifdef CONFIG_PAX_MEMORY_UDEREF
14657+ call pax_exit_kernel_user
14658+#endif
14659+#ifdef CONFIG_PAX_RANDKSTACK
14660+ push %rax
14661+ call pax_randomize_kstack
14662+ pop %rax
14663+#endif
14664+ .endm
14665+
14666+#ifdef CONFIG_PAX_MEMORY_UDEREF
14667+ENTRY(pax_enter_kernel_user)
14668+ pushq %rdi
14669+ pushq %rbx
14670+
14671+#ifdef CONFIG_PARAVIRT
14672+ PV_SAVE_REGS(CLBR_RDI)
14673+#endif
14674+
14675+ GET_CR3_INTO_RDI
14676+ mov %rdi,%rbx
14677+ add $__START_KERNEL_map,%rbx
14678+ sub phys_base(%rip),%rbx
14679+
14680+#ifdef CONFIG_PARAVIRT
14681+ pushq %rdi
14682+ cmpl $0, pv_info+PARAVIRT_enabled
14683+ jz 1f
14684+ i = 0
14685+ .rept USER_PGD_PTRS
14686+ mov i*8(%rbx),%rsi
14687+ mov $0,%sil
14688+ lea i*8(%rbx),%rdi
14689+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14690+ i = i + 1
14691+ .endr
14692+ jmp 2f
14693+1:
14694+#endif
14695+
14696+ i = 0
14697+ .rept USER_PGD_PTRS
14698+ movb $0,i*8(%rbx)
14699+ i = i + 1
14700+ .endr
14701+
14702+#ifdef CONFIG_PARAVIRT
14703+2: popq %rdi
14704+#endif
14705+ SET_RDI_INTO_CR3
14706+
14707+#ifdef CONFIG_PAX_KERNEXEC
14708+ GET_CR0_INTO_RDI
14709+ bts $16,%rdi
14710+ SET_RDI_INTO_CR0
14711+#endif
14712+
14713+#ifdef CONFIG_PARAVIRT
14714+ PV_RESTORE_REGS(CLBR_RDI)
14715+#endif
14716+
14717+ popq %rbx
14718+ popq %rdi
14719+ pax_force_retaddr
14720+ retq
14721+ENDPROC(pax_enter_kernel_user)
14722+
14723+ENTRY(pax_exit_kernel_user)
14724+ push %rdi
14725+
14726+#ifdef CONFIG_PARAVIRT
14727+ pushq %rbx
14728+ PV_SAVE_REGS(CLBR_RDI)
14729+#endif
14730+
14731+#ifdef CONFIG_PAX_KERNEXEC
14732+ GET_CR0_INTO_RDI
14733+ btr $16,%rdi
14734+ SET_RDI_INTO_CR0
14735+#endif
14736+
14737+ GET_CR3_INTO_RDI
14738+ add $__START_KERNEL_map,%rdi
14739+ sub phys_base(%rip),%rdi
14740+
14741+#ifdef CONFIG_PARAVIRT
14742+ cmpl $0, pv_info+PARAVIRT_enabled
14743+ jz 1f
14744+ mov %rdi,%rbx
14745+ i = 0
14746+ .rept USER_PGD_PTRS
14747+ mov i*8(%rbx),%rsi
14748+ mov $0x67,%sil
14749+ lea i*8(%rbx),%rdi
14750+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
14751+ i = i + 1
14752+ .endr
14753+ jmp 2f
14754+1:
14755+#endif
14756+
14757+ i = 0
14758+ .rept USER_PGD_PTRS
14759+ movb $0x67,i*8(%rdi)
14760+ i = i + 1
14761+ .endr
14762+
14763+#ifdef CONFIG_PARAVIRT
14764+2: PV_RESTORE_REGS(CLBR_RDI)
14765+ popq %rbx
14766+#endif
14767+
14768+ popq %rdi
14769+ pax_force_retaddr
14770+ retq
14771+ENDPROC(pax_exit_kernel_user)
14772+#endif
14773+
14774+.macro pax_erase_kstack
14775+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14776+ call pax_erase_kstack
14777+#endif
14778+.endm
14779+
14780+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
14781+/*
14782+ * r10: thread_info
14783+ * rcx, rdx: can be clobbered
14784+ */
14785+ENTRY(pax_erase_kstack)
14786+ pushq %rdi
14787+ pushq %rax
14788+ pushq %r10
14789+
14790+ GET_THREAD_INFO(%r10)
14791+ mov TI_lowest_stack(%r10), %rdi
14792+ mov $-0xBEEF, %rax
14793+ std
14794+
14795+1: mov %edi, %ecx
14796+ and $THREAD_SIZE_asm - 1, %ecx
14797+ shr $3, %ecx
14798+ repne scasq
14799+ jecxz 2f
14800+
14801+ cmp $2*8, %ecx
14802+ jc 2f
14803+
14804+ mov $2*8, %ecx
14805+ repe scasq
14806+ jecxz 2f
14807+ jne 1b
14808+
14809+2: cld
14810+ mov %esp, %ecx
14811+ sub %edi, %ecx
14812+
14813+ cmp $THREAD_SIZE_asm, %rcx
14814+ jb 3f
14815+ ud2
14816+3:
14817+
14818+ shr $3, %ecx
14819+ rep stosq
14820+
14821+ mov TI_task_thread_sp0(%r10), %rdi
14822+ sub $256, %rdi
14823+ mov %rdi, TI_lowest_stack(%r10)
14824+
14825+ popq %r10
14826+ popq %rax
14827+ popq %rdi
14828+ pax_force_retaddr
14829+ ret
14830+ENDPROC(pax_erase_kstack)
14831+#endif
14832
14833 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
14834 #ifdef CONFIG_TRACE_IRQFLAGS
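Review bot: The header comment on pax_erase_kstack (`r10: thread_info`, `rcx, rdx: can be clobbered`) does not match the body: the routine pushes %r10 and loads it itself with `GET_THREAD_INFO(%r10)`, and the visible code uses %rcx as scratch without saving it but never touches %rdx. I would replace it with a comment stating the actual contract (no register inputs, %rcx clobbered, %rdi/%rax/%r10 preserved) and noting that `$-0xBEEF` is the fill value the backward `scasq` scan searches for and `rep stosq` writes back. In the same hunk pax_enter_kernel_user and pax_exit_kernel_user hard-code `$0` and `$0x67` as the low byte of each user PGD entry; a named constant or a one-line comment on which flag bits that byte carries would make the pairing checkable.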
14835@@ -317,7 +588,7 @@ ENTRY(save_args)
14836 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
14837 movq_cfi rbp, 8 /* push %rbp */
14838 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
14839- testl $3, CS(%rdi)
14840+ testb $3, CS(%rdi)
14841 je 1f
14842 SWAPGS
14843 /*
14844@@ -337,9 +608,10 @@ ENTRY(save_args)
14845 * We entered an interrupt context - irqs are off:
14846 */
14847 2: TRACE_IRQS_OFF
14848+ pax_force_retaddr
14849 ret
14850 CFI_ENDPROC
14851-END(save_args)
14852+ENDPROC(save_args)
14853
14854 ENTRY(save_rest)
14855 PARTIAL_FRAME 1 REST_SKIP+8
14856@@ -352,9 +624,10 @@ ENTRY(save_rest)
14857 movq_cfi r15, R15+16
14858 movq %r11, 8(%rsp) /* return address */
14859 FIXUP_TOP_OF_STACK %r11, 16
14860+ pax_force_retaddr
14861 ret
14862 CFI_ENDPROC
14863-END(save_rest)
14864+ENDPROC(save_rest)
14865
14866 /* save complete stack frame */
14867 .pushsection .kprobes.text, "ax"
14868@@ -383,9 +656,10 @@ ENTRY(save_paranoid)
14869 js 1f /* negative -> in kernel */
14870 SWAPGS
14871 xorl %ebx,%ebx
14872-1: ret
14873+1: pax_force_retaddr
14874+ ret
14875 CFI_ENDPROC
14876-END(save_paranoid)
14877+ENDPROC(save_paranoid)
14878 .popsection
14879
14880 /*
14881@@ -409,7 +683,7 @@ ENTRY(ret_from_fork)
14882
14883 RESTORE_REST
14884
14885- testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14886+ testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
14887 je int_ret_from_sys_call
14888
14889 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
14890@@ -419,7 +693,7 @@ ENTRY(ret_from_fork)
14891 jmp ret_from_sys_call # go to the SYSRET fastpath
14892
14893 CFI_ENDPROC
14894-END(ret_from_fork)
14895+ENDPROC(ret_from_fork)
14896
14897 /*
14898 * System call entry. Upto 6 arguments in registers are supported.
14899@@ -455,7 +729,7 @@ END(ret_from_fork)
14900 ENTRY(system_call)
14901 CFI_STARTPROC simple
14902 CFI_SIGNAL_FRAME
14903- CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
14904+ CFI_DEF_CFA rsp,0
14905 CFI_REGISTER rip,rcx
14906 /*CFI_REGISTER rflags,r11*/
14907 SWAPGS_UNSAFE_STACK
14908@@ -468,12 +742,13 @@ ENTRY(system_call_after_swapgs)
14909
14910 movq %rsp,PER_CPU_VAR(old_rsp)
14911 movq PER_CPU_VAR(kernel_stack),%rsp
14912+ pax_enter_kernel_user
14913 /*
14914 * No need to follow this irqs off/on section - it's straight
14915 * and short:
14916 */
14917 ENABLE_INTERRUPTS(CLBR_NONE)
14918- SAVE_ARGS 8,1
14919+ SAVE_ARGS 8*6,1
14920 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
14921 movq %rcx,RIP-ARGOFFSET(%rsp)
14922 CFI_REL_OFFSET rip,RIP-ARGOFFSET
14923@@ -502,6 +777,8 @@ sysret_check:
14924 andl %edi,%edx
14925 jnz sysret_careful
14926 CFI_REMEMBER_STATE
14927+ pax_exit_kernel_user
14928+ pax_erase_kstack
14929 /*
14930 * sysretq will re-enable interrupts:
14931 */
14932@@ -562,6 +839,9 @@ auditsys:
14933 movq %rax,%rsi /* 2nd arg: syscall number */
14934 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
14935 call audit_syscall_entry
14936+
14937+ pax_erase_kstack
14938+
14939 LOAD_ARGS 0 /* reload call-clobbered registers */
14940 jmp system_call_fastpath
14941
14942@@ -592,6 +872,9 @@ tracesys:
14943 FIXUP_TOP_OF_STACK %rdi
14944 movq %rsp,%rdi
14945 call syscall_trace_enter
14946+
14947+ pax_erase_kstack
14948+
14949 /*
14950 * Reload arg registers from stack in case ptrace changed them.
14951 * We don't reload %rax because syscall_trace_enter() returned
14952@@ -613,7 +896,7 @@ tracesys:
14953 GLOBAL(int_ret_from_sys_call)
14954 DISABLE_INTERRUPTS(CLBR_NONE)
14955 TRACE_IRQS_OFF
14956- testl $3,CS-ARGOFFSET(%rsp)
14957+ testb $3,CS-ARGOFFSET(%rsp)
14958 je retint_restore_args
14959 movl $_TIF_ALLWORK_MASK,%edi
14960 /* edi: mask to check */
14961@@ -674,7 +957,7 @@ int_restore_rest:
14962 TRACE_IRQS_OFF
14963 jmp int_with_check
14964 CFI_ENDPROC
14965-END(system_call)
14966+ENDPROC(system_call)
14967
14968 /*
14969 * Certain special system calls that need to save a complete full stack frame.
14970@@ -690,7 +973,7 @@ ENTRY(\label)
14971 call \func
14972 jmp ptregscall_common
14973 CFI_ENDPROC
14974-END(\label)
14975+ENDPROC(\label)
14976 .endm
14977
14978 PTREGSCALL stub_clone, sys_clone, %r8
14979@@ -708,9 +991,10 @@ ENTRY(ptregscall_common)
14980 movq_cfi_restore R12+8, r12
14981 movq_cfi_restore RBP+8, rbp
14982 movq_cfi_restore RBX+8, rbx
14983+ pax_force_retaddr
14984 ret $REST_SKIP /* pop extended registers */
14985 CFI_ENDPROC
14986-END(ptregscall_common)
14987+ENDPROC(ptregscall_common)
14988
14989 ENTRY(stub_execve)
14990 CFI_STARTPROC
14991@@ -726,7 +1010,7 @@ ENTRY(stub_execve)
14992 RESTORE_REST
14993 jmp int_ret_from_sys_call
14994 CFI_ENDPROC
14995-END(stub_execve)
14996+ENDPROC(stub_execve)
14997
14998 /*
14999 * sigreturn is special because it needs to restore all registers on return.
15000@@ -744,7 +1028,7 @@ ENTRY(stub_rt_sigreturn)
15001 RESTORE_REST
15002 jmp int_ret_from_sys_call
15003 CFI_ENDPROC
15004-END(stub_rt_sigreturn)
15005+ENDPROC(stub_rt_sigreturn)
15006
15007 /*
15008 * Build the entry stubs and pointer table with some assembler magic.
15009@@ -780,7 +1064,7 @@ vector=vector+1
15010 2: jmp common_interrupt
15011 .endr
15012 CFI_ENDPROC
15013-END(irq_entries_start)
15014+ENDPROC(irq_entries_start)
15015
15016 .previous
15017 END(interrupt)
15018@@ -800,6 +1084,16 @@ END(interrupt)
15019 CFI_ADJUST_CFA_OFFSET 10*8
15020 call save_args
15021 PARTIAL_FRAME 0
15022+#ifdef CONFIG_PAX_MEMORY_UDEREF
15023+ testb $3, CS(%rdi)
15024+ jnz 1f
15025+ pax_enter_kernel
15026+ jmp 2f
15027+1: pax_enter_kernel_user
15028+2:
15029+#else
15030+ pax_enter_kernel
15031+#endif
15032 call \func
15033 .endm
15034
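Review bot: The ten-line CONFIG_PAX_MEMORY_UDEREF dispatch added here (test the saved CS, then `pax_enter_kernel` or `pax_enter_kernel_user`) is pasted again, differing only in the `CS(%rsp)` operand, in the five entry-macro hunks that follow (`@@ -1032,12`, `@@ -1049,12`, `@@ -1066,15`, `@@ -1085,13`, `@@ -1104,13`) and in the nmi hunk (`@@ -1529,6`). I would define it once, next to the `pax_enter_kernel` macro, as a macro that takes the saved-CS operand, and invoke it as a single line per site, e.g. `pax_enter_kernel_by_cs CS(%rdi)` here (the name is only a suggestion). That keeps the seven copies from drifting apart and confines the numeric labels `1:`/`2:` to one place instead of seven macro bodies. The interrupt macro itself starts before this hunk.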
15035@@ -822,7 +1116,7 @@ ret_from_intr:
15036 CFI_ADJUST_CFA_OFFSET -8
15037 exit_intr:
15038 GET_THREAD_INFO(%rcx)
15039- testl $3,CS-ARGOFFSET(%rsp)
15040+ testb $3,CS-ARGOFFSET(%rsp)
15041 je retint_kernel
15042
15043 /* Interrupt came from user space */
15044@@ -844,12 +1138,16 @@ retint_swapgs: /* return to user-space
15045 * The iretq could re-enable interrupts:
15046 */
15047 DISABLE_INTERRUPTS(CLBR_ANY)
15048+ pax_exit_kernel_user
15049+ pax_erase_kstack
15050 TRACE_IRQS_IRETQ
15051 SWAPGS
15052 jmp restore_args
15053
15054 retint_restore_args: /* return to kernel space */
15055 DISABLE_INTERRUPTS(CLBR_ANY)
15056+ pax_exit_kernel
15057+ pax_force_retaddr RIP-ARGOFFSET
15058 /*
15059 * The iretq could re-enable interrupts:
15060 */
15061@@ -940,7 +1238,7 @@ ENTRY(retint_kernel)
15062 #endif
15063
15064 CFI_ENDPROC
15065-END(common_interrupt)
15066+ENDPROC(common_interrupt)
15067
15068 /*
15069 * APIC interrupts.
15070@@ -953,7 +1251,7 @@ ENTRY(\sym)
15071 interrupt \do_sym
15072 jmp ret_from_intr
15073 CFI_ENDPROC
15074-END(\sym)
15075+ENDPROC(\sym)
15076 .endm
15077
15078 #ifdef CONFIG_SMP
15079@@ -1032,12 +1330,22 @@ ENTRY(\sym)
15080 CFI_ADJUST_CFA_OFFSET 15*8
15081 call error_entry
15082 DEFAULT_FRAME 0
15083+#ifdef CONFIG_PAX_MEMORY_UDEREF
15084+ testb $3, CS(%rsp)
15085+ jnz 1f
15086+ pax_enter_kernel
15087+ jmp 2f
15088+1: pax_enter_kernel_user
15089+2:
15090+#else
15091+ pax_enter_kernel
15092+#endif
15093 movq %rsp,%rdi /* pt_regs pointer */
15094 xorl %esi,%esi /* no error code */
15095 call \do_sym
15096 jmp error_exit /* %ebx: no swapgs flag */
15097 CFI_ENDPROC
15098-END(\sym)
15099+ENDPROC(\sym)
15100 .endm
15101
15102 .macro paranoidzeroentry sym do_sym
15103@@ -1049,12 +1357,22 @@ ENTRY(\sym)
15104 subq $15*8, %rsp
15105 call save_paranoid
15106 TRACE_IRQS_OFF
15107+#ifdef CONFIG_PAX_MEMORY_UDEREF
15108+ testb $3, CS(%rsp)
15109+ jnz 1f
15110+ pax_enter_kernel
15111+ jmp 2f
15112+1: pax_enter_kernel_user
15113+2:
15114+#else
15115+ pax_enter_kernel
15116+#endif
15117 movq %rsp,%rdi /* pt_regs pointer */
15118 xorl %esi,%esi /* no error code */
15119 call \do_sym
15120 jmp paranoid_exit /* %ebx: no swapgs flag */
15121 CFI_ENDPROC
15122-END(\sym)
15123+ENDPROC(\sym)
15124 .endm
15125
15126 .macro paranoidzeroentry_ist sym do_sym ist
15127@@ -1066,15 +1384,30 @@ ENTRY(\sym)
15128 subq $15*8, %rsp
15129 call save_paranoid
15130 TRACE_IRQS_OFF
15131+#ifdef CONFIG_PAX_MEMORY_UDEREF
15132+ testb $3, CS(%rsp)
15133+ jnz 1f
15134+ pax_enter_kernel
15135+ jmp 2f
15136+1: pax_enter_kernel_user
15137+2:
15138+#else
15139+ pax_enter_kernel
15140+#endif
15141 movq %rsp,%rdi /* pt_regs pointer */
15142 xorl %esi,%esi /* no error code */
15143- PER_CPU(init_tss, %rbp)
15144+#ifdef CONFIG_SMP
15145+ imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
15146+ lea init_tss(%rbp), %rbp
15147+#else
15148+ lea init_tss(%rip), %rbp
15149+#endif
15150 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
15151 call \do_sym
15152 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
15153 jmp paranoid_exit /* %ebx: no swapgs flag */
15154 CFI_ENDPROC
15155-END(\sym)
15156+ENDPROC(\sym)
15157 .endm
15158
15159 .macro errorentry sym do_sym
15160@@ -1085,13 +1418,23 @@ ENTRY(\sym)
15161 CFI_ADJUST_CFA_OFFSET 15*8
15162 call error_entry
15163 DEFAULT_FRAME 0
15164+#ifdef CONFIG_PAX_MEMORY_UDEREF
15165+ testb $3, CS(%rsp)
15166+ jnz 1f
15167+ pax_enter_kernel
15168+ jmp 2f
15169+1: pax_enter_kernel_user
15170+2:
15171+#else
15172+ pax_enter_kernel
15173+#endif
15174 movq %rsp,%rdi /* pt_regs pointer */
15175 movq ORIG_RAX(%rsp),%rsi /* get error code */
15176 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15177 call \do_sym
15178 jmp error_exit /* %ebx: no swapgs flag */
15179 CFI_ENDPROC
15180-END(\sym)
15181+ENDPROC(\sym)
15182 .endm
15183
15184 /* error code is on the stack already */
15185@@ -1104,13 +1447,23 @@ ENTRY(\sym)
15186 call save_paranoid
15187 DEFAULT_FRAME 0
15188 TRACE_IRQS_OFF
15189+#ifdef CONFIG_PAX_MEMORY_UDEREF
15190+ testb $3, CS(%rsp)
15191+ jnz 1f
15192+ pax_enter_kernel
15193+ jmp 2f
15194+1: pax_enter_kernel_user
15195+2:
15196+#else
15197+ pax_enter_kernel
15198+#endif
15199 movq %rsp,%rdi /* pt_regs pointer */
15200 movq ORIG_RAX(%rsp),%rsi /* get error code */
15201 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
15202 call \do_sym
15203 jmp paranoid_exit /* %ebx: no swapgs flag */
15204 CFI_ENDPROC
15205-END(\sym)
15206+ENDPROC(\sym)
15207 .endm
15208
15209 zeroentry divide_error do_divide_error
15210@@ -1141,9 +1494,10 @@ gs_change:
15211 SWAPGS
15212 popf
15213 CFI_ADJUST_CFA_OFFSET -8
15214+ pax_force_retaddr
15215 ret
15216 CFI_ENDPROC
15217-END(native_load_gs_index)
15218+ENDPROC(native_load_gs_index)
15219
15220 .section __ex_table,"a"
15221 .align 8
15222@@ -1195,9 +1549,10 @@ ENTRY(kernel_thread)
15223 */
15224 RESTORE_ALL
15225 UNFAKE_STACK_FRAME
15226+ pax_force_retaddr
15227 ret
15228 CFI_ENDPROC
15229-END(kernel_thread)
15230+ENDPROC(kernel_thread)
15231
15232 ENTRY(child_rip)
15233 pushq $0 # fake return address
15234@@ -1208,13 +1563,14 @@ ENTRY(child_rip)
15235 */
15236 movq %rdi, %rax
15237 movq %rsi, %rdi
15238+ pax_force_fptr %rax
15239 call *%rax
15240 # exit
15241 mov %eax, %edi
15242 call do_exit
15243 ud2 # padding for call trace
15244 CFI_ENDPROC
15245-END(child_rip)
15246+ENDPROC(child_rip)
15247
15248 /*
15249 * execve(). This function needs to use IRET, not SYSRET, to set up all state properly.
15250@@ -1243,9 +1599,10 @@ ENTRY(kernel_execve)
15251 je int_ret_from_sys_call
15252 RESTORE_ARGS
15253 UNFAKE_STACK_FRAME
15254+ pax_force_retaddr
15255 ret
15256 CFI_ENDPROC
15257-END(kernel_execve)
15258+ENDPROC(kernel_execve)
15259
15260 /* Call softirq on interrupt stack. Interrupts are off. */
15261 ENTRY(call_softirq)
15262@@ -1263,9 +1620,10 @@ ENTRY(call_softirq)
15263 CFI_DEF_CFA_REGISTER rsp
15264 CFI_ADJUST_CFA_OFFSET -8
15265 decl PER_CPU_VAR(irq_count)
15266+ pax_force_retaddr
15267 ret
15268 CFI_ENDPROC
15269-END(call_softirq)
15270+ENDPROC(call_softirq)
15271
15272 #ifdef CONFIG_XEN
15273 zeroentry xen_hypervisor_callback xen_do_hypervisor_callback
15274@@ -1303,7 +1661,7 @@ ENTRY(xen_do_hypervisor_callback) # do
15275 decl PER_CPU_VAR(irq_count)
15276 jmp error_exit
15277 CFI_ENDPROC
15278-END(xen_do_hypervisor_callback)
15279+ENDPROC(xen_do_hypervisor_callback)
15280
15281 /*
15282 * Hypervisor uses this for application faults while it executes.
15283@@ -1362,7 +1720,7 @@ ENTRY(xen_failsafe_callback)
15284 SAVE_ALL
15285 jmp error_exit
15286 CFI_ENDPROC
15287-END(xen_failsafe_callback)
15288+ENDPROC(xen_failsafe_callback)
15289
15290 #endif /* CONFIG_XEN */
15291
15292@@ -1405,16 +1763,31 @@ ENTRY(paranoid_exit)
15293 TRACE_IRQS_OFF
15294 testl %ebx,%ebx /* swapgs needed? */
15295 jnz paranoid_restore
15296- testl $3,CS(%rsp)
15297+ testb $3,CS(%rsp)
15298 jnz paranoid_userspace
15299+#ifdef CONFIG_PAX_MEMORY_UDEREF
15300+ pax_exit_kernel
15301+ TRACE_IRQS_IRETQ 0
15302+ SWAPGS_UNSAFE_STACK
15303+ RESTORE_ALL 8
15304+ pax_force_retaddr
15305+ jmp irq_return
15306+#endif
15307 paranoid_swapgs:
15308+#ifdef CONFIG_PAX_MEMORY_UDEREF
15309+ pax_exit_kernel_user
15310+#else
15311+ pax_exit_kernel
15312+#endif
15313 TRACE_IRQS_IRETQ 0
15314 SWAPGS_UNSAFE_STACK
15315 RESTORE_ALL 8
15316 jmp irq_return
15317 paranoid_restore:
15318+ pax_exit_kernel
15319 TRACE_IRQS_IRETQ 0
15320 RESTORE_ALL 8
15321+ pax_force_retaddr
15322 jmp irq_return
15323 paranoid_userspace:
15324 GET_THREAD_INFO(%rcx)
15325@@ -1443,7 +1816,7 @@ paranoid_schedule:
15326 TRACE_IRQS_OFF
15327 jmp paranoid_userspace
15328 CFI_ENDPROC
15329-END(paranoid_exit)
15330+ENDPROC(paranoid_exit)
15331
15332 /*
15333 * Exception entry point. This expects an error code/orig_rax on the stack.
15334@@ -1470,12 +1843,13 @@ ENTRY(error_entry)
15335 movq_cfi r14, R14+8
15336 movq_cfi r15, R15+8
15337 xorl %ebx,%ebx
15338- testl $3,CS+8(%rsp)
15339+ testb $3,CS+8(%rsp)
15340 je error_kernelspace
15341 error_swapgs:
15342 SWAPGS
15343 error_sti:
15344 TRACE_IRQS_OFF
15345+ pax_force_retaddr
15346 ret
15347 CFI_ENDPROC
15348
15349@@ -1497,7 +1871,7 @@ error_kernelspace:
15350 cmpq $gs_change,RIP+8(%rsp)
15351 je error_swapgs
15352 jmp error_sti
15353-END(error_entry)
15354+ENDPROC(error_entry)
15355
15356
15357 /* ebx: no swapgs flag (1: don't need swapgs, 0: need it) */
15358@@ -1517,7 +1891,7 @@ ENTRY(error_exit)
15359 jnz retint_careful
15360 jmp retint_swapgs
15361 CFI_ENDPROC
15362-END(error_exit)
15363+ENDPROC(error_exit)
15364
15365
15366 /* runs on exception stack */
15367@@ -1529,6 +1903,16 @@ ENTRY(nmi)
15368 CFI_ADJUST_CFA_OFFSET 15*8
15369 call save_paranoid
15370 DEFAULT_FRAME 0
15371+#ifdef CONFIG_PAX_MEMORY_UDEREF
15372+ testb $3, CS(%rsp)
15373+ jnz 1f
15374+ pax_enter_kernel
15375+ jmp 2f
15376+1: pax_enter_kernel_user
15377+2:
15378+#else
15379+ pax_enter_kernel
15380+#endif
15381 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
15382 movq %rsp,%rdi
15383 movq $-1,%rsi
15384@@ -1539,12 +1923,28 @@ ENTRY(nmi)
15385 DISABLE_INTERRUPTS(CLBR_NONE)
15386 testl %ebx,%ebx /* swapgs needed? */
15387 jnz nmi_restore
15388- testl $3,CS(%rsp)
15389+ testb $3,CS(%rsp)
15390 jnz nmi_userspace
15391+#ifdef CONFIG_PAX_MEMORY_UDEREF
15392+ pax_exit_kernel
15393+ SWAPGS_UNSAFE_STACK
15394+ RESTORE_ALL 8
15395+ pax_force_retaddr
15396+ jmp irq_return
15397+#endif
15398 nmi_swapgs:
15399+#ifdef CONFIG_PAX_MEMORY_UDEREF
15400+ pax_exit_kernel_user
15401+#else
15402+ pax_exit_kernel
15403+#endif
15404 SWAPGS_UNSAFE_STACK
15405+ RESTORE_ALL 8
15406+ jmp irq_return
15407 nmi_restore:
15408+ pax_exit_kernel
15409 RESTORE_ALL 8
15410+ pax_force_retaddr
15411 jmp irq_return
15412 nmi_userspace:
15413 GET_THREAD_INFO(%rcx)
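Review bot: The NMI exit paths in this hunk do not treat `pax_force_retaddr` consistently: the UDEREF kernel-mode path and `nmi_restore` run it after `RESTORE_ALL 8`, but `nmi_swapgs` goes from `RESTORE_ALL 8` straight to `jmp irq_return`. Without `CONFIG_PAX_MEMORY_UDEREF`, a kernel-mode NMI with %ebx clear falls through into `nmi_swapgs`, so that return to kernel code skips the step the other two kernel returns take. The macro is defined outside this hunk, so the effect of the omission cannot be judged from here. If `nmi_swapgs` is only meant for returns to user mode, a comment such as `/* user-mode return: no pax_force_retaddr */` above its `jmp irq_return` would record that, and the non-UDEREF fall-through needs a second look.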
15414@@ -1573,14 +1973,14 @@ nmi_schedule:
15415 jmp paranoid_exit
15416 CFI_ENDPROC
15417 #endif
15418-END(nmi)
15419+ENDPROC(nmi)
15420
15421 ENTRY(ignore_sysret)
15422 CFI_STARTPROC
15423 mov $-ENOSYS,%eax
15424 sysret
15425 CFI_ENDPROC
15426-END(ignore_sysret)
15427+ENDPROC(ignore_sysret)
15428
15429 /*
15430 * End of kprobes section
15431diff -urNp linux-2.6.32.48/arch/x86/kernel/ftrace.c linux-2.6.32.48/arch/x86/kernel/ftrace.c
15432--- linux-2.6.32.48/arch/x86/kernel/ftrace.c 2011-11-08 19:02:43.000000000 -0500
15433+++ linux-2.6.32.48/arch/x86/kernel/ftrace.c 2011-11-15 19:59:43.000000000 -0500
15434@@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
15435 static void *mod_code_newcode; /* holds the text to write to the IP */
15436
15437 static unsigned nmi_wait_count;
15438-static atomic_t nmi_update_count = ATOMIC_INIT(0);
15439+static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
15440
15441 int ftrace_arch_read_dyn_info(char *buf, int size)
15442 {
15443@@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
15444
15445 r = snprintf(buf, size, "%u %u",
15446 nmi_wait_count,
15447- atomic_read(&nmi_update_count));
15448+ atomic_read_unchecked(&nmi_update_count));
15449 return r;
15450 }
15451
15452@@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
15453 {
15454 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
15455 smp_rmb();
15456+ pax_open_kernel();
15457 ftrace_mod_code();
15458- atomic_inc(&nmi_update_count);
15459+ pax_close_kernel();
15460+ atomic_inc_unchecked(&nmi_update_count);
15461 }
15462 /* Must have previous changes seen before executions */
15463 smp_mb();
15464@@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
15465
15466
15467
15468-static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
15469+static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
15470
15471 static unsigned char *ftrace_nop_replace(void)
15472 {
15473@@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
15474 {
15475 unsigned char replaced[MCOUNT_INSN_SIZE];
15476
15477+ ip = ktla_ktva(ip);
15478+
15479 /*
15480 * Note: Due to modules and __init, code can
15481 * disappear and change, we need to protect against faulting
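Review bot: The reassignment `ip = ktla_ktva(ip);` at the top of ftrace_modify_code has no comment, and from that point `ip` no longer holds the address the caller passed in. The same line is added to ftrace_mod_jmp further down. A one-line comment would help, for example `/* translate the text address to the alias used for reading and patching it */`. The macro is defined outside this view, so that wording should be checked against its definition. The function body continues past the end of the hunk.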
15482@@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
15483 unsigned char old[MCOUNT_INSN_SIZE], *new;
15484 int ret;
15485
15486- memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
15487+ memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
15488 new = ftrace_call_replace(ip, (unsigned long)func);
15489 ret = ftrace_modify_code(ip, old, new);
15490
15491@@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
15492 switch (faulted) {
15493 case 0:
15494 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
15495- memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
15496+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
15497 break;
15498 case 1:
15499 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
15500- memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
15501+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
15502 break;
15503 case 2:
15504 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
15505- memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
15506+ memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
15507 break;
15508 }
15509
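Review bot: The three `memcpy(ftrace_nop, ...)` calls write to an array that this patch marks `__read_only` (declaration hunk above), yet unlike ftrace_nmi_enter they are not bracketed by `pax_open_kernel()`/`pax_close_kernel()`. If read-only data is already write-protected when ftrace_dyn_arch_init runs, these stores would fault. If it is not yet protected at that point in boot, a comment such as `/* __read_only data is still writable during early init */` would make the ordering dependency explicit. The function starts and ends outside the hunk, so an enclosing open/close pair cannot be ruled out from here.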
15510@@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
15511 {
15512 unsigned char code[MCOUNT_INSN_SIZE];
15513
15514+ ip = ktla_ktva(ip);
15515+
15516 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
15517 return -EFAULT;
15518
15519diff -urNp linux-2.6.32.48/arch/x86/kernel/head32.c linux-2.6.32.48/arch/x86/kernel/head32.c
15520--- linux-2.6.32.48/arch/x86/kernel/head32.c 2011-11-08 19:02:43.000000000 -0500
15521+++ linux-2.6.32.48/arch/x86/kernel/head32.c 2011-11-15 19:59:43.000000000 -0500
15522@@ -16,6 +16,7 @@
15523 #include <asm/apic.h>
15524 #include <asm/io_apic.h>
15525 #include <asm/bios_ebda.h>
15526+#include <asm/boot.h>
15527
15528 static void __init i386_default_early_setup(void)
15529 {
15530@@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
15531 {
15532 reserve_trampoline_memory();
15533
15534- reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15535+ reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
15536
15537 #ifdef CONFIG_BLK_DEV_INITRD
15538 /* Reserve INITRD */
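Review bot: The start of the early reservation changes from the runtime symbol `__pa_symbol(&_text)` to the build-time constant `LOAD_PHYSICAL_ADDR`, and the change is unconditional rather than under `CONFIG_PAX_KERNEXEC`. If the image can end up at a physical address other than `LOAD_PHYSICAL_ADDR` (a relocatable build, for example), the reserved range no longer tracks where the kernel actually sits. A comment stating why the constant is correct here, or a guard on the config option that needs it, would make the assumption visible. The body of i386_start_kernel continues outside the hunk.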
15539diff -urNp linux-2.6.32.48/arch/x86/kernel/head_32.S linux-2.6.32.48/arch/x86/kernel/head_32.S
15540--- linux-2.6.32.48/arch/x86/kernel/head_32.S 2011-11-08 19:02:43.000000000 -0500
15541+++ linux-2.6.32.48/arch/x86/kernel/head_32.S 2011-11-15 19:59:43.000000000 -0500
15542@@ -19,10 +19,17 @@
15543 #include <asm/setup.h>
15544 #include <asm/processor-flags.h>
15545 #include <asm/percpu.h>
15546+#include <asm/msr-index.h>
15547
15548 /* Physical address */
15549 #define pa(X) ((X) - __PAGE_OFFSET)
15550
15551+#ifdef CONFIG_PAX_KERNEXEC
15552+#define ta(X) (X)
15553+#else
15554+#define ta(X) ((X) - __PAGE_OFFSET)
15555+#endif
15556+
15557 /*
15558 * References to members of the new_cpu_data structure.
15559 */
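Review bot: The new `ta(X)` macro has no comment, while `pa(X)` directly above it is labelled `/* Physical address */`. Its only visible use is the `subarch_entries` table, which is read through `jmp *pa(subarch_entries)(,%eax,4)` before paging is enabled. Something like `/* Text address: jump target usable before paging is on */` would help. Why it is the identity under `CONFIG_PAX_KERNEXEC` appears to follow from the `__BOOT_CS` base set up in startup_32, which should be confirmed and noted in the comment as well.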
15560@@ -52,11 +59,7 @@
15561 * and small than max_low_pfn, otherwise will waste some page table entries
15562 */
15563
15564-#if PTRS_PER_PMD > 1
15565-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
15566-#else
15567-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
15568-#endif
15569+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
15570
15571 /* Enough space to fit pagetables for the low memory linear map */
15572 MAPPING_BEYOND_END = \
15573@@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
15574 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15575
15576 /*
15577+ * Real beginning of normal "text" segment
15578+ */
15579+ENTRY(stext)
15580+ENTRY(_stext)
15581+
15582+/*
15583 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
15584 * %esi points to the real-mode code as a 32-bit pointer.
15585 * CS and DS must be 4 GB flat segments, but we don't depend on
15586@@ -80,7 +89,16 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
15587 * can.
15588 */
15589 __HEAD
15590+
15591+#ifdef CONFIG_PAX_KERNEXEC
15592+ jmp startup_32
15593+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
15594+.fill PAGE_SIZE-5,1,0xcc
15595+#endif
15596+
15597 ENTRY(startup_32)
15598+ movl pa(stack_start),%ecx
15599+
15600 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
15601 us to not reload segments */
15602 testb $(1<<6), BP_loadflags(%esi)
15603@@ -95,7 +113,60 @@ ENTRY(startup_32)
15604 movl %eax,%es
15605 movl %eax,%fs
15606 movl %eax,%gs
15607+ movl %eax,%ss
15608 2:
15609+ leal -__PAGE_OFFSET(%ecx),%esp
15610+
15611+#ifdef CONFIG_SMP
15612+ movl $pa(cpu_gdt_table),%edi
15613+ movl $__per_cpu_load,%eax
15614+ movw %ax,__KERNEL_PERCPU + 2(%edi)
15615+ rorl $16,%eax
15616+ movb %al,__KERNEL_PERCPU + 4(%edi)
15617+ movb %ah,__KERNEL_PERCPU + 7(%edi)
15618+ movl $__per_cpu_end - 1,%eax
15619+ subl $__per_cpu_start,%eax
15620+ movw %ax,__KERNEL_PERCPU + 0(%edi)
15621+#endif
15622+
15623+#ifdef CONFIG_PAX_MEMORY_UDEREF
15624+ movl $NR_CPUS,%ecx
15625+ movl $pa(cpu_gdt_table),%edi
15626+1:
15627+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
15628+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
15629+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
15630+ addl $PAGE_SIZE_asm,%edi
15631+ loop 1b
15632+#endif
15633+
15634+#ifdef CONFIG_PAX_KERNEXEC
15635+ movl $pa(boot_gdt),%edi
15636+ movl $__LOAD_PHYSICAL_ADDR,%eax
15637+ movw %ax,__BOOT_CS + 2(%edi)
15638+ rorl $16,%eax
15639+ movb %al,__BOOT_CS + 4(%edi)
15640+ movb %ah,__BOOT_CS + 7(%edi)
15641+ rorl $16,%eax
15642+
15643+ ljmp $(__BOOT_CS),$1f
15644+1:
15645+
15646+ movl $NR_CPUS,%ecx
15647+ movl $pa(cpu_gdt_table),%edi
15648+ addl $__PAGE_OFFSET,%eax
15649+1:
15650+ movw %ax,__KERNEL_CS + 2(%edi)
15651+ movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
15652+ rorl $16,%eax
15653+ movb %al,__KERNEL_CS + 4(%edi)
15654+ movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
15655+ movb %ah,__KERNEL_CS + 7(%edi)
15656+ movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
15657+ rorl $16,%eax
15658+ addl $PAGE_SIZE_asm,%edi
15659+ loop 1b
15660+#endif
15661
15662 /*
15663 * Clear BSS first so that there are no surprises...
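Review bot: In the `CONFIG_PAX_MEMORY_UDEREF` block the segment limit is built from `((__PAGE_OFFSET-1) & 0xf0000000) >> 12`, which keeps only the top four bits of the address. The low sixteen limit bits are the static `0xffff` already present in the `cpu_gdt_table` entries. The limit therefore equals `__PAGE_OFFSET - 1` only when `__PAGE_OFFSET` is 256 MiB aligned. For any other split, the user segments (0xfb/0xf3) would reach above `__PAGE_OFFSET`, and the expand-down kernel data segment (0x97) would begin above it. A build-time check beside the loop makes this explicit: `#if __PAGE_OFFSET & 0x0fffffff` / `#error "UDEREF needs a 256MB-aligned PAGE_OFFSET"` / `#endif`, together with a comment naming the three descriptor types. The loops here also assume each CPU's table is exactly `PAGE_SIZE_asm` bytes apart.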
15664@@ -140,9 +211,7 @@ ENTRY(startup_32)
15665 cmpl $num_subarch_entries, %eax
15666 jae bad_subarch
15667
15668- movl pa(subarch_entries)(,%eax,4), %eax
15669- subl $__PAGE_OFFSET, %eax
15670- jmp *%eax
15671+ jmp *pa(subarch_entries)(,%eax,4)
15672
15673 bad_subarch:
15674 WEAK(lguest_entry)
15675@@ -154,10 +223,10 @@ WEAK(xen_entry)
15676 __INITDATA
15677
15678 subarch_entries:
15679- .long default_entry /* normal x86/PC */
15680- .long lguest_entry /* lguest hypervisor */
15681- .long xen_entry /* Xen hypervisor */
15682- .long default_entry /* Moorestown MID */
15683+ .long ta(default_entry) /* normal x86/PC */
15684+ .long ta(lguest_entry) /* lguest hypervisor */
15685+ .long ta(xen_entry) /* Xen hypervisor */
15686+ .long ta(default_entry) /* Moorestown MID */
15687 num_subarch_entries = (. - subarch_entries) / 4
15688 .previous
15689 #endif /* CONFIG_PARAVIRT */
15690@@ -218,8 +287,11 @@ default_entry:
15691 movl %eax, pa(max_pfn_mapped)
15692
15693 /* Do early initialization of the fixmap area */
15694- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15695- movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15696+#ifdef CONFIG_COMPAT_VDSO
15697+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15698+#else
15699+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
15700+#endif
15701 #else /* Not PAE */
15702
15703 page_pde_offset = (__PAGE_OFFSET >> 20);
15704@@ -249,8 +321,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
15705 movl %eax, pa(max_pfn_mapped)
15706
15707 /* Do early initialization of the fixmap area */
15708- movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
15709- movl %eax,pa(swapper_pg_dir+0xffc)
15710+#ifdef CONFIG_COMPAT_VDSO
15711+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
15712+#else
15713+ movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
15714+#endif
15715 #endif
15716 jmp 3f
15717 /*
15718@@ -272,6 +347,9 @@ ENTRY(startup_32_smp)
15719 movl %eax,%es
15720 movl %eax,%fs
15721 movl %eax,%gs
15722+ movl pa(stack_start),%ecx
15723+ movl %eax,%ss
15724+ leal -__PAGE_OFFSET(%ecx),%esp
15725 #endif /* CONFIG_SMP */
15726 3:
15727
15728@@ -297,6 +375,7 @@ ENTRY(startup_32_smp)
15729 orl %edx,%eax
15730 movl %eax,%cr4
15731
15732+#ifdef CONFIG_X86_PAE
15733 btl $5, %eax # check if PAE is enabled
15734 jnc 6f
15735
15736@@ -305,6 +384,10 @@ ENTRY(startup_32_smp)
15737 cpuid
15738 cmpl $0x80000000, %eax
15739 jbe 6f
15740+
15741+ /* Clear bogus XD_DISABLE bits */
15742+ call verify_cpu
15743+
15744 mov $0x80000001, %eax
15745 cpuid
15746 /* Execute Disable bit supported? */
15747@@ -312,13 +395,17 @@ ENTRY(startup_32_smp)
15748 jnc 6f
15749
15750 /* Setup EFER (Extended Feature Enable Register) */
15751- movl $0xc0000080, %ecx
15752+ movl $MSR_EFER, %ecx
15753 rdmsr
15754
15755 btsl $11, %eax
15756 /* Make changes effective */
15757 wrmsr
15758
15759+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
15760+ movl $1,pa(nx_enabled)
15761+#endif
15762+
15763 6:
15764
15765 /*
15766@@ -331,8 +418,8 @@ ENTRY(startup_32_smp)
15767 movl %eax,%cr0 /* ..and set paging (PG) bit */
15768 ljmp $__BOOT_CS,$1f /* Clear prefetch and normalize %eip */
15769 1:
15770- /* Set up the stack pointer */
15771- lss stack_start,%esp
15772+ /* Shift the stack pointer to a virtual address */
15773+ addl $__PAGE_OFFSET, %esp
15774
15775 /*
15776 * Initialize eflags. Some BIOS's leave bits like NT set. This would
15777@@ -344,9 +431,7 @@ ENTRY(startup_32_smp)
15778
15779 #ifdef CONFIG_SMP
15780 cmpb $0, ready
15781- jz 1f /* Initial CPU cleans BSS */
15782- jmp checkCPUtype
15783-1:
15784+ jnz checkCPUtype
15785 #endif /* CONFIG_SMP */
15786
15787 /*
15788@@ -424,7 +509,7 @@ is386: movl $2,%ecx # set MP
15789 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
15790 movl %eax,%ss # after changing gdt.
15791
15792- movl $(__USER_DS),%eax # DS/ES contains default USER segment
15793+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
15794 movl %eax,%ds
15795 movl %eax,%es
15796
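Review bot: The `__USER_DS` load is replaced by a commented-out instruction, so the following `movl %eax,%ds` and `movl %eax,%es` now depend silently on %eax still holding `__KERNEL_DS` from the `movl $(__KERNEL_DS),%eax` two instructions earlier. Commented-out code reads like a leftover and hides that dependency. A real comment states it, e.g. `/* %eax still holds __KERNEL_DS: DS/ES use the kernel segment */`. The surrounding code runs on past both ends of the hunk.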
15797@@ -438,15 +523,22 @@ is386: movl $2,%ecx # set MP
15798 */
15799 cmpb $0,ready
15800 jne 1f
15801- movl $per_cpu__gdt_page,%eax
15802+ movl $cpu_gdt_table,%eax
15803 movl $per_cpu__stack_canary,%ecx
15804+#ifdef CONFIG_SMP
15805+ addl $__per_cpu_load,%ecx
15806+#endif
15807 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
15808 shrl $16, %ecx
15809 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
15810 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
15811 1:
15812-#endif
15813 movl $(__KERNEL_STACK_CANARY),%eax
15814+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15815+ movl $(__USER_DS),%eax
15816+#else
15817+ xorl %eax,%eax
15818+#endif
15819 movl %eax,%gs
15820
15821 xorl %eax,%eax # Clear LDT
15822@@ -454,14 +546,7 @@ is386: movl $2,%ecx # set MP
15823
15824 cld # gcc2 wants the direction flag cleared at all times
15825 pushl $0 # fake return address for unwinder
15826-#ifdef CONFIG_SMP
15827- movb ready, %cl
15828 movb $1, ready
15829- cmpb $0,%cl # the first CPU calls start_kernel
15830- je 1f
15831- movl (stack_start), %esp
15832-1:
15833-#endif /* CONFIG_SMP */
15834 jmp *(initial_code)
15835
15836 /*
15837@@ -546,22 +631,22 @@ early_page_fault:
15838 jmp early_fault
15839
15840 early_fault:
15841- cld
15842 #ifdef CONFIG_PRINTK
15843+ cmpl $1,%ss:early_recursion_flag
15844+ je hlt_loop
15845+ incl %ss:early_recursion_flag
15846+ cld
15847 pusha
15848 movl $(__KERNEL_DS),%eax
15849 movl %eax,%ds
15850 movl %eax,%es
15851- cmpl $2,early_recursion_flag
15852- je hlt_loop
15853- incl early_recursion_flag
15854 movl %cr2,%eax
15855 pushl %eax
15856 pushl %edx /* trapno */
15857 pushl $fault_msg
15858 call printk
15859+; call dump_stack
15860 #endif
15861- call dump_stack
15862 hlt_loop:
15863 hlt
15864 jmp hlt_loop
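Review bot: The added line `; call dump_stack` probably does not disable the call. In GNU as for x86, `;` separates statements and does not start a comment, so the line would still assemble `call dump_stack`, now inside the `CONFIG_PRINTK` block. If the call is meant to stay, drop the `;`. If it is meant to be disabled, delete the line or write `/* call dump_stack */`. Separately, early_fault now halts when `early_recursion_flag` equals 1 while ignore_int still compares against 2, which deserves a comment if the difference is intended.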
15865@@ -569,8 +654,11 @@ hlt_loop:
15866 /* This is the default interrupt "handler" :-) */
15867 ALIGN
15868 ignore_int:
15869- cld
15870 #ifdef CONFIG_PRINTK
15871+ cmpl $2,%ss:early_recursion_flag
15872+ je hlt_loop
15873+ incl %ss:early_recursion_flag
15874+ cld
15875 pushl %eax
15876 pushl %ecx
15877 pushl %edx
15878@@ -579,9 +667,6 @@ ignore_int:
15879 movl $(__KERNEL_DS),%eax
15880 movl %eax,%ds
15881 movl %eax,%es
15882- cmpl $2,early_recursion_flag
15883- je hlt_loop
15884- incl early_recursion_flag
15885 pushl 16(%esp)
15886 pushl 24(%esp)
15887 pushl 32(%esp)
15888@@ -600,6 +685,8 @@ ignore_int:
15889 #endif
15890 iret
15891
15892+#include "verify_cpu.S"
15893+
15894 __REFDATA
15895 .align 4
15896 ENTRY(initial_code)
15897@@ -610,31 +697,47 @@ ENTRY(initial_page_table)
15898 /*
15899 * BSS section
15900 */
15901-__PAGE_ALIGNED_BSS
15902- .align PAGE_SIZE_asm
15903 #ifdef CONFIG_X86_PAE
15904+.section .swapper_pg_pmd,"a",@progbits
15905 swapper_pg_pmd:
15906 .fill 1024*KPMDS,4,0
15907 #else
15908+.section .swapper_pg_dir,"a",@progbits
15909 ENTRY(swapper_pg_dir)
15910 .fill 1024,4,0
15911 #endif
15912+.section .swapper_pg_fixmap,"a",@progbits
15913 swapper_pg_fixmap:
15914 .fill 1024,4,0
15915 #ifdef CONFIG_X86_TRAMPOLINE
15916+.section .trampoline_pg_dir,"a",@progbits
15917 ENTRY(trampoline_pg_dir)
15918+#ifdef CONFIG_X86_PAE
15919+ .fill 4,8,0
15920+#else
15921 .fill 1024,4,0
15922 #endif
15923+#endif
15924+
15925+.section .empty_zero_page,"a",@progbits
15926 ENTRY(empty_zero_page)
15927 .fill 4096,1,0
15928
15929 /*
15930+ * The IDT has to be page-aligned to simplify the Pentium
15931+ * F0 0F bug workaround.. We have a special link segment
15932+ * for this.
15933+ */
15934+.section .idt,"a",@progbits
15935+ENTRY(idt_table)
15936+ .fill 256,8,0
15937+
15938+/*
15939 * This starts the data section.
15940 */
15941 #ifdef CONFIG_X86_PAE
15942-__PAGE_ALIGNED_DATA
15943- /* Page-aligned for the benefit of paravirt? */
15944- .align PAGE_SIZE_asm
15945+.section .swapper_pg_dir,"a",@progbits
15946+
15947 ENTRY(swapper_pg_dir)
15948 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
15949 # if KPMDS == 3
15950@@ -653,15 +756,24 @@ ENTRY(swapper_pg_dir)
15951 # error "Kernel PMDs should be 1, 2 or 3"
15952 # endif
15953 .align PAGE_SIZE_asm /* needs to be page-sized too */
15954+
15955+#ifdef CONFIG_PAX_PER_CPU_PGD
15956+ENTRY(cpu_pgd)
15957+ .rept NR_CPUS
15958+ .fill 4,8,0
15959+ .endr
15960+#endif
15961+
15962 #endif
15963
15964 .data
15965+.balign 4
15966 ENTRY(stack_start)
15967- .long init_thread_union+THREAD_SIZE
15968- .long __BOOT_DS
15969+ .long init_thread_union+THREAD_SIZE-8
15970
15971 ready: .byte 0
15972
15973+.section .rodata,"a",@progbits
15974 early_recursion_flag:
15975 .long 0
15976
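Review bot: `early_recursion_flag` is moved into `.rodata`, but early_fault and ignore_int in this same file increment it with `incl %ss:early_recursion_flag`. That works only while the page is still writable. head_64.S in this patch keeps its `early_recursion_flag` in `__INITDATA` instead. ignore_int is described in the file as the default interrupt handler, so check whether it can still run once read-only data is protected. If it can, the flag needs a writable section, or the increment needs to be skipped. The `.section .rodata` directive also applies to everything after it up to the next section directive, which lies outside this hunk.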
15977@@ -697,7 +809,7 @@ fault_msg:
15978 .word 0 # 32 bit align gdt_desc.address
15979 boot_gdt_descr:
15980 .word __BOOT_DS+7
15981- .long boot_gdt - __PAGE_OFFSET
15982+ .long pa(boot_gdt)
15983
15984 .word 0 # 32-bit align idt_desc.address
15985 idt_descr:
15986@@ -708,7 +820,7 @@ idt_descr:
15987 .word 0 # 32 bit align gdt_desc.address
15988 ENTRY(early_gdt_descr)
15989 .word GDT_ENTRIES*8-1
15990- .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
15991+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
15992
15993 /*
15994 * The boot_gdt must mirror the equivalent in setup.S and is
15995@@ -717,5 +829,65 @@ ENTRY(early_gdt_descr)
15996 .align L1_CACHE_BYTES
15997 ENTRY(boot_gdt)
15998 .fill GDT_ENTRY_BOOT_CS,8,0
15999- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
16000- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
16001+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
16002+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
16003+
16004+ .align PAGE_SIZE_asm
16005+ENTRY(cpu_gdt_table)
16006+ .rept NR_CPUS
16007+ .quad 0x0000000000000000 /* NULL descriptor */
16008+ .quad 0x0000000000000000 /* 0x0b reserved */
16009+ .quad 0x0000000000000000 /* 0x13 reserved */
16010+ .quad 0x0000000000000000 /* 0x1b reserved */
16011+
16012+#ifdef CONFIG_PAX_KERNEXEC
16013+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
16014+#else
16015+ .quad 0x0000000000000000 /* 0x20 unused */
16016+#endif
16017+
16018+ .quad 0x0000000000000000 /* 0x28 unused */
16019+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
16020+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
16021+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
16022+ .quad 0x0000000000000000 /* 0x4b reserved */
16023+ .quad 0x0000000000000000 /* 0x53 reserved */
16024+ .quad 0x0000000000000000 /* 0x5b reserved */
16025+
16026+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
16027+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
16028+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
16029+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
16030+
16031+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
16032+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
16033+
16034+ /*
16035+ * Segments used for calling PnP BIOS have byte granularity.
16036+ * The code segments and data segments have fixed 64k limits,
16037+ * the transfer segment sizes are set at run time.
16038+ */
16039+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
16040+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
16041+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
16042+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
16043+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
16044+
16045+ /*
16046+ * The APM segments have byte granularity and their bases
16047+ * are set at run time. All have 64k limits.
16048+ */
16049+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
16050+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
16051+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
16052+
16053+ .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
16054+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
16055+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
16056+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
16057+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
16058+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
16059+
16060+ /* Be sure this is zeroed to avoid false validations in Xen */
16061+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
16062+ .endr
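Review bot: Nothing ties the 32 descriptors listed per `.rept` iteration to `GDT_ENTRIES`/`GDT_SIZE`. The padding `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` and the startup loops that step with `addl $PAGE_SIZE_asm,%edi` both assume each CPU's table occupies exactly one page. The 64-bit table in this patch carries `/* asm/segment.h:GDT_ENTRIES must match this */`. The same comment belongs here, ideally with an assemble-time size check after `.endr`. It would also help to say why the code and data descriptors change from 0x9a/0x92 to 0x9b/0x93, which pre-sets the accessed bit. Presumably this is so the CPU never has to write that bit back into a table that may be mapped read-only.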
16063diff -urNp linux-2.6.32.48/arch/x86/kernel/head_64.S linux-2.6.32.48/arch/x86/kernel/head_64.S
16064--- linux-2.6.32.48/arch/x86/kernel/head_64.S 2011-11-08 19:02:43.000000000 -0500
16065+++ linux-2.6.32.48/arch/x86/kernel/head_64.S 2011-11-15 19:59:43.000000000 -0500
16066@@ -19,6 +19,7 @@
16067 #include <asm/cache.h>
16068 #include <asm/processor-flags.h>
16069 #include <asm/percpu.h>
16070+#include <asm/cpufeature.h>
16071
16072 #ifdef CONFIG_PARAVIRT
16073 #include <asm/asm-offsets.h>
16074@@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
16075 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
16076 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
16077 L3_START_KERNEL = pud_index(__START_KERNEL_map)
16078+L4_VMALLOC_START = pgd_index(VMALLOC_START)
16079+L3_VMALLOC_START = pud_index(VMALLOC_START)
16080+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
16081+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
16082
16083 .text
16084 __HEAD
16085@@ -85,35 +90,22 @@ startup_64:
16086 */
16087 addq %rbp, init_level4_pgt + 0(%rip)
16088 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
16089+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
16090+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
16091 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
16092
16093 addq %rbp, level3_ident_pgt + 0(%rip)
16094+#ifndef CONFIG_XEN
16095+ addq %rbp, level3_ident_pgt + 8(%rip)
16096+#endif
16097
16098- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
16099- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
16100+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
16101
16102- addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16103+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
16104+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
16105
16106- /* Add an Identity mapping if I am above 1G */
16107- leaq _text(%rip), %rdi
16108- andq $PMD_PAGE_MASK, %rdi
16109-
16110- movq %rdi, %rax
16111- shrq $PUD_SHIFT, %rax
16112- andq $(PTRS_PER_PUD - 1), %rax
16113- jz ident_complete
16114-
16115- leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
16116- leaq level3_ident_pgt(%rip), %rbx
16117- movq %rdx, 0(%rbx, %rax, 8)
16118-
16119- movq %rdi, %rax
16120- shrq $PMD_SHIFT, %rax
16121- andq $(PTRS_PER_PMD - 1), %rax
16122- leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
16123- leaq level2_spare_pgt(%rip), %rbx
16124- movq %rdx, 0(%rbx, %rax, 8)
16125-ident_complete:
16126+ addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
16127+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
16128
16129 /*
16130 * Fixup the kernel text+data virtual addresses. Note that
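Review bot: The fixup `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` now targets a slot that the table hunk further down leaves empty. `level2_fixmap_pgt` becomes `.fill 507,8,0` followed by the `level1_vsyscall_pgt` entry, so index 506 is zero and only index 507 holds an address. %rbp appears to hold the load offset applied to every table entry here, so adding it to a zero entry leaves a stray non-zero value whenever that offset is not zero. Unless slot 506 is populated somewhere outside this view, the `506*8` line should be dropped and only `addq %rbp, level2_fixmap_pgt + (507*8)(%rip)` kept. startup_64 begins and ends outside the hunk.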
16131@@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
16132 * after the boot processor executes this code.
16133 */
16134
16135- /* Enable PAE mode and PGE */
16136- movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
16137+ /* Enable PAE mode and PSE/PGE */
16138+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16139 movq %rax, %cr4
16140
16141 /* Setup early boot stage 4 level pagetables. */
16142@@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
16143 movl $MSR_EFER, %ecx
16144 rdmsr
16145 btsl $_EFER_SCE, %eax /* Enable System Call */
16146- btl $20,%edi /* No Execute supported? */
16147+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
16148 jnc 1f
16149 btsl $_EFER_NX, %eax
16150+ leaq init_level4_pgt(%rip), %rdi
16151+ btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
16152+ btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
16153+ btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
16154 1: wrmsr /* Make changes effective */
16155
16156 /* Setup cr0 */
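Review bot: The three `btsq $_PAGE_BIT_NX, ...(%rdi)` stores run on every pass through secondary_startup_64, not only on the boot CPU, and they write to `init_level4_pgt`, which this patch places in `.rodata`. After the first CPU has set the bits the stores are redundant, but they are still memory writes. Whether they can fault on a later CPU bring-up depends on the page protections and CR0.WP state at this point, which the hunk does not show. A comment recording why the write is safe here, or a test of the bit before setting it, would remove the doubt. Note also that `leaq init_level4_pgt(%rip), %rdi` overwrites the feature word that `btl` has just tested in %edi.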
16157@@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
16158 .quad x86_64_start_kernel
16159 ENTRY(initial_gs)
16160 .quad INIT_PER_CPU_VAR(irq_stack_union)
16161- __FINITDATA
16162
16163 ENTRY(stack_start)
16164 .quad init_thread_union+THREAD_SIZE-8
16165 .word 0
16166+ __FINITDATA
16167
16168 bad_address:
16169 jmp bad_address
16170
16171- .section ".init.text","ax"
16172+ __INIT
16173 #ifdef CONFIG_EARLY_PRINTK
16174 .globl early_idt_handlers
16175 early_idt_handlers:
16176@@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
16177 #endif /* EARLY_PRINTK */
16178 1: hlt
16179 jmp 1b
16180+ .previous
16181
16182 #ifdef CONFIG_EARLY_PRINTK
16183+ __INITDATA
16184 early_recursion_flag:
16185 .long 0
16186+ .previous
16187
16188+ .section .rodata,"a",@progbits
16189 early_idt_msg:
16190 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
16191 early_idt_ripmsg:
16192 .asciz "RIP %s\n"
16193-#endif /* CONFIG_EARLY_PRINTK */
16194 .previous
16195+#endif /* CONFIG_EARLY_PRINTK */
16196
16197+ .section .rodata,"a",@progbits
16198 #define NEXT_PAGE(name) \
16199 .balign PAGE_SIZE; \
16200 ENTRY(name)
16201@@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
16202 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16203 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
16204 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16205+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
16206+ .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
16207+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
16208+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16209 .org init_level4_pgt + L4_START_KERNEL*8, 0
16210 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
16211 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
16212
16213+#ifdef CONFIG_PAX_PER_CPU_PGD
16214+NEXT_PAGE(cpu_pgd)
16215+ .rept NR_CPUS
16216+ .fill 512,8,0
16217+ .endr
16218+#endif
16219+
16220 NEXT_PAGE(level3_ident_pgt)
16221 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
16222+#ifdef CONFIG_XEN
16223 .fill 511,8,0
16224+#else
16225+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
16226+ .fill 510,8,0
16227+#endif
16228+
16229+NEXT_PAGE(level3_vmalloc_pgt)
16230+ .fill 512,8,0
16231+
16232+NEXT_PAGE(level3_vmemmap_pgt)
16233+ .fill L3_VMEMMAP_START,8,0
16234+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
16235
16236 NEXT_PAGE(level3_kernel_pgt)
16237 .fill L3_START_KERNEL,8,0
16238@@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
16239 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
16240 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16241
16242+NEXT_PAGE(level2_vmemmap_pgt)
16243+ .fill 512,8,0
16244+
16245 NEXT_PAGE(level2_fixmap_pgt)
16246- .fill 506,8,0
16247- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
16248- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
16249- .fill 5,8,0
16250+ .fill 507,8,0
16251+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
16252+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
16253+ .fill 4,8,0
16254
16255-NEXT_PAGE(level1_fixmap_pgt)
16256+NEXT_PAGE(level1_vsyscall_pgt)
16257 .fill 512,8,0
16258
16259-NEXT_PAGE(level2_ident_pgt)
16260- /* Since I easily can, map the first 1G.
16261+ /* Since I easily can, map the first 2G.
16262 * Don't set NX because code runs from these pages.
16263 */
16264- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
16265+NEXT_PAGE(level2_ident_pgt)
16266+ PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
16267
16268 NEXT_PAGE(level2_kernel_pgt)
16269 /*
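Review bot: `level2_ident_pgt` now maps a fixed first 2G (`2*PTRS_PER_PMD` entries, reached through two `level3_ident_pgt` slots). The startup_64 hunk above deletes the code that added an identity mapping at run time when the kernel was loaded higher, and `level2_spare_pgt` is removed with it. A kernel placed above 2G physical would then have no identity mapping during early boot. If the supported configurations cannot produce that case, say so in a comment next to `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)`. Under `CONFIG_XEN` the second `level3_ident_pgt` slot stays empty, so only the first half of the table is reachable there. That also merits a note, since the comment still says "map the first 2G".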
16270@@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
16271 * If you want to increase this then increase MODULES_VADDR
16272 * too.)
16273 */
16274- PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
16275- KERNEL_IMAGE_SIZE/PMD_SIZE)
16276-
16277-NEXT_PAGE(level2_spare_pgt)
16278- .fill 512, 8, 0
16279+ PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
16280
16281 #undef PMDS
16282 #undef NEXT_PAGE
16283
16284- .data
16285+ .align PAGE_SIZE
16286+ENTRY(cpu_gdt_table)
16287+ .rept NR_CPUS
16288+ .quad 0x0000000000000000 /* NULL descriptor */
16289+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
16290+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
16291+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
16292+ .quad 0x00cffb000000ffff /* __USER32_CS */
16293+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
16294+ .quad 0x00affb000000ffff /* __USER_CS */
16295+
16296+#ifdef CONFIG_PAX_KERNEXEC
16297+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
16298+#else
16299+ .quad 0x0 /* unused */
16300+#endif
16301+
16302+ .quad 0,0 /* TSS */
16303+ .quad 0,0 /* LDT */
16304+ .quad 0,0,0 /* three TLS descriptors */
16305+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
16306+ /* asm/segment.h:GDT_ENTRIES must match this */
16307+
16308+ /* zero the remaining page */
16309+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
16310+ .endr
16311+
16312 .align 16
16313 .globl early_gdt_descr
16314 early_gdt_descr:
16315 .word GDT_ENTRIES*8-1
16316 early_gdt_descr_base:
16317- .quad INIT_PER_CPU_VAR(gdt_page)
16318+ .quad cpu_gdt_table
16319
16320 ENTRY(phys_base)
16321 /* This must match the first entry in level2_kernel_pgt */
16322 .quad 0x0000000000000000
16323
16324 #include "../../x86/xen/xen-head.S"
16325-
16326- .section .bss, "aw", @nobits
16327+
16328+ .section .rodata,"a",@progbits
16329 .align L1_CACHE_BYTES
16330 ENTRY(idt_table)
16331- .skip IDT_ENTRIES * 16
16332+ .fill 512,8,0
16333
16334 __PAGE_ALIGNED_BSS
16335 .align PAGE_SIZE
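Review bot: `idt_table` is now sized with the literal `.fill 512,8,0`, which drops the link to `IDT_ENTRIES` that the removed `.skip IDT_ENTRIES * 16` had. `.fill IDT_ENTRIES * 2,8,0` keeps the size tied to the constant. The hunk also removes the `.data` directive, so `early_gdt_descr` and `phys_base` stay in whatever section is current. That would be `.rodata`, given the `.section .rodata` added before `NEXT_PAGE` earlier in this patch, unless a directive outside the visible hunks changes it. If either object is written at run time, the placement needs a comment explaining when that write is permitted.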
16336diff -urNp linux-2.6.32.48/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.48/arch/x86/kernel/i386_ksyms_32.c
16337--- linux-2.6.32.48/arch/x86/kernel/i386_ksyms_32.c 2011-11-08 19:02:43.000000000 -0500
16338+++ linux-2.6.32.48/arch/x86/kernel/i386_ksyms_32.c 2011-11-15 19:59:43.000000000 -0500
16339@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
16340 EXPORT_SYMBOL(cmpxchg8b_emu);
16341 #endif
16342
16343+EXPORT_SYMBOL_GPL(cpu_gdt_table);
16344+
16345 /* Networking helper routines. */
16346 EXPORT_SYMBOL(csum_partial_copy_generic);
16347+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
16348+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
16349
16350 EXPORT_SYMBOL(__get_user_1);
16351 EXPORT_SYMBOL(__get_user_2);
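Review bot: `EXPORT_SYMBOL_GPL(cpu_gdt_table)` gives loadable modules a direct reference to every CPU's descriptor table, and no comment names the consumer that needs it. A line such as `/* needed by <module>: per-CPU GDT is no longer a per-cpu variable */` with the real user filled in would justify the wider interface. The patch is also inconsistent in its export class: the next hunk exports `__LOAD_PHYSICAL_ADDR` with plain `EXPORT_SYMBOL`, as are the two new `csum_partial_copy_generic_*_user` symbols here. Exporting only to the modules that require it, and with the narrowest class that works, keeps the module-visible surface small.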
16352@@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
16353
16354 EXPORT_SYMBOL(csum_partial);
16355 EXPORT_SYMBOL(empty_zero_page);
16356+
16357+#ifdef CONFIG_PAX_KERNEXEC
16358+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
16359+#endif
16360diff -urNp linux-2.6.32.48/arch/x86/kernel/i8259.c linux-2.6.32.48/arch/x86/kernel/i8259.c
16361--- linux-2.6.32.48/arch/x86/kernel/i8259.c 2011-11-08 19:02:43.000000000 -0500
16362+++ linux-2.6.32.48/arch/x86/kernel/i8259.c 2011-11-15 19:59:43.000000000 -0500
16363@@ -208,7 +208,7 @@ spurious_8259A_irq:
16364 "spurious 8259A interrupt: IRQ%d.\n", irq);
16365 spurious_irq_mask |= irqmask;
16366 }
16367- atomic_inc(&irq_err_count);
16368+ atomic_inc_unchecked(&irq_err_count);
16369 /*
16370 * Theoretically we do not have to handle this IRQ,
16371 * but in Linux this does not cause problems and is
16372diff -urNp linux-2.6.32.48/arch/x86/kernel/init_task.c linux-2.6.32.48/arch/x86/kernel/init_task.c
16373--- linux-2.6.32.48/arch/x86/kernel/init_task.c 2011-11-08 19:02:43.000000000 -0500
16374+++ linux-2.6.32.48/arch/x86/kernel/init_task.c 2011-11-15 19:59:43.000000000 -0500
16375@@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
16376 * way process stacks are handled. This is done by having a special
16377 * "init_task" linker map entry..
16378 */
16379-union thread_union init_thread_union __init_task_data =
16380- { INIT_THREAD_INFO(init_task) };
16381+union thread_union init_thread_union __init_task_data;
16382
16383 /*
16384 * Initial task structure.
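Review bot: `init_thread_union` loses its `{ INIT_THREAD_INFO(init_task) }` initializer and is now zero-filled, but the comment block above it is left as it was. Where the boot task's thread_info gets its initial values after this change is not visible in this hunk. A one-line comment such as `/* stack storage only; the initial thread_info is set up in <location> */` would tell readers the missing initializer is deliberate.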
16385@@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
16386 * section. Since TSS's are completely CPU-local, we want them
16387 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
16388 */
16389-DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
16390-
16391+struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
16392+EXPORT_SYMBOL(init_tss);
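Review bot: The comment above still says the TSSs are wanted "on exact cacheline boundaries", but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns the array as a whole. Each element stays aligned only if `struct tss_struct` carries its own alignment, which is not visible here and should be confirmed or stated in the comment. The array is also sized by `NR_CPUS` rather than by the CPUs actually present. The new `EXPORT_SYMBOL(init_tss)` is not GPL-only, unlike the `cpu_gdt_table` export in i386_ksyms_32.c, and a note on which module needs the TSS would justify it.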
16393diff -urNp linux-2.6.32.48/arch/x86/kernel/ioport.c linux-2.6.32.48/arch/x86/kernel/ioport.c
16394--- linux-2.6.32.48/arch/x86/kernel/ioport.c 2011-11-08 19:02:43.000000000 -0500
16395+++ linux-2.6.32.48/arch/x86/kernel/ioport.c 2011-11-15 19:59:43.000000000 -0500
16396@@ -6,6 +6,7 @@
16397 #include <linux/sched.h>
16398 #include <linux/kernel.h>
16399 #include <linux/capability.h>
16400+#include <linux/security.h>
16401 #include <linux/errno.h>
16402 #include <linux/types.h>
16403 #include <linux/ioport.h>
16404@@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
16405
16406 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
16407 return -EINVAL;
16408+#ifdef CONFIG_GRKERNSEC_IO
16409+ if (turn_on && grsec_disable_privio) {
16410+ gr_handle_ioperm();
16411+ return -EPERM;
16412+ }
16413+#endif
16414 if (turn_on && !capable(CAP_SYS_RAWIO))
16415 return -EPERM;
16416
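Review bot: The `grsec_disable_privio` branch sits ahead of the `capable(CAP_SYS_RAWIO)` test, so a caller with no privilege at all reaches `gr_handle_ioperm()`. The do_iopl hunk below has the same ordering with `gr_handle_iopl()`. If those helpers write to the kernel log (their bodies are not on this page), any local process can generate log entries at will, so they need rate limiting or the check should follow the capability test. If the ordering is intentional, a comment would say so, for example `/* denied before the capability check on purpose: privileged I/O is off for everyone, root included */`. sys_ioperm starts before this hunk and continues after it.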
16417@@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
16418 * because the ->io_bitmap_max value must match the bitmap
16419 * contents:
16420 */
16421- tss = &per_cpu(init_tss, get_cpu());
16422+ tss = init_tss + get_cpu();
16423
16424 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
16425
16426@@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
16427 return -EINVAL;
16428 /* Trying to gain more privileges? */
16429 if (level > old) {
16430+#ifdef CONFIG_GRKERNSEC_IO
16431+ if (grsec_disable_privio) {
16432+ gr_handle_iopl();
16433+ return -EPERM;
16434+ }
16435+#endif
16436 if (!capable(CAP_SYS_RAWIO))
16437 return -EPERM;
16438 }
16439diff -urNp linux-2.6.32.48/arch/x86/kernel/irq_32.c linux-2.6.32.48/arch/x86/kernel/irq_32.c
16440--- linux-2.6.32.48/arch/x86/kernel/irq_32.c 2011-11-08 19:02:43.000000000 -0500
16441+++ linux-2.6.32.48/arch/x86/kernel/irq_32.c 2011-11-15 19:59:43.000000000 -0500
16442@@ -35,7 +35,7 @@ static int check_stack_overflow(void)
16443 __asm__ __volatile__("andl %%esp,%0" :
16444 "=r" (sp) : "0" (THREAD_SIZE - 1));
16445
16446- return sp < (sizeof(struct thread_info) + STACK_WARN);
16447+ return sp < STACK_WARN;
16448 }
16449
16450 static void print_stack_overflow(void)
16451@@ -54,9 +54,9 @@ static inline void print_stack_overflow(
16452 * per-CPU IRQ handling contexts (thread information and stack)
16453 */
16454 union irq_ctx {
16455- struct thread_info tinfo;
16456- u32 stack[THREAD_SIZE/sizeof(u32)];
16457-} __attribute__((aligned(PAGE_SIZE)));
16458+ unsigned long previous_esp;
16459+ u32 stack[THREAD_SIZE/sizeof(u32)];
16460+} __attribute__((aligned(THREAD_SIZE)));
16461
16462 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
16463 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
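Review bot: In the new `union irq_ctx`, `previous_esp` overlays `stack[0]`, the lowest word of the IRQ stack, and the alignment goes from `PAGE_SIZE` to `THREAD_SIZE`; neither choice is explained. Because the saved stack pointer sits at the far end of a downward-growing stack, an IRQ-stack overrun would overwrite it before anything else, which is worth stating for whoever reads `previous_esp` during a stack dump. I would add a comment on the member, e.g. `/* saved process esp; shares the lowest stack word */`, and one on the attribute saying which code relies on `THREAD_SIZE` alignment (presumably the `esp & (THREAD_SIZE - 1)` test in check_stack_overflow).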
16464@@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
16465 static inline int
16466 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
16467 {
16468- union irq_ctx *curctx, *irqctx;
16469+ union irq_ctx *irqctx;
16470 u32 *isp, arg1, arg2;
16471
16472- curctx = (union irq_ctx *) current_thread_info();
16473 irqctx = __get_cpu_var(hardirq_ctx);
16474
16475 /*
16476@@ -90,21 +89,16 @@ execute_on_irq_stack(int overflow, struc
16477 * handler) we can't do that and just have to keep using the
16478 * current stack (which is the irq stack already after all)
16479 */
16480- if (unlikely(curctx == irqctx))
16481+ if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
16482 return 0;
16483
16484 /* build the stack frame on the IRQ stack */
16485- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16486- irqctx->tinfo.task = curctx->tinfo.task;
16487- irqctx->tinfo.previous_esp = current_stack_pointer;
16488+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16489+ irqctx->previous_esp = current_stack_pointer;
16490
16491- /*
16492- * Copy the softirq bits in preempt_count so that the
16493- * softirq checks work in the hardirq context.
16494- */
16495- irqctx->tinfo.preempt_count =
16496- (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
16497- (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
16498+#ifdef CONFIG_PAX_MEMORY_UDEREF
16499+ __set_fs(MAKE_MM_SEG(0));
16500+#endif
16501
16502 if (unlikely(overflow))
16503 call_on_stack(print_stack_overflow, isp);
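Review bot: `isp` is now `sizeof(*irqctx) - 8` with no explanation of the 8 bytes left at the top of the IRQ stack, and the same literal appears again in the do_softirq hunk further down. A named constant or a comment saying what those bytes are reserved for would keep the two sites in step. Separately, `(void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE` rejects a stack pointer below `irqctx` only because the signed difference is converted to unsigned for the comparison, which depends on the type of `THREAD_SIZE`. Writing it as `(unsigned long)current_stack_pointer - (unsigned long)irqctx < THREAD_SIZE` makes the wrap-around explicit. execute_on_irq_stack starts before this hunk and continues after it.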
16504@@ -116,6 +110,11 @@ execute_on_irq_stack(int overflow, struc
16505 : "0" (irq), "1" (desc), "2" (isp),
16506 "D" (desc->handle_irq)
16507 : "memory", "cc", "ecx");
16508+
16509+#ifdef CONFIG_PAX_MEMORY_UDEREF
16510+ __set_fs(current_thread_info()->addr_limit);
16511+#endif
16512+
16513 return 1;
16514 }
16515
16516@@ -124,28 +123,11 @@ execute_on_irq_stack(int overflow, struc
16517 */
16518 void __cpuinit irq_ctx_init(int cpu)
16519 {
16520- union irq_ctx *irqctx;
16521-
16522 if (per_cpu(hardirq_ctx, cpu))
16523 return;
16524
16525- irqctx = &per_cpu(hardirq_stack, cpu);
16526- irqctx->tinfo.task = NULL;
16527- irqctx->tinfo.exec_domain = NULL;
16528- irqctx->tinfo.cpu = cpu;
16529- irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
16530- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16531-
16532- per_cpu(hardirq_ctx, cpu) = irqctx;
16533-
16534- irqctx = &per_cpu(softirq_stack, cpu);
16535- irqctx->tinfo.task = NULL;
16536- irqctx->tinfo.exec_domain = NULL;
16537- irqctx->tinfo.cpu = cpu;
16538- irqctx->tinfo.preempt_count = 0;
16539- irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
16540-
16541- per_cpu(softirq_ctx, cpu) = irqctx;
16542+ per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
16543+ per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
16544
16545 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
16546 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
16547@@ -159,7 +141,6 @@ void irq_ctx_exit(int cpu)
16548 asmlinkage void do_softirq(void)
16549 {
16550 unsigned long flags;
16551- struct thread_info *curctx;
16552 union irq_ctx *irqctx;
16553 u32 *isp;
16554
16555@@ -169,15 +150,22 @@ asmlinkage void do_softirq(void)
16556 local_irq_save(flags);
16557
16558 if (local_softirq_pending()) {
16559- curctx = current_thread_info();
16560 irqctx = __get_cpu_var(softirq_ctx);
16561- irqctx->tinfo.task = curctx->task;
16562- irqctx->tinfo.previous_esp = current_stack_pointer;
16563+ irqctx->previous_esp = current_stack_pointer;
16564
16565 /* build the stack frame on the softirq stack */
16566- isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
16567+ isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
16568+
16569+#ifdef CONFIG_PAX_MEMORY_UDEREF
16570+ __set_fs(MAKE_MM_SEG(0));
16571+#endif
16572
16573 call_on_stack(__do_softirq, isp);
16574+
16575+#ifdef CONFIG_PAX_MEMORY_UDEREF
16576+ __set_fs(current_thread_info()->addr_limit);
16577+#endif
16578+
16579 /*
16580 * Shouldnt happen, we returned above if in_interrupt():
16581 */
16582diff -urNp linux-2.6.32.48/arch/x86/kernel/irq.c linux-2.6.32.48/arch/x86/kernel/irq.c
16583--- linux-2.6.32.48/arch/x86/kernel/irq.c 2011-11-08 19:02:43.000000000 -0500
16584+++ linux-2.6.32.48/arch/x86/kernel/irq.c 2011-11-15 19:59:43.000000000 -0500
16585@@ -15,7 +15,7 @@
16586 #include <asm/mce.h>
16587 #include <asm/hw_irq.h>
16588
16589-atomic_t irq_err_count;
16590+atomic_unchecked_t irq_err_count;
16591
16592 /* Function pointer for generic interrupt vector handling */
16593 void (*generic_interrupt_extension)(void) = NULL;
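Review bot: `irq_err_count` becomes `atomic_unchecked_t` without a comment saying why overflow checking is not wanted for it. From its uses on this page (incremented on spurious 8259A interrupts, printed as `ERR`, summed in arch_irq_stat) it looks like a statistics counter where wrap-around is harmless. A comment such as `/* statistics only, may wrap: deliberately exempt from overflow checking */` above the declaration would record that. The later hunks in this file also read `irq_mis_count` through `atomic_read_unchecked()`; its declaration is not in this file, so its type needs the same conversion where it is defined.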
16594@@ -114,9 +114,9 @@ static int show_other_interrupts(struct
16595 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
16596 seq_printf(p, " Machine check polls\n");
16597 #endif
16598- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
16599+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
16600 #if defined(CONFIG_X86_IO_APIC)
16601- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
16602+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
16603 #endif
16604 return 0;
16605 }
16606@@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
16607
16608 u64 arch_irq_stat(void)
16609 {
16610- u64 sum = atomic_read(&irq_err_count);
16611+ u64 sum = atomic_read_unchecked(&irq_err_count);
16612
16613 #ifdef CONFIG_X86_IO_APIC
16614- sum += atomic_read(&irq_mis_count);
16615+ sum += atomic_read_unchecked(&irq_mis_count);
16616 #endif
16617 return sum;
16618 }
16619diff -urNp linux-2.6.32.48/arch/x86/kernel/kgdb.c linux-2.6.32.48/arch/x86/kernel/kgdb.c
16620--- linux-2.6.32.48/arch/x86/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
16621+++ linux-2.6.32.48/arch/x86/kernel/kgdb.c 2011-11-15 19:59:43.000000000 -0500
16622@@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
16623
16624 /* clear the trace bit */
16625 linux_regs->flags &= ~X86_EFLAGS_TF;
16626- atomic_set(&kgdb_cpu_doing_single_step, -1);
16627+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
16628
16629 /* set the trace bit if we're stepping */
16630 if (remcomInBuffer[0] == 's') {
16631 linux_regs->flags |= X86_EFLAGS_TF;
16632 kgdb_single_step = 1;
16633- atomic_set(&kgdb_cpu_doing_single_step,
16634+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
16635 raw_smp_processor_id());
16636 }
16637
16638@@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
16639 break;
16640
16641 case DIE_DEBUG:
16642- if (atomic_read(&kgdb_cpu_doing_single_step) ==
16643+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
16644 raw_smp_processor_id()) {
16645 if (user_mode(regs))
16646 return single_step_cont(regs, args);
16647@@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
16648 return instruction_pointer(regs);
16649 }
16650
16651-struct kgdb_arch arch_kgdb_ops = {
16652+const struct kgdb_arch arch_kgdb_ops = {
16653 /* Breakpoint instruction: */
16654 .gdb_bpt_instr = { 0xcc },
16655 .flags = KGDB_HW_BREAKPOINT,
16656diff -urNp linux-2.6.32.48/arch/x86/kernel/kprobes.c linux-2.6.32.48/arch/x86/kernel/kprobes.c
16657--- linux-2.6.32.48/arch/x86/kernel/kprobes.c 2011-11-08 19:02:43.000000000 -0500
16658+++ linux-2.6.32.48/arch/x86/kernel/kprobes.c 2011-11-18 18:01:52.000000000 -0500
16659@@ -168,9 +168,13 @@ static void __kprobes set_jmp_op(void *f
16660 char op;
16661 s32 raddr;
16662 } __attribute__((packed)) * jop;
16663- jop = (struct __arch_jmp_op *)from;
16664+
16665+ jop = (struct __arch_jmp_op *)(ktla_ktva(from));
16666+
16667+ pax_open_kernel();
16668 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
16669 jop->op = RELATIVEJUMP_INSTRUCTION;
16670+ pax_close_kernel();
16671 }
16672
16673 /*
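Review bot: `ktla_ktva()` is given a `void *` here, a `kprobe_opcode_t *` in arch_copy_kprobe, and an `unsigned long` with a cast on the result in kprobe_handler, so the helper is being used as if it were type-generic. Its definition is not on this page; if it is plain integer arithmetic in a macro, the pointer call sites depend on implicit conversions. Settling on one convention, such as casting to `unsigned long` on the way in and back on the way out as kprobe_handler does, would make every site check the same way. It is also worth a comment that `raddr` is still computed from the untranslated `from` while the store goes through the translated alias, presumably because the jump executes at the original address. set_jmp_op starts before this hunk.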
16674@@ -195,7 +199,7 @@ static int __kprobes can_boost(kprobe_op
16675 kprobe_opcode_t opcode;
16676 kprobe_opcode_t *orig_opcodes = opcodes;
16677
16678- if (search_exception_tables((unsigned long)opcodes))
16679+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
16680 return 0; /* Page fault may occur on this address. */
16681
16682 retry:
16683@@ -339,7 +343,9 @@ static void __kprobes fix_riprel(struct
16684 disp = (u8 *) p->addr + *((s32 *) insn) -
16685 (u8 *) p->ainsn.insn;
16686 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
16687+ pax_open_kernel();
16688 *(s32 *)insn = (s32) disp;
16689+ pax_close_kernel();
16690 }
16691 }
16692 #endif
16693@@ -347,16 +353,18 @@ static void __kprobes fix_riprel(struct
16694
16695 static void __kprobes arch_copy_kprobe(struct kprobe *p)
16696 {
16697- memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16698+ pax_open_kernel();
16699+ memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
16700+ pax_close_kernel();
16701
16702 fix_riprel(p);
16703
16704- if (can_boost(p->addr))
16705+ if (can_boost(ktla_ktva(p->addr)))
16706 p->ainsn.boostable = 0;
16707 else
16708 p->ainsn.boostable = -1;
16709
16710- p->opcode = *p->addr;
16711+ p->opcode = *(ktla_ktva(p->addr));
16712 }
16713
16714 int __kprobes arch_prepare_kprobe(struct kprobe *p)
16715@@ -434,7 +442,7 @@ static void __kprobes prepare_singlestep
16716 if (p->opcode == BREAKPOINT_INSTRUCTION)
16717 regs->ip = (unsigned long)p->addr;
16718 else
16719- regs->ip = (unsigned long)p->ainsn.insn;
16720+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16721 }
16722
16723 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
16724@@ -455,7 +463,7 @@ static void __kprobes setup_singlestep(s
16725 if (p->ainsn.boostable == 1 && !p->post_handler) {
16726 /* Boost up -- we can execute copied instructions directly */
16727 reset_current_kprobe();
16728- regs->ip = (unsigned long)p->ainsn.insn;
16729+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
16730 preempt_enable_no_resched();
16731 return;
16732 }
16733@@ -525,7 +533,7 @@ static int __kprobes kprobe_handler(stru
16734 struct kprobe_ctlblk *kcb;
16735
16736 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
16737- if (*addr != BREAKPOINT_INSTRUCTION) {
16738+ if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
16739 /*
16740 * The breakpoint instruction was removed right
16741 * after we hit it. Another cpu has removed
16742@@ -637,6 +645,9 @@ static void __used __kprobes kretprobe_t
16743 /* Skip orig_ax, ip, cs */
16744 " addq $24, %rsp\n"
16745 " popfq\n"
16746+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN
16747+ " btsq $63,(%rsp)\n"
16748+#endif
16749 #else
16750 " pushf\n"
16751 /*
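Review bot: The added `btsq $63,(%rsp)` has no comment, and inside a hand-written register-restore sequence its purpose is not obvious. It sets bit 63 of the quadword at the top of the stack, which at that point should be the return address the trampoline is about to use. Presumably this matches how code built with the KERNEXEC plugin tags return addresses. An asm comment along the lines of `/* set bit 63 of the return address, as KERNEXEC_PLUGIN-instrumented code expects */` would do, with the wording confirmed against the plugin. The trampoline body starts and ends outside this hunk.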
16752@@ -777,7 +788,7 @@ static void __kprobes resume_execution(s
16753 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
16754 {
16755 unsigned long *tos = stack_addr(regs);
16756- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
16757+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
16758 unsigned long orig_ip = (unsigned long)p->addr;
16759 kprobe_opcode_t *insn = p->ainsn.insn;
16760
16761@@ -960,7 +971,7 @@ int __kprobes kprobe_exceptions_notify(s
16762 struct die_args *args = data;
16763 int ret = NOTIFY_DONE;
16764
16765- if (args->regs && user_mode_vm(args->regs))
16766+ if (args->regs && user_mode(args->regs))
16767 return ret;
16768
16769 switch (val) {
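Review bot: Replacing `user_mode_vm()` with `user_mode()` changes this early return on 32-bit unless `user_mode()` is redefined elsewhere in the patch. In the mainline headers of this kernel version only `user_mode_vm()` also treats a vm86 task (VM flag set in `flags`) as user mode. If such a redefinition exists, a short comment here pointing at it would save the next reader the lookup. If it does not, events raised from vm86 mode would no longer return `NOTIFY_DONE` at this point. The function starts before the hunk and continues after it.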
16770diff -urNp linux-2.6.32.48/arch/x86/kernel/kvm.c linux-2.6.32.48/arch/x86/kernel/kvm.c
16771--- linux-2.6.32.48/arch/x86/kernel/kvm.c 2011-11-08 19:02:43.000000000 -0500
16772+++ linux-2.6.32.48/arch/x86/kernel/kvm.c 2011-11-15 19:59:43.000000000 -0500
16773@@ -216,6 +216,7 @@ static void __init paravirt_ops_setup(vo
16774 pv_mmu_ops.set_pud = kvm_set_pud;
16775 #if PAGETABLE_LEVELS == 4
16776 pv_mmu_ops.set_pgd = kvm_set_pgd;
16777+ pv_mmu_ops.set_pgd_batched = kvm_set_pgd;
16778 #endif
16779 #endif
16780 pv_mmu_ops.flush_tlb_user = kvm_flush_tlb;
16781diff -urNp linux-2.6.32.48/arch/x86/kernel/ldt.c linux-2.6.32.48/arch/x86/kernel/ldt.c
16782--- linux-2.6.32.48/arch/x86/kernel/ldt.c 2011-11-08 19:02:43.000000000 -0500
16783+++ linux-2.6.32.48/arch/x86/kernel/ldt.c 2011-11-15 19:59:43.000000000 -0500
16784@@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
16785 if (reload) {
16786 #ifdef CONFIG_SMP
16787 preempt_disable();
16788- load_LDT(pc);
16789+ load_LDT_nolock(pc);
16790 if (!cpumask_equal(mm_cpumask(current->mm),
16791 cpumask_of(smp_processor_id())))
16792 smp_call_function(flush_ldt, current->mm, 1);
16793 preempt_enable();
16794 #else
16795- load_LDT(pc);
16796+ load_LDT_nolock(pc);
16797 #endif
16798 }
16799 if (oldsize) {
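Review bot: In the `#else` (uniprocessor) branch, `load_LDT_nolock(pc)` is now called with no preemption guard, while the SMP branch above wraps the same call in `preempt_disable()`/`preempt_enable()`. In mainline of this version `load_LDT()` is the wrapper that disables preemption around `load_LDT_nolock()`. Unless this patch changes those helpers elsewhere, the UP path on a preemptible kernel loses that guard. Either keep `load_LDT(pc);` in the `#else` branch or add a comment explaining why the unguarded call is safe there. alloc_ldt starts and ends outside this hunk.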
16800@@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
16801 return err;
16802
16803 for (i = 0; i < old->size; i++)
16804- write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
16805+ write_ldt_entry(new->ldt, i, old->ldt + i);
16806 return 0;
16807 }
16808
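Review bot: Dropping `* LDT_ENTRY_SIZE` is correct only if `old->ldt` is now a pointer to descriptor-sized elements. With a byte-addressed pointer, `old->ldt + i` would advance one byte per entry and copy overlapping garbage into the new LDT. The type change to `mm_context_t` is not in this file, so it should be confirmed that it ships in the same patch. A typed local would make the dependency visible at this site, e.g. `const struct desc_struct *src = old->ldt;`, assuming that is the new element type.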
16809@@ -115,6 +115,24 @@ int init_new_context(struct task_struct
16810 retval = copy_ldt(&mm->context, &old_mm->context);
16811 mutex_unlock(&old_mm->context.lock);
16812 }
16813+
16814+ if (tsk == current) {
16815+ mm->context.vdso = 0;
16816+
16817+#ifdef CONFIG_X86_32
16818+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
16819+ mm->context.user_cs_base = 0UL;
16820+ mm->context.user_cs_limit = ~0UL;
16821+
16822+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
16823+ cpus_clear(mm->context.cpu_user_cs_mask);
16824+#endif
16825+
16826+#endif
16827+#endif
16828+
16829+ }
16830+
16831 return retval;
16832 }
16833
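Review bot: The new `if (tsk == current)` block resets `vdso`, `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` without saying which caller it targets or why the other case must keep the values. A one-line comment above the `if` stating the case it covers would help, for example `/* new mm for the current task: start from clean PaX state */` if that is the intent. The three nested `#if` levels would also read better with the condition repeated on each `#endif`, e.g. `#endif /* CONFIG_X86_32 */`. init_new_context starts before this hunk.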
16834@@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
16835 }
16836 }
16837
16838+#ifdef CONFIG_PAX_SEGMEXEC
16839+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
16840+ error = -EINVAL;
16841+ goto out_unlock;
16842+ }
16843+#endif
16844+
16845 fill_ldt(&ldt, &ldt_info);
16846 if (oldmode)
16847 ldt.avl = 0;
16848diff -urNp linux-2.6.32.48/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.48/arch/x86/kernel/machine_kexec_32.c
16849--- linux-2.6.32.48/arch/x86/kernel/machine_kexec_32.c 2011-11-08 19:02:43.000000000 -0500
16850+++ linux-2.6.32.48/arch/x86/kernel/machine_kexec_32.c 2011-11-15 19:59:43.000000000 -0500
16851@@ -26,7 +26,7 @@
16852 #include <asm/system.h>
16853 #include <asm/cacheflush.h>
16854
16855-static void set_idt(void *newidt, __u16 limit)
16856+static void set_idt(struct desc_struct *newidt, __u16 limit)
16857 {
16858 struct desc_ptr curidt;
16859
16860@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
16861 }
16862
16863
16864-static void set_gdt(void *newgdt, __u16 limit)
16865+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
16866 {
16867 struct desc_ptr curgdt;
16868
16869@@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
16870 }
16871
16872 control_page = page_address(image->control_code_page);
16873- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
16874+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
16875
16876 relocate_kernel_ptr = control_page;
16877 page_list[PA_CONTROL_PAGE] = __pa(control_page);
16878diff -urNp linux-2.6.32.48/arch/x86/kernel/microcode_amd.c linux-2.6.32.48/arch/x86/kernel/microcode_amd.c
16879--- linux-2.6.32.48/arch/x86/kernel/microcode_amd.c 2011-11-08 19:02:43.000000000 -0500
16880+++ linux-2.6.32.48/arch/x86/kernel/microcode_amd.c 2011-11-15 19:59:43.000000000 -0500
16881@@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
16882 uci->mc = NULL;
16883 }
16884
16885-static struct microcode_ops microcode_amd_ops = {
16886+static const struct microcode_ops microcode_amd_ops = {
16887 .request_microcode_user = request_microcode_user,
16888 .request_microcode_fw = request_microcode_fw,
16889 .collect_cpu_info = collect_cpu_info_amd,
16890@@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
16891 .microcode_fini_cpu = microcode_fini_cpu_amd,
16892 };
16893
16894-struct microcode_ops * __init init_amd_microcode(void)
16895+const struct microcode_ops * __init init_amd_microcode(void)
16896 {
16897 return &microcode_amd_ops;
16898 }
16899diff -urNp linux-2.6.32.48/arch/x86/kernel/microcode_core.c linux-2.6.32.48/arch/x86/kernel/microcode_core.c
16900--- linux-2.6.32.48/arch/x86/kernel/microcode_core.c 2011-11-08 19:02:43.000000000 -0500
16901+++ linux-2.6.32.48/arch/x86/kernel/microcode_core.c 2011-11-15 19:59:43.000000000 -0500
16902@@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
16903
16904 #define MICROCODE_VERSION "2.00"
16905
16906-static struct microcode_ops *microcode_ops;
16907+static const struct microcode_ops *microcode_ops;
16908
16909 /*
16910 * Synchronization.
16911diff -urNp linux-2.6.32.48/arch/x86/kernel/microcode_intel.c linux-2.6.32.48/arch/x86/kernel/microcode_intel.c
16912--- linux-2.6.32.48/arch/x86/kernel/microcode_intel.c 2011-11-08 19:02:43.000000000 -0500
16913+++ linux-2.6.32.48/arch/x86/kernel/microcode_intel.c 2011-11-15 19:59:43.000000000 -0500
16914@@ -443,13 +443,13 @@ static enum ucode_state request_microcod
16915
16916 static int get_ucode_user(void *to, const void *from, size_t n)
16917 {
16918- return copy_from_user(to, from, n);
16919+ return copy_from_user(to, (const void __force_user *)from, n);
16920 }
16921
16922 static enum ucode_state
16923 request_microcode_user(int cpu, const void __user *buf, size_t size)
16924 {
16925- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
16926+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
16927 }
16928
16929 static void microcode_fini_cpu(int cpu)
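Review bot: The two casts pass a `__user` pointer through a kernel-typed `void *`: `(__force_kernel void *)buf` going into generic_load_microcode, then `(const void __force_user *)from` coming back out in get_ucode_user. That is safe only while generic_load_microcode never dereferences its data argument directly and always reads through the callback. Its body is not visible here, so this needs checking. A comment on request_microcode_user would record the rule, e.g. `/* buf is still a user pointer; it must only be read through get_ucode_user() */`. Without it, the `__force` annotations simply silence the checker at the one place where a mix-up would matter.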
16930@@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
16931 uci->mc = NULL;
16932 }
16933
16934-static struct microcode_ops microcode_intel_ops = {
16935+static const struct microcode_ops microcode_intel_ops = {
16936 .request_microcode_user = request_microcode_user,
16937 .request_microcode_fw = request_microcode_fw,
16938 .collect_cpu_info = collect_cpu_info,
16939@@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
16940 .microcode_fini_cpu = microcode_fini_cpu,
16941 };
16942
16943-struct microcode_ops * __init init_intel_microcode(void)
16944+const struct microcode_ops * __init init_intel_microcode(void)
16945 {
16946 return &microcode_intel_ops;
16947 }
16948diff -urNp linux-2.6.32.48/arch/x86/kernel/module.c linux-2.6.32.48/arch/x86/kernel/module.c
16949--- linux-2.6.32.48/arch/x86/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
16950+++ linux-2.6.32.48/arch/x86/kernel/module.c 2011-11-15 19:59:43.000000000 -0500
16951@@ -34,7 +34,7 @@
16952 #define DEBUGP(fmt...)
16953 #endif
16954
16955-void *module_alloc(unsigned long size)
16956+static void *__module_alloc(unsigned long size, pgprot_t prot)
16957 {
16958 struct vm_struct *area;
16959
16960@@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
16961 if (!area)
16962 return NULL;
16963
16964- return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
16965- PAGE_KERNEL_EXEC);
16966+ return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
16967+}
16968+
16969+void *module_alloc(unsigned long size)
16970+{
16971+
16972+#ifdef CONFIG_PAX_KERNEXEC
16973+ return __module_alloc(size, PAGE_KERNEL);
16974+#else
16975+ return __module_alloc(size, PAGE_KERNEL_EXEC);
16976+#endif
16977+
16978 }
16979
16980 /* Free memory returned from module_alloc */
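Review bot: `__GFP_ZERO` is added to the allocation flags for every configuration, not just under `CONFIG_PAX_KERNEXEC`, and nothing records that module memory is now zeroed on purpose. A short comment on the `__vmalloc_area()` call would stop a later cleanup from dropping the flag, for example `/* zero the region so stale kernel data never shows up in module memory */`; that reason is my reading and should be confirmed. The empty lines after `{` and before `}` in the new `module_alloc()` can go. `__module_alloc()` starts in the previous hunk.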
16981@@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
16982 vfree(module_region);
16983 }
16984
16985+#ifdef CONFIG_PAX_KERNEXEC
16986+#ifdef CONFIG_X86_32
16987+void *module_alloc_exec(unsigned long size)
16988+{
16989+ struct vm_struct *area;
16990+
16991+ if (size == 0)
16992+ return NULL;
16993+
16994+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
16995+ return area ? area->addr : NULL;
16996+}
16997+EXPORT_SYMBOL(module_alloc_exec);
16998+
16999+void module_free_exec(struct module *mod, void *module_region)
17000+{
17001+ vunmap(module_region);
17002+}
17003+EXPORT_SYMBOL(module_free_exec);
17004+#else
17005+void module_free_exec(struct module *mod, void *module_region)
17006+{
17007+ module_free(mod, module_region);
17008+}
17009+EXPORT_SYMBOL(module_free_exec);
17010+
17011+void *module_alloc_exec(unsigned long size)
17012+{
17013+ return __module_alloc(size, PAGE_KERNEL_RX);
17014+}
17015+EXPORT_SYMBOL(module_alloc_exec);
17016+#endif
17017+#endif
17018+
17019 /* We don't need anything special. */
17020 int module_frob_arch_sections(Elf_Ehdr *hdr,
17021 Elf_Shdr *sechdrs,
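Review bot: On 32-bit, `module_alloc_exec()` only reserves a range with `__get_vm_area()` and returns `area->addr`. Unlike `__module_alloc()` it maps no pages in this function, and the matching `module_free_exec()` releases the range with `vunmap()` and ignores `mod`. Whether the range between `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` is already backed by memory is not visible here. A comment above the function should say what backs the range and with which permissions, so callers know what they may do with the returned pointer. It would also help to note why the bounds are taken by address (`&MODULES_EXEC_VADDR`), which suggests linker-defined symbols rather than constants.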
17022@@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17023 unsigned int i;
17024 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
17025 Elf32_Sym *sym;
17026- uint32_t *location;
17027+ uint32_t *plocation, location;
17028
17029 DEBUGP("Applying relocate section %u to %u\n", relsec,
17030 sechdrs[relsec].sh_info);
17031 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
17032 /* This is where to make the change */
17033- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
17034- + rel[i].r_offset;
17035+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
17036+ location = (uint32_t)plocation;
17037+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
17038+ plocation = ktla_ktva((void *)plocation);
17039 /* This is the symbol it is referring to. Note that all
17040 undefined symbols have been resolved. */
17041 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
17042@@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
17043 switch (ELF32_R_TYPE(rel[i].r_info)) {
17044 case R_386_32:
17045 /* We add the value into the location given */
17046- *location += sym->st_value;
17047+ pax_open_kernel();
17048+ *plocation += sym->st_value;
17049+ pax_close_kernel();
17050 break;
17051 case R_386_PC32:
17052 /* Add the value, subtract its postition */
17053- *location += sym->st_value - (uint32_t)location;
17054+ pax_open_kernel();
17055+ *plocation += sym->st_value - location;
17056+ pax_close_kernel();
17057 break;
17058 default:
17059 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
17060@@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
17061 case R_X86_64_NONE:
17062 break;
17063 case R_X86_64_64:
17064+ pax_open_kernel();
17065 *(u64 *)loc = val;
17066+ pax_close_kernel();
17067 break;
17068 case R_X86_64_32:
17069+ pax_open_kernel();
17070 *(u32 *)loc = val;
17071+ pax_close_kernel();
17072 if (val != *(u32 *)loc)
17073 goto overflow;
17074 break;
17075 case R_X86_64_32S:
17076+ pax_open_kernel();
17077 *(s32 *)loc = val;
17078+ pax_close_kernel();
17079 if ((s64)val != *(s32 *)loc)
17080 goto overflow;
17081 break;
17082 case R_X86_64_PC32:
17083 val -= (u64)loc;
17084+ pax_open_kernel();
17085 *(u32 *)loc = val;
17086+ pax_close_kernel();
17087+
17088 #if 0
17089 if ((s64)val != *(s32 *)loc)
17090 goto overflow;
17091diff -urNp linux-2.6.32.48/arch/x86/kernel/paravirt.c linux-2.6.32.48/arch/x86/kernel/paravirt.c
17092--- linux-2.6.32.48/arch/x86/kernel/paravirt.c 2011-11-08 19:02:43.000000000 -0500
17093+++ linux-2.6.32.48/arch/x86/kernel/paravirt.c 2011-11-15 19:59:43.000000000 -0500
17094@@ -53,6 +53,9 @@ u64 _paravirt_ident_64(u64 x)
17095 {
17096 return x;
17097 }
17098+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17099+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
17100+#endif
17101
17102 void __init default_banner(void)
17103 {
17104@@ -122,7 +125,7 @@ unsigned paravirt_patch_jmp(void *insnbu
17105 * corresponding structure. */
17106 static void *get_call_destination(u8 type)
17107 {
17108- struct paravirt_patch_template tmpl = {
17109+ const struct paravirt_patch_template tmpl = {
17110 .pv_init_ops = pv_init_ops,
17111 .pv_time_ops = pv_time_ops,
17112 .pv_cpu_ops = pv_cpu_ops,
17113@@ -133,6 +136,8 @@ static void *get_call_destination(u8 typ
17114 .pv_lock_ops = pv_lock_ops,
17115 #endif
17116 };
17117+
17118+ pax_track_stack();
17119 return *((void **)&tmpl + type);
17120 }
17121
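Review bot: `tmpl` is declared `const` in the previous hunk, but the return statement still reads it through `(void **)&tmpl`, which casts the qualifier away. `return *((void * const *)&tmpl + type);` keeps the access consistent with the declaration and avoids a cast-qualifier warning. The purpose of `pax_track_stack()` directly before the return is also not stated; a short comment on why this function needs it would help. The function starts in the previous hunk and ends in this one.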
17122@@ -145,15 +150,19 @@ unsigned paravirt_patch_default(u8 type,
17123 if (opfunc == NULL)
17124 /* If there's no function, patch it with a ud2a (BUG) */
17125 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
17126- else if (opfunc == _paravirt_nop)
17127+ else if (opfunc == (void *)_paravirt_nop)
17128 /* If the operation is a nop, then nop the callsite */
17129 ret = paravirt_patch_nop();
17130
17131 /* identity functions just return their single argument */
17132- else if (opfunc == _paravirt_ident_32)
17133+ else if (opfunc == (void *)_paravirt_ident_32)
17134 ret = paravirt_patch_ident_32(insnbuf, len);
17135- else if (opfunc == _paravirt_ident_64)
17136+ else if (opfunc == (void *)_paravirt_ident_64)
17137+ ret = paravirt_patch_ident_64(insnbuf, len);
17138+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
17139+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
17140 ret = paravirt_patch_ident_64(insnbuf, len);
17141+#endif
17142
17143 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
17144 type == PARAVIRT_PATCH(pv_cpu_ops.irq_enable_sysexit) ||
17145@@ -178,7 +187,7 @@ unsigned paravirt_patch_insns(void *insn
17146 if (insn_len > len || start == NULL)
17147 insn_len = len;
17148 else
17149- memcpy(insnbuf, start, insn_len);
17150+ memcpy(insnbuf, ktla_ktva(start), insn_len);
17151
17152 return insn_len;
17153 }
17154@@ -294,22 +303,22 @@ void arch_flush_lazy_mmu_mode(void)
17155 preempt_enable();
17156 }
17157
17158-struct pv_info pv_info = {
17159+struct pv_info pv_info __read_only = {
17160 .name = "bare hardware",
17161 .paravirt_enabled = 0,
17162 .kernel_rpl = 0,
17163 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
17164 };
17165
17166-struct pv_init_ops pv_init_ops = {
17167+struct pv_init_ops pv_init_ops __read_only = {
17168 .patch = native_patch,
17169 };
17170
17171-struct pv_time_ops pv_time_ops = {
17172+struct pv_time_ops pv_time_ops __read_only = {
17173 .sched_clock = native_sched_clock,
17174 };
17175
17176-struct pv_irq_ops pv_irq_ops = {
17177+struct pv_irq_ops pv_irq_ops __read_only = {
17178 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
17179 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
17180 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
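Review bot: The pv_* tables are tagged `__read_only` here, yet code elsewhere in this patch still assigns to them directly, for example `pv_mmu_ops.set_pgd_batched = kvm_set_pgd;` in paravirt_ops_setup() in kvm.c. That works only if every such writer runs before the section is write-protected, and when that happens is not visible on this page. A comment at the first declaration would state the rule, e.g. `/* written only during early boot; later updates must go through pax_open_kernel() */`. The same applies to the `pv_cpu_ops`, `pv_apic_ops`, `pv_mmu_ops` and `pv_lock_ops` hunks that follow.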
17181@@ -321,7 +330,7 @@ struct pv_irq_ops pv_irq_ops = {
17182 #endif
17183 };
17184
17185-struct pv_cpu_ops pv_cpu_ops = {
17186+struct pv_cpu_ops pv_cpu_ops __read_only = {
17187 .cpuid = native_cpuid,
17188 .get_debugreg = native_get_debugreg,
17189 .set_debugreg = native_set_debugreg,
17190@@ -382,21 +391,26 @@ struct pv_cpu_ops pv_cpu_ops = {
17191 .end_context_switch = paravirt_nop,
17192 };
17193
17194-struct pv_apic_ops pv_apic_ops = {
17195+struct pv_apic_ops pv_apic_ops __read_only = {
17196 #ifdef CONFIG_X86_LOCAL_APIC
17197 .startup_ipi_hook = paravirt_nop,
17198 #endif
17199 };
17200
17201-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
17202+#ifdef CONFIG_X86_32
17203+#ifdef CONFIG_X86_PAE
17204+/* 64-bit pagetable entries */
17205+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
17206+#else
17207 /* 32-bit pagetable entries */
17208 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
17209+#endif
17210 #else
17211 /* 64-bit pagetable entries */
17212 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
17213 #endif
17214
17215-struct pv_mmu_ops pv_mmu_ops = {
17216+struct pv_mmu_ops pv_mmu_ops __read_only = {
17217
17218 .read_cr2 = native_read_cr2,
17219 .write_cr2 = native_write_cr2,
17220@@ -448,6 +462,7 @@ struct pv_mmu_ops pv_mmu_ops = {
17221 .make_pud = PTE_IDENT,
17222
17223 .set_pgd = native_set_pgd,
17224+ .set_pgd_batched = native_set_pgd_batched,
17225 #endif
17226 #endif /* PAGETABLE_LEVELS >= 3 */
17227
17228@@ -467,6 +482,12 @@ struct pv_mmu_ops pv_mmu_ops = {
17229 },
17230
17231 .set_fixmap = native_set_fixmap,
17232+
17233+#ifdef CONFIG_PAX_KERNEXEC
17234+ .pax_open_kernel = native_pax_open_kernel,
17235+ .pax_close_kernel = native_pax_close_kernel,
17236+#endif
17237+
17238 };
17239
17240 EXPORT_SYMBOL_GPL(pv_time_ops);
17241diff -urNp linux-2.6.32.48/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.48/arch/x86/kernel/paravirt-spinlocks.c
17242--- linux-2.6.32.48/arch/x86/kernel/paravirt-spinlocks.c 2011-11-08 19:02:43.000000000 -0500
17243+++ linux-2.6.32.48/arch/x86/kernel/paravirt-spinlocks.c 2011-11-15 19:59:43.000000000 -0500
17244@@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
17245 __raw_spin_lock(lock);
17246 }
17247
17248-struct pv_lock_ops pv_lock_ops = {
17249+struct pv_lock_ops pv_lock_ops __read_only = {
17250 #ifdef CONFIG_SMP
17251 .spin_is_locked = __ticket_spin_is_locked,
17252 .spin_is_contended = __ticket_spin_is_contended,
17253diff -urNp linux-2.6.32.48/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.48/arch/x86/kernel/pci-calgary_64.c
17254--- linux-2.6.32.48/arch/x86/kernel/pci-calgary_64.c 2011-11-08 19:02:43.000000000 -0500
17255+++ linux-2.6.32.48/arch/x86/kernel/pci-calgary_64.c 2011-11-15 19:59:43.000000000 -0500
17256@@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
17257 free_pages((unsigned long)vaddr, get_order(size));
17258 }
17259
17260-static struct dma_map_ops calgary_dma_ops = {
17261+static const struct dma_map_ops calgary_dma_ops = {
17262 .alloc_coherent = calgary_alloc_coherent,
17263 .free_coherent = calgary_free_coherent,
17264 .map_sg = calgary_map_sg,
17265diff -urNp linux-2.6.32.48/arch/x86/kernel/pci-dma.c linux-2.6.32.48/arch/x86/kernel/pci-dma.c
17266--- linux-2.6.32.48/arch/x86/kernel/pci-dma.c 2011-11-08 19:02:43.000000000 -0500
17267+++ linux-2.6.32.48/arch/x86/kernel/pci-dma.c 2011-11-15 19:59:43.000000000 -0500
17268@@ -14,7 +14,7 @@
17269
17270 static int forbid_dac __read_mostly;
17271
17272-struct dma_map_ops *dma_ops;
17273+const struct dma_map_ops *dma_ops;
17274 EXPORT_SYMBOL(dma_ops);
17275
17276 static int iommu_sac_force __read_mostly;
17277@@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
17278
17279 int dma_supported(struct device *dev, u64 mask)
17280 {
17281- struct dma_map_ops *ops = get_dma_ops(dev);
17282+ const struct dma_map_ops *ops = get_dma_ops(dev);
17283
17284 #ifdef CONFIG_PCI
17285 if (mask > 0xffffffff && forbid_dac > 0) {
17286diff -urNp linux-2.6.32.48/arch/x86/kernel/pci-gart_64.c linux-2.6.32.48/arch/x86/kernel/pci-gart_64.c
17287--- linux-2.6.32.48/arch/x86/kernel/pci-gart_64.c 2011-11-08 19:02:43.000000000 -0500
17288+++ linux-2.6.32.48/arch/x86/kernel/pci-gart_64.c 2011-11-15 19:59:43.000000000 -0500
17289@@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
17290 return -1;
17291 }
17292
17293-static struct dma_map_ops gart_dma_ops = {
17294+static const struct dma_map_ops gart_dma_ops = {
17295 .map_sg = gart_map_sg,
17296 .unmap_sg = gart_unmap_sg,
17297 .map_page = gart_map_page,
17298diff -urNp linux-2.6.32.48/arch/x86/kernel/pci-nommu.c linux-2.6.32.48/arch/x86/kernel/pci-nommu.c
17299--- linux-2.6.32.48/arch/x86/kernel/pci-nommu.c 2011-11-08 19:02:43.000000000 -0500
17300+++ linux-2.6.32.48/arch/x86/kernel/pci-nommu.c 2011-11-15 19:59:43.000000000 -0500
17301@@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
17302 flush_write_buffers();
17303 }
17304
17305-struct dma_map_ops nommu_dma_ops = {
17306+const struct dma_map_ops nommu_dma_ops = {
17307 .alloc_coherent = dma_generic_alloc_coherent,
17308 .free_coherent = nommu_free_coherent,
17309 .map_sg = nommu_map_sg,
17310diff -urNp linux-2.6.32.48/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.48/arch/x86/kernel/pci-swiotlb.c
17311--- linux-2.6.32.48/arch/x86/kernel/pci-swiotlb.c 2011-11-08 19:02:43.000000000 -0500
17312+++ linux-2.6.32.48/arch/x86/kernel/pci-swiotlb.c 2011-11-15 19:59:43.000000000 -0500
17313@@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
17314 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
17315 }
17316
17317-static struct dma_map_ops swiotlb_dma_ops = {
17318+static const struct dma_map_ops swiotlb_dma_ops = {
17319 .mapping_error = swiotlb_dma_mapping_error,
17320 .alloc_coherent = x86_swiotlb_alloc_coherent,
17321 .free_coherent = swiotlb_free_coherent,
17322diff -urNp linux-2.6.32.48/arch/x86/kernel/process_32.c linux-2.6.32.48/arch/x86/kernel/process_32.c
17323--- linux-2.6.32.48/arch/x86/kernel/process_32.c 2011-11-08 19:02:43.000000000 -0500
17324+++ linux-2.6.32.48/arch/x86/kernel/process_32.c 2011-11-15 19:59:43.000000000 -0500
17325@@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
17326 unsigned long thread_saved_pc(struct task_struct *tsk)
17327 {
17328 return ((unsigned long *)tsk->thread.sp)[3];
17329+//XXX return tsk->thread.eip;
17330 }
17331
17332 #ifndef CONFIG_SMP
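Review bot: The added `//XXX return tsk->thread.eip;` in thread_saved_pc() is commented-out code placed after the live `return`, with nothing to say whether it is a planned replacement or a leftover. The copy_thread hunk further down this file assigns `p->thread.ip`, so the `eip` spelling presumably would not compile if the line were ever enabled. Either drop the line or turn it into a real comment, for example `/* XXX: reads slot 3 of the saved stack; consider returning tsk->thread.ip instead */`.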
17333@@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
17334 unsigned short ss, gs;
17335 const char *board;
17336
17337- if (user_mode_vm(regs)) {
17338+ if (user_mode(regs)) {
17339 sp = regs->sp;
17340 ss = regs->ss & 0xffff;
17341- gs = get_user_gs(regs);
17342 } else {
17343 sp = (unsigned long) (&regs->sp);
17344 savesegment(ss, ss);
17345- savesegment(gs, gs);
17346 }
17347+ gs = get_user_gs(regs);
17348
17349 printk("\n");
17350
17351@@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
17352 regs.bx = (unsigned long) fn;
17353 regs.dx = (unsigned long) arg;
17354
17355- regs.ds = __USER_DS;
17356- regs.es = __USER_DS;
17357+ regs.ds = __KERNEL_DS;
17358+ regs.es = __KERNEL_DS;
17359 regs.fs = __KERNEL_PERCPU;
17360- regs.gs = __KERNEL_STACK_CANARY;
17361+ savesegment(gs, regs.gs);
17362 regs.orig_ax = -1;
17363 regs.ip = (unsigned long) kernel_thread_helper;
17364 regs.cs = __KERNEL_CS | get_kernel_rpl();
17365@@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
17366 struct task_struct *tsk;
17367 int err;
17368
17369- childregs = task_pt_regs(p);
17370+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
17371 *childregs = *regs;
17372 childregs->ax = 0;
17373 childregs->sp = sp;
17374
17375 p->thread.sp = (unsigned long) childregs;
17376 p->thread.sp0 = (unsigned long) (childregs+1);
17377+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17378
17379 p->thread.ip = (unsigned long) ret_from_fork;
17380
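Review bot: The bare `- 8` in `childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;` replaces task_pt_regs(p) with open-coded arithmetic and an unexplained reserve at the top of the kernel stack. The same reserve shows up as a literal `16` in the process_64.c copy_thread and get_wchan hunks and in the smpboot.c do_boot_cpu hunk, so the values have to be kept in sync by hand across files. A named constant with a comment saying what occupies those bytes would make the invariant checkable, e.g. `#define KSTACK_TOP_RESERVE 8 /* constructed name: bytes kept free above pt_regs */`. The expression also depends on byte-wise arithmetic on what is presumably a `void *` from task_stack_page(), which deserves a one-line comment; copy_thread's body continues outside the hunk.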
17381@@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
17382 struct thread_struct *prev = &prev_p->thread,
17383 *next = &next_p->thread;
17384 int cpu = smp_processor_id();
17385- struct tss_struct *tss = &per_cpu(init_tss, cpu);
17386+ struct tss_struct *tss = init_tss + cpu;
17387 bool preload_fpu;
17388
17389 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
17390@@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
17391 */
17392 lazy_save_gs(prev->gs);
17393
17394+#ifdef CONFIG_PAX_MEMORY_UDEREF
17395+ __set_fs(task_thread_info(next_p)->addr_limit);
17396+#endif
17397+
17398 /*
17399 * Load the per-thread Thread-Local Storage descriptor.
17400 */
17401@@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
17402 */
17403 arch_end_context_switch(next_p);
17404
17405+ percpu_write(current_task, next_p);
17406+ percpu_write(current_tinfo, &next_p->tinfo);
17407+
17408 if (preload_fpu)
17409 __math_state_restore();
17410
17411@@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
17412 if (prev->gs | next->gs)
17413 lazy_load_gs(next->gs);
17414
17415- percpu_write(current_task, next_p);
17416-
17417 return prev_p;
17418 }
17419
17420@@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
17421 } while (count++ < 16);
17422 return 0;
17423 }
17424-
17425diff -urNp linux-2.6.32.48/arch/x86/kernel/process_64.c linux-2.6.32.48/arch/x86/kernel/process_64.c
17426--- linux-2.6.32.48/arch/x86/kernel/process_64.c 2011-11-08 19:02:43.000000000 -0500
17427+++ linux-2.6.32.48/arch/x86/kernel/process_64.c 2011-11-15 19:59:43.000000000 -0500
17428@@ -91,7 +91,7 @@ static void __exit_idle(void)
17429 void exit_idle(void)
17430 {
17431 /* idle loop has pid 0 */
17432- if (current->pid)
17433+ if (task_pid_nr(current))
17434 return;
17435 __exit_idle();
17436 }
17437@@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
17438 if (!board)
17439 board = "";
17440 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
17441- current->pid, current->comm, print_tainted(),
17442+ task_pid_nr(current), current->comm, print_tainted(),
17443 init_utsname()->release,
17444 (int)strcspn(init_utsname()->version, " "),
17445 init_utsname()->version, board);
17446@@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
17447 struct pt_regs *childregs;
17448 struct task_struct *me = current;
17449
17450- childregs = ((struct pt_regs *)
17451- (THREAD_SIZE + task_stack_page(p))) - 1;
17452+ childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
17453 *childregs = *regs;
17454
17455 childregs->ax = 0;
17456@@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
17457 p->thread.sp = (unsigned long) childregs;
17458 p->thread.sp0 = (unsigned long) (childregs+1);
17459 p->thread.usersp = me->thread.usersp;
17460+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
17461
17462 set_tsk_thread_flag(p, TIF_FORK);
17463
17464@@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
17465 struct thread_struct *prev = &prev_p->thread;
17466 struct thread_struct *next = &next_p->thread;
17467 int cpu = smp_processor_id();
17468- struct tss_struct *tss = &per_cpu(init_tss, cpu);
17469+ struct tss_struct *tss = init_tss + cpu;
17470 unsigned fsindex, gsindex;
17471 bool preload_fpu;
17472
17473@@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
17474 prev->usersp = percpu_read(old_rsp);
17475 percpu_write(old_rsp, next->usersp);
17476 percpu_write(current_task, next_p);
17477+ percpu_write(current_tinfo, &next_p->tinfo);
17478
17479- percpu_write(kernel_stack,
17480- (unsigned long)task_stack_page(next_p) +
17481- THREAD_SIZE - KERNEL_STACK_OFFSET);
17482+ percpu_write(kernel_stack, next->sp0);
17483
17484 /*
17485 * Now maybe reload the debug registers and handle I/O bitmaps
17486@@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
17487 if (!p || p == current || p->state == TASK_RUNNING)
17488 return 0;
17489 stack = (unsigned long)task_stack_page(p);
17490- if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
17491+ if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
17492 return 0;
17493 fp = *(u64 *)(p->thread.sp);
17494 do {
17495- if (fp < (unsigned long)stack ||
17496- fp >= (unsigned long)stack+THREAD_SIZE)
17497+ if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
17498 return 0;
17499 ip = *(u64 *)(fp+8);
17500 if (!in_sched_functions(ip))
17501diff -urNp linux-2.6.32.48/arch/x86/kernel/process.c linux-2.6.32.48/arch/x86/kernel/process.c
17502--- linux-2.6.32.48/arch/x86/kernel/process.c 2011-11-08 19:02:43.000000000 -0500
17503+++ linux-2.6.32.48/arch/x86/kernel/process.c 2011-11-15 19:59:43.000000000 -0500
17504@@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
17505
17506 void free_thread_info(struct thread_info *ti)
17507 {
17508- free_thread_xstate(ti->task);
17509 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
17510 }
17511
17512+static struct kmem_cache *task_struct_cachep;
17513+
17514 void arch_task_cache_init(void)
17515 {
17516- task_xstate_cachep =
17517- kmem_cache_create("task_xstate", xstate_size,
17518+ /* create a slab on which task_structs can be allocated */
17519+ task_struct_cachep =
17520+ kmem_cache_create("task_struct", sizeof(struct task_struct),
17521+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
17522+
17523+ task_xstate_cachep =
17524+ kmem_cache_create("task_xstate", xstate_size,
17525 __alignof__(union thread_xstate),
17526- SLAB_PANIC | SLAB_NOTRACK, NULL);
17527+ SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
17528+}
17529+
17530+struct task_struct *alloc_task_struct(void)
17531+{
17532+ return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
17533+}
17534+
17535+void free_task_struct(struct task_struct *task)
17536+{
17537+ free_thread_xstate(task);
17538+ kmem_cache_free(task_struct_cachep, task);
17539 }
17540
17541 /*
17542@@ -73,7 +90,7 @@ void exit_thread(void)
17543 unsigned long *bp = t->io_bitmap_ptr;
17544
17545 if (bp) {
17546- struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
17547+ struct tss_struct *tss = init_tss + get_cpu();
17548
17549 t->io_bitmap_ptr = NULL;
17550 clear_thread_flag(TIF_IO_BITMAP);
17551@@ -93,6 +110,9 @@ void flush_thread(void)
17552
17553 clear_tsk_thread_flag(tsk, TIF_DEBUG);
17554
17555+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
17556+ loadsegment(gs, 0);
17557+#endif
17558 tsk->thread.debugreg0 = 0;
17559 tsk->thread.debugreg1 = 0;
17560 tsk->thread.debugreg2 = 0;
17561@@ -307,7 +327,7 @@ void default_idle(void)
17562 EXPORT_SYMBOL(default_idle);
17563 #endif
17564
17565-void stop_this_cpu(void *dummy)
17566+__noreturn void stop_this_cpu(void *dummy)
17567 {
17568 local_irq_disable();
17569 /*
17570@@ -568,16 +588,38 @@ static int __init idle_setup(char *str)
17571 }
17572 early_param("idle", idle_setup);
17573
17574-unsigned long arch_align_stack(unsigned long sp)
17575+#ifdef CONFIG_PAX_RANDKSTACK
17576+void pax_randomize_kstack(struct pt_regs *regs)
17577 {
17578- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
17579- sp -= get_random_int() % 8192;
17580- return sp & ~0xf;
17581-}
17582+ struct thread_struct *thread = &current->thread;
17583+ unsigned long time;
17584
17585-unsigned long arch_randomize_brk(struct mm_struct *mm)
17586-{
17587- unsigned long range_end = mm->brk + 0x02000000;
17588- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
17589+ if (!randomize_va_space)
17590+ return;
17591+
17592+ if (v8086_mode(regs))
17593+ return;
17594+
17595+ rdtscl(time);
17596+
17597+ /* P4 seems to return a 0 LSB, ignore it */
17598+#ifdef CONFIG_MPENTIUM4
17599+ time &= 0x3EUL;
17600+ time <<= 2;
17601+#elif defined(CONFIG_X86_64)
17602+ time &= 0xFUL;
17603+ time <<= 4;
17604+#else
17605+ time &= 0x1FUL;
17606+ time <<= 3;
17607+#endif
17608+
17609+ thread->sp0 ^= time;
17610+ load_sp0(init_tss + smp_processor_id(), thread);
17611+
17612+#ifdef CONFIG_X86_64
17613+ percpu_write(kernel_stack, thread->sp0);
17614+#endif
17615 }
17616+#endif
17617
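Review bot: pax_randomize_kstack() carries no comment on how much randomness the XOR into `thread->sp0` provides or why the masks differ per configuration. Reading the hunk, the mask/shift pairs keep five low timestamp-counter bits on the 32-bit paths (offsets in 8-byte steps) and four under CONFIG_X86_64 (16-byte steps), so the offset takes at most 32 or 16 values and comes from `rdtscl()` rather than the kernel RNG. A header comment should record that, e.g. `/* XOR 4-5 low TSC bits into sp0; shifts keep sp0 8/16-byte aligned; low-entropy hardening, not a secret */`. The hunk also deletes arch_align_stack() and arch_randomize_brk() from this file; their replacements are presumably defined elsewhere in the patch, which is worth confirming since nothing here shows them.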
17618diff -urNp linux-2.6.32.48/arch/x86/kernel/ptrace.c linux-2.6.32.48/arch/x86/kernel/ptrace.c
17619--- linux-2.6.32.48/arch/x86/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
17620+++ linux-2.6.32.48/arch/x86/kernel/ptrace.c 2011-11-15 19:59:43.000000000 -0500
17621@@ -925,7 +925,7 @@ static const struct user_regset_view use
17622 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
17623 {
17624 int ret;
17625- unsigned long __user *datap = (unsigned long __user *)data;
17626+ unsigned long __user *datap = (__force unsigned long __user *)data;
17627
17628 switch (request) {
17629 /* read the word at location addr in the USER area. */
17630@@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
17631 if (addr < 0)
17632 return -EIO;
17633 ret = do_get_thread_area(child, addr,
17634- (struct user_desc __user *) data);
17635+ (__force struct user_desc __user *) data);
17636 break;
17637
17638 case PTRACE_SET_THREAD_AREA:
17639 if (addr < 0)
17640 return -EIO;
17641 ret = do_set_thread_area(child, addr,
17642- (struct user_desc __user *) data, 0);
17643+ (__force struct user_desc __user *) data, 0);
17644 break;
17645 #endif
17646
17647@@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
17648 #ifdef CONFIG_X86_PTRACE_BTS
17649 case PTRACE_BTS_CONFIG:
17650 ret = ptrace_bts_config
17651- (child, data, (struct ptrace_bts_config __user *)addr);
17652+ (child, data, (__force struct ptrace_bts_config __user *)addr);
17653 break;
17654
17655 case PTRACE_BTS_STATUS:
17656 ret = ptrace_bts_status
17657- (child, data, (struct ptrace_bts_config __user *)addr);
17658+ (child, data, (__force struct ptrace_bts_config __user *)addr);
17659 break;
17660
17661 case PTRACE_BTS_SIZE:
17662@@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
17663
17664 case PTRACE_BTS_GET:
17665 ret = ptrace_bts_read_record
17666- (child, data, (struct bts_struct __user *) addr);
17667+ (child, data, (__force struct bts_struct __user *) addr);
17668 break;
17669
17670 case PTRACE_BTS_CLEAR:
17671@@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
17672
17673 case PTRACE_BTS_DRAIN:
17674 ret = ptrace_bts_drain
17675- (child, data, (struct bts_struct __user *) addr);
17676+ (child, data, (__force struct bts_struct __user *) addr);
17677 break;
17678 #endif /* CONFIG_X86_PTRACE_BTS */
17679
17680@@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
17681 info.si_code = si_code;
17682
17683 /* User-mode ip? */
17684- info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
17685+ info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
17686
17687 /* Send us the fake SIGTRAP */
17688 force_sig_info(SIGTRAP, &info, tsk);
17689@@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
17690 * We must return the syscall number to actually look up in the table.
17691 * This can be -1L to skip running any syscall at all.
17692 */
17693-asmregparm long syscall_trace_enter(struct pt_regs *regs)
17694+long syscall_trace_enter(struct pt_regs *regs)
17695 {
17696 long ret = 0;
17697
17698@@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
17699 return ret ?: regs->orig_ax;
17700 }
17701
17702-asmregparm void syscall_trace_leave(struct pt_regs *regs)
17703+void syscall_trace_leave(struct pt_regs *regs)
17704 {
17705 if (unlikely(current->audit_context))
17706 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
17707diff -urNp linux-2.6.32.48/arch/x86/kernel/reboot.c linux-2.6.32.48/arch/x86/kernel/reboot.c
17708--- linux-2.6.32.48/arch/x86/kernel/reboot.c 2011-11-08 19:02:43.000000000 -0500
17709+++ linux-2.6.32.48/arch/x86/kernel/reboot.c 2011-11-15 19:59:43.000000000 -0500
17710@@ -33,7 +33,7 @@ void (*pm_power_off)(void);
17711 EXPORT_SYMBOL(pm_power_off);
17712
17713 static const struct desc_ptr no_idt = {};
17714-static int reboot_mode;
17715+static unsigned short reboot_mode;
17716 enum reboot_type reboot_type = BOOT_KBD;
17717 int reboot_force;
17718
17719@@ -292,12 +292,12 @@ core_initcall(reboot_init);
17720 controller to pulse the CPU reset line, which is more thorough, but
17721 doesn't work with at least one type of 486 motherboard. It is easy
17722 to stop this code working; hence the copious comments. */
17723-static const unsigned long long
17724-real_mode_gdt_entries [3] =
17725+static struct desc_struct
17726+real_mode_gdt_entries [3] __read_only =
17727 {
17728- 0x0000000000000000ULL, /* Null descriptor */
17729- 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
17730- 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
17731+ GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
17732+ GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
17733+ GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
17734 };
17735
17736 static const struct desc_ptr
17737@@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
17738 * specified by the code and length parameters.
17739 * We assume that length will aways be less that 100!
17740 */
17741-void machine_real_restart(const unsigned char *code, int length)
17742+__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
17743 {
17744 local_irq_disable();
17745
17746@@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
17747 /* Remap the kernel at virtual address zero, as well as offset zero
17748 from the kernel segment. This assumes the kernel segment starts at
17749 virtual address PAGE_OFFSET. */
17750- memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17751- sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
17752+ clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
17753+ min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
17754
17755 /*
17756 * Use `swapper_pg_dir' as our page directory.
17757@@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
17758 boot)". This seems like a fairly standard thing that gets set by
17759 REBOOT.COM programs, and the previous reset routine did this
17760 too. */
17761- *((unsigned short *)0x472) = reboot_mode;
17762+ *(unsigned short *)(__va(0x472)) = reboot_mode;
17763
17764 /* For the switch to real mode, copy some code to low memory. It has
17765 to be in the first 64k because it is running in 16-bit mode, and it
17766 has to have the same physical and virtual address, because it turns
17767 off paging. Copy it near the end of the first page, out of the way
17768 of BIOS variables. */
17769- memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
17770- real_mode_switch, sizeof (real_mode_switch));
17771- memcpy((void *)(0x1000 - 100), code, length);
17772+ memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
17773+ memcpy(__va(0x1000 - 100), code, length);
17774
17775 /* Set up the IDT for real mode. */
17776 load_idt(&real_mode_idt);
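Review bot: `memcpy(__va(0x1000 - 100), code, length);` still copies a caller-supplied `length` into the 100-byte slot at the end of the first page without checking it; changing the parameter to `unsigned int` rules out negative values but not values above 100. The only guard is the function's header comment in the earlier hunk ("We assume that length will aways be less that 100!"), and the function is exported under CONFIG_APM_MODULE. Enforce the assumption before the copy, e.g. `BUG_ON(length > 100);`. machine_real_restart's body starts and ends outside this hunk.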
17777@@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
17778 __asm__ __volatile__ ("ljmp $0x0008,%0"
17779 :
17780 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
17781+ do { } while (1);
17782 }
17783 #ifdef CONFIG_APM_MODULE
17784 EXPORT_SYMBOL(machine_real_restart);
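Review bot: The `do { } while (1);` added after the `ljmp` here, and again at the end of native_machine_power_off() in the last reboot.c hunk, has no comment and spins without relaxing the CPU. After the far jump it is presumably unreachable and exists only to satisfy `__noreturn`, but in native_machine_power_off() it is reached whenever `tboot_shutdown()` returns, which turns what used to be a return to the caller into a silent hang. Say so in the code and make the loop explicit, e.g. `for (;;) cpu_relax(); /* power-off failed; __noreturn forbids returning */`.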
17785@@ -544,7 +544,7 @@ void __attribute__((weak)) mach_reboot_f
17786 {
17787 }
17788
17789-static void native_machine_emergency_restart(void)
17790+__noreturn static void native_machine_emergency_restart(void)
17791 {
17792 int i;
17793
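Review bot: The attribute placement is inconsistent across the reboot.c hunks: `__noreturn static void native_machine_emergency_restart(void)` here and on native_machine_power_off(), but `static __noreturn void` on __machine_emergency_restart(), native_machine_restart() and native_machine_halt(). Pick one order for the file, e.g. `static __noreturn void native_machine_emergency_restart(void)`. The body of native_machine_emergency_restart() is outside the hunk, so whether every path in it really never returns cannot be checked from here.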
17794@@ -659,13 +659,13 @@ void native_machine_shutdown(void)
17795 #endif
17796 }
17797
17798-static void __machine_emergency_restart(int emergency)
17799+static __noreturn void __machine_emergency_restart(int emergency)
17800 {
17801 reboot_emergency = emergency;
17802 machine_ops.emergency_restart();
17803 }
17804
17805-static void native_machine_restart(char *__unused)
17806+static __noreturn void native_machine_restart(char *__unused)
17807 {
17808 printk("machine restart\n");
17809
17810@@ -674,7 +674,7 @@ static void native_machine_restart(char
17811 __machine_emergency_restart(0);
17812 }
17813
17814-static void native_machine_halt(void)
17815+static __noreturn void native_machine_halt(void)
17816 {
17817 /* stop other cpus and apics */
17818 machine_shutdown();
17819@@ -685,7 +685,7 @@ static void native_machine_halt(void)
17820 stop_this_cpu(NULL);
17821 }
17822
17823-static void native_machine_power_off(void)
17824+__noreturn static void native_machine_power_off(void)
17825 {
17826 if (pm_power_off) {
17827 if (!reboot_force)
17828@@ -694,6 +694,7 @@ static void native_machine_power_off(voi
17829 }
17830 /* a fallback in case there is no PM info available */
17831 tboot_shutdown(TB_SHUTDOWN_HALT);
17832+ do { } while (1);
17833 }
17834
17835 struct machine_ops machine_ops = {
17836diff -urNp linux-2.6.32.48/arch/x86/kernel/setup.c linux-2.6.32.48/arch/x86/kernel/setup.c
17837--- linux-2.6.32.48/arch/x86/kernel/setup.c 2011-11-08 19:02:43.000000000 -0500
17838+++ linux-2.6.32.48/arch/x86/kernel/setup.c 2011-11-15 19:59:43.000000000 -0500
17839@@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
17840
17841 if (!boot_params.hdr.root_flags)
17842 root_mountflags &= ~MS_RDONLY;
17843- init_mm.start_code = (unsigned long) _text;
17844- init_mm.end_code = (unsigned long) _etext;
17845+ init_mm.start_code = ktla_ktva((unsigned long) _text);
17846+ init_mm.end_code = ktla_ktva((unsigned long) _etext);
17847 init_mm.end_data = (unsigned long) _edata;
17848 init_mm.brk = _brk_end;
17849
17850- code_resource.start = virt_to_phys(_text);
17851- code_resource.end = virt_to_phys(_etext)-1;
17852- data_resource.start = virt_to_phys(_etext);
17853+ code_resource.start = virt_to_phys(ktla_ktva(_text));
17854+ code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
17855+ data_resource.start = virt_to_phys(_sdata);
17856 data_resource.end = virt_to_phys(_edata)-1;
17857 bss_resource.start = virt_to_phys(&__bss_start);
17858 bss_resource.end = virt_to_phys(&__bss_stop)-1;
17859diff -urNp linux-2.6.32.48/arch/x86/kernel/setup_percpu.c linux-2.6.32.48/arch/x86/kernel/setup_percpu.c
17860--- linux-2.6.32.48/arch/x86/kernel/setup_percpu.c 2011-11-08 19:02:43.000000000 -0500
17861+++ linux-2.6.32.48/arch/x86/kernel/setup_percpu.c 2011-11-15 19:59:43.000000000 -0500
17862@@ -25,19 +25,17 @@
17863 # define DBG(x...)
17864 #endif
17865
17866-DEFINE_PER_CPU(int, cpu_number);
17867+#ifdef CONFIG_SMP
17868+DEFINE_PER_CPU(unsigned int, cpu_number);
17869 EXPORT_PER_CPU_SYMBOL(cpu_number);
17870+#endif
17871
17872-#ifdef CONFIG_X86_64
17873 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
17874-#else
17875-#define BOOT_PERCPU_OFFSET 0
17876-#endif
17877
17878 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
17879 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
17880
17881-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
17882+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
17883 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
17884 };
17885 EXPORT_SYMBOL(__per_cpu_offset);
17886@@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
17887 {
17888 #ifdef CONFIG_X86_32
17889 struct desc_struct gdt;
17890+ unsigned long base = per_cpu_offset(cpu);
17891
17892- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
17893- 0x2 | DESCTYPE_S, 0x8);
17894- gdt.s = 1;
17895+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
17896+ 0x83 | DESCTYPE_S, 0xC);
17897 write_gdt_entry(get_cpu_gdt_table(cpu),
17898 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
17899 #endif
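Review bot: The new `pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT, 0x83 | DESCTYPE_S, 0xC);` replaces the flat 0xFFFFF limit with a computed one, but neither the limit formula nor the raw `0x83` and `0xC` values are explained. As far as the descriptor layout goes these look like present, accessed, writable data with page granularity and a 32-bit default size, and the limit appears to assume `base` lies below VMALLOC_END; both are worth stating rather than leaving to be decoded. Suggested comment above the call: `/* per-CPU segment ends at VMALLOC_END (limit in pages); 0x83|S = present RW data, accessed; 0xC = G + D/B */`.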
17900@@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
17901 /* alrighty, percpu areas up and running */
17902 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
17903 for_each_possible_cpu(cpu) {
17904+#ifdef CONFIG_CC_STACKPROTECTOR
17905+#ifdef CONFIG_X86_32
17906+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
17907+#endif
17908+#endif
17909 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
17910 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
17911 per_cpu(cpu_number, cpu) = cpu;
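Review bot: `canary` is read with `per_cpu(stack_canary.canary, cpu)` on every loop iteration, before `per_cpu_offset(cpu)` is reassigned, yet the following hunk writes it back only under `if (!cpu)`. The ordering looks deliberate (the context comment below notes the boot CPU has been using the .data.init area until this point), but nothing in either hunk says so, and the read for non-boot CPUs is unused. Add a why-comment such as `/* save the boot CPU's canary before its per-cpu offset switches away from .data.init */`, and fold the nested guards into `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)` in both hunks.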
17912@@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
17913 early_per_cpu_map(x86_cpu_to_node_map, cpu);
17914 #endif
17915 #endif
17916+#ifdef CONFIG_CC_STACKPROTECTOR
17917+#ifdef CONFIG_X86_32
17918+ if (!cpu)
17919+ per_cpu(stack_canary.canary, cpu) = canary;
17920+#endif
17921+#endif
17922 /*
17923 * Up to this point, the boot CPU has been using .data.init
17924 * area. Reload any changed state for the boot CPU.
17925diff -urNp linux-2.6.32.48/arch/x86/kernel/signal.c linux-2.6.32.48/arch/x86/kernel/signal.c
17926--- linux-2.6.32.48/arch/x86/kernel/signal.c 2011-11-08 19:02:43.000000000 -0500
17927+++ linux-2.6.32.48/arch/x86/kernel/signal.c 2011-11-15 19:59:43.000000000 -0500
17928@@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
17929 * Align the stack pointer according to the i386 ABI,
17930 * i.e. so that on function entry ((sp + 4) & 15) == 0.
17931 */
17932- sp = ((sp + 4) & -16ul) - 4;
17933+ sp = ((sp - 12) & -16ul) - 4;
17934 #else /* !CONFIG_X86_32 */
17935 sp = round_down(sp, 16) - 8;
17936 #endif
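Review bot: The new `sp = ((sp - 12) & -16ul) - 4;` yields a value exactly 16 bytes lower than the old `((sp + 4) & -16ul) - 4`, while the comment above it still states only the ABI rule `((sp + 4) & 15) == 0`, which both forms satisfy. Nothing in the hunk says why the extra 16 bytes are left free. Record the reason next to the expression, e.g. `/* one 16-byte slot lower than plain ABI rounding: <reason>; alignment invariant unchanged */`. align_sigframe's body starts outside the hunk.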
17937@@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
17938 * Return an always-bogus address instead so we will die with SIGSEGV.
17939 */
17940 if (onsigstack && !likely(on_sig_stack(sp)))
17941- return (void __user *)-1L;
17942+ return (__force void __user *)-1L;
17943
17944 /* save i387 state */
17945 if (used_math() && save_i387_xstate(*fpstate) < 0)
17946- return (void __user *)-1L;
17947+ return (__force void __user *)-1L;
17948
17949 return (void __user *)sp;
17950 }
17951@@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
17952 }
17953
17954 if (current->mm->context.vdso)
17955- restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17956+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
17957 else
17958- restorer = &frame->retcode;
17959+ restorer = (void __user *)&frame->retcode;
17960 if (ka->sa.sa_flags & SA_RESTORER)
17961 restorer = ka->sa.sa_restorer;
17962
17963@@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
17964 * reasons and because gdb uses it as a signature to notice
17965 * signal handler stack frames.
17966 */
17967- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
17968+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
17969
17970 if (err)
17971 return -EFAULT;
17972@@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
17973 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
17974
17975 /* Set up to return from userspace. */
17976- restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17977+ if (current->mm->context.vdso)
17978+ restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
17979+ else
17980+ restorer = (void __user *)&frame->retcode;
17981 if (ka->sa.sa_flags & SA_RESTORER)
17982 restorer = ka->sa.sa_restorer;
17983 put_user_ex(restorer, &frame->pretcode);
17984@@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
17985 * reasons and because gdb uses it as a signature to notice
17986 * signal handler stack frames.
17987 */
17988- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
17989+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
17990 } put_user_catch(err);
17991
17992 if (err)
17993@@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
17994 int signr;
17995 sigset_t *oldset;
17996
17997+ pax_track_stack();
17998+
17999 /*
18000 * We want the common case to go fast, which is why we may in certain
18001 * cases get here from kernel mode. Just return without doing anything
18002@@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
18003 * X86_32: vm86 regs switched out by assembly code before reaching
18004 * here, so testing against kernel CS suffices.
18005 */
18006- if (!user_mode(regs))
18007+ if (!user_mode_novm(regs))
18008 return;
18009
18010 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
18011diff -urNp linux-2.6.32.48/arch/x86/kernel/smpboot.c linux-2.6.32.48/arch/x86/kernel/smpboot.c
18012--- linux-2.6.32.48/arch/x86/kernel/smpboot.c 2011-11-08 19:02:43.000000000 -0500
18013+++ linux-2.6.32.48/arch/x86/kernel/smpboot.c 2011-11-15 19:59:43.000000000 -0500
18014@@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
18015 */
18016 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
18017
18018-void cpu_hotplug_driver_lock()
18019+void cpu_hotplug_driver_lock(void)
18020 {
18021- mutex_lock(&x86_cpu_hotplug_driver_mutex);
18022+ mutex_lock(&x86_cpu_hotplug_driver_mutex);
18023 }
18024
18025-void cpu_hotplug_driver_unlock()
18026+void cpu_hotplug_driver_unlock(void)
18027 {
18028- mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18029+ mutex_unlock(&x86_cpu_hotplug_driver_mutex);
18030 }
18031
18032 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
18033@@ -625,7 +625,7 @@ wakeup_secondary_cpu_via_init(int phys_a
18034 * target processor state.
18035 */
18036 startup_ipi_hook(phys_apicid, (unsigned long) start_secondary,
18037- (unsigned long)stack_start.sp);
18038+ stack_start);
18039
18040 /*
18041 * Run STARTUP IPI loop.
18042@@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
18043 set_idle_for_cpu(cpu, c_idle.idle);
18044 do_rest:
18045 per_cpu(current_task, cpu) = c_idle.idle;
18046+ per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
18047 #ifdef CONFIG_X86_32
18048 /* Stack for startup_32 can be just as for start_secondary onwards */
18049 irq_ctx_init(cpu);
18050@@ -750,13 +751,15 @@ do_rest:
18051 #else
18052 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
18053 initial_gs = per_cpu_offset(cpu);
18054- per_cpu(kernel_stack, cpu) =
18055- (unsigned long)task_stack_page(c_idle.idle) -
18056- KERNEL_STACK_OFFSET + THREAD_SIZE;
18057+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
18058 #endif
18059+
18060+ pax_open_kernel();
18061 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
18062+ pax_close_kernel();
18063+
18064 initial_code = (unsigned long)start_secondary;
18065- stack_start.sp = (void *) c_idle.idle->thread.sp;
18066+ stack_start = c_idle.idle->thread.sp;
18067
18068 /* start_ip had better be page-aligned! */
18069 start_ip = setup_trampoline();
18070@@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
18071
18072 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
18073
18074+#ifdef CONFIG_PAX_PER_CPU_PGD
18075+ clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
18076+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18077+ KERNEL_PGD_PTRS);
18078+#endif
18079+
18080 err = do_boot_cpu(apicid, cpu);
18081
18082 if (err) {
18083diff -urNp linux-2.6.32.48/arch/x86/kernel/step.c linux-2.6.32.48/arch/x86/kernel/step.c
18084--- linux-2.6.32.48/arch/x86/kernel/step.c 2011-11-08 19:02:43.000000000 -0500
18085+++ linux-2.6.32.48/arch/x86/kernel/step.c 2011-11-15 19:59:43.000000000 -0500
18086@@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
18087 struct desc_struct *desc;
18088 unsigned long base;
18089
18090- seg &= ~7UL;
18091+ seg >>= 3;
18092
18093 mutex_lock(&child->mm->context.lock);
18094- if (unlikely((seg >> 3) >= child->mm->context.size))
18095+ if (unlikely(seg >= child->mm->context.size))
18096 addr = -1L; /* bogus selector, access would fault */
18097 else {
18098 desc = child->mm->context.ldt + seg;
18099@@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
18100 addr += base;
18101 }
18102 mutex_unlock(&child->mm->context.lock);
18103- }
18104+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
18105+ addr = ktla_ktva(addr);
18106
18107 return addr;
18108 }
18109@@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
18110 unsigned char opcode[15];
18111 unsigned long addr = convert_ip_to_linear(child, regs);
18112
18113+ if (addr == -EINVAL)
18114+ return 0;
18115+
18116 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
18117 for (i = 0; i < copied; i++) {
18118 switch (opcode[i]) {
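Review bot: The added guard `if (addr == -EINVAL)` does not match the only failure value visible in convert_ip_to_linear, which in the earlier hunk still assigns `addr = -1L` for a bogus selector. Unless another path outside these hunks returns -EINVAL, the bogus-selector case still reaches `access_process_vm()` with an all-ones address. The two should agree on one sentinel: either test `if (addr == -1L)` here or change the assignment to `addr = -EINVAL;`. Because `addr` is `unsigned long`, writing the comparison as `addr == (unsigned long)-EINVAL` would also make the intended conversion explicit.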
18119@@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
18120
18121 #ifdef CONFIG_X86_64
18122 case 0x40 ... 0x4f:
18123- if (regs->cs != __USER_CS)
18124+ if ((regs->cs & 0xffff) != __USER_CS)
18125 /* 32-bit mode: register increment */
18126 return 0;
18127 /* 64-bit mode: REX prefix */
18128diff -urNp linux-2.6.32.48/arch/x86/kernel/syscall_table_32.S linux-2.6.32.48/arch/x86/kernel/syscall_table_32.S
18129--- linux-2.6.32.48/arch/x86/kernel/syscall_table_32.S 2011-11-08 19:02:43.000000000 -0500
18130+++ linux-2.6.32.48/arch/x86/kernel/syscall_table_32.S 2011-11-15 19:59:43.000000000 -0500
18131@@ -1,3 +1,4 @@
18132+.section .rodata,"a",@progbits
18133 ENTRY(sys_call_table)
18134 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
18135 .long sys_exit
18136diff -urNp linux-2.6.32.48/arch/x86/kernel/sys_i386_32.c linux-2.6.32.48/arch/x86/kernel/sys_i386_32.c
18137--- linux-2.6.32.48/arch/x86/kernel/sys_i386_32.c 2011-11-08 19:02:43.000000000 -0500
18138+++ linux-2.6.32.48/arch/x86/kernel/sys_i386_32.c 2011-11-15 19:59:43.000000000 -0500
18139@@ -24,6 +24,21 @@
18140
18141 #include <asm/syscalls.h>
18142
18143+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
18144+{
18145+ unsigned long pax_task_size = TASK_SIZE;
18146+
18147+#ifdef CONFIG_PAX_SEGMEXEC
18148+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
18149+ pax_task_size = SEGMEXEC_TASK_SIZE;
18150+#endif
18151+
18152+ if (len > pax_task_size || addr > pax_task_size - len)
18153+ return -EINVAL;
18154+
18155+ return 0;
18156+}
18157+
18158 /*
18159 * Perform the select(nd, in, out, ex, tv) and mmap() system
18160 * calls. Linux/i386 didn't use to be able to handle more than
18161@@ -58,6 +73,212 @@ out:
18162 return err;
18163 }
18164
18165+unsigned long
18166+arch_get_unmapped_area(struct file *filp, unsigned long addr,
18167+ unsigned long len, unsigned long pgoff, unsigned long flags)
18168+{
18169+ struct mm_struct *mm = current->mm;
18170+ struct vm_area_struct *vma;
18171+ unsigned long start_addr, pax_task_size = TASK_SIZE;
18172+
18173+#ifdef CONFIG_PAX_SEGMEXEC
18174+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18175+ pax_task_size = SEGMEXEC_TASK_SIZE;
18176+#endif
18177+
18178+ pax_task_size -= PAGE_SIZE;
18179+
18180+ if (len > pax_task_size)
18181+ return -ENOMEM;
18182+
18183+ if (flags & MAP_FIXED)
18184+ return addr;
18185+
18186+#ifdef CONFIG_PAX_RANDMMAP
18187+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18188+#endif
18189+
18190+ if (addr) {
18191+ addr = PAGE_ALIGN(addr);
18192+ if (pax_task_size - len >= addr) {
18193+ vma = find_vma(mm, addr);
18194+ if (check_heap_stack_gap(vma, addr, len))
18195+ return addr;
18196+ }
18197+ }
18198+ if (len > mm->cached_hole_size) {
18199+ start_addr = addr = mm->free_area_cache;
18200+ } else {
18201+ start_addr = addr = mm->mmap_base;
18202+ mm->cached_hole_size = 0;
18203+ }
18204+
18205+#ifdef CONFIG_PAX_PAGEEXEC
18206+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
18207+ start_addr = 0x00110000UL;
18208+
18209+#ifdef CONFIG_PAX_RANDMMAP
18210+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18211+ start_addr += mm->delta_mmap & 0x03FFF000UL;
18212+#endif
18213+
18214+ if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
18215+ start_addr = addr = mm->mmap_base;
18216+ else
18217+ addr = start_addr;
18218+ }
18219+#endif
18220+
18221+full_search:
18222+ for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18223+ /* At this point: (!vma || addr < vma->vm_end). */
18224+ if (pax_task_size - len < addr) {
18225+ /*
18226+ * Start a new search - just in case we missed
18227+ * some holes.
18228+ */
18229+ if (start_addr != mm->mmap_base) {
18230+ start_addr = addr = mm->mmap_base;
18231+ mm->cached_hole_size = 0;
18232+ goto full_search;
18233+ }
18234+ return -ENOMEM;
18235+ }
18236+ if (check_heap_stack_gap(vma, addr, len))
18237+ break;
18238+ if (addr + mm->cached_hole_size < vma->vm_start)
18239+ mm->cached_hole_size = vma->vm_start - addr;
18240+ addr = vma->vm_end;
18241+ if (mm->start_brk <= addr && addr < mm->mmap_base) {
18242+ start_addr = addr = mm->mmap_base;
18243+ mm->cached_hole_size = 0;
18244+ goto full_search;
18245+ }
18246+ }
18247+
18248+ /*
18249+ * Remember the place where we stopped the search:
18250+ */
18251+ mm->free_area_cache = addr + len;
18252+ return addr;
18253+}
18254+
18255+unsigned long
18256+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
18257+ const unsigned long len, const unsigned long pgoff,
18258+ const unsigned long flags)
18259+{
18260+ struct vm_area_struct *vma;
18261+ struct mm_struct *mm = current->mm;
18262+ unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
18263+
18264+#ifdef CONFIG_PAX_SEGMEXEC
18265+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18266+ pax_task_size = SEGMEXEC_TASK_SIZE;
18267+#endif
18268+
18269+ pax_task_size -= PAGE_SIZE;
18270+
18271+ /* requested length too big for entire address space */
18272+ if (len > pax_task_size)
18273+ return -ENOMEM;
18274+
18275+ if (flags & MAP_FIXED)
18276+ return addr;
18277+
18278+#ifdef CONFIG_PAX_PAGEEXEC
18279+ if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
18280+ goto bottomup;
18281+#endif
18282+
18283+#ifdef CONFIG_PAX_RANDMMAP
18284+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18285+#endif
18286+
18287+ /* requesting a specific address */
18288+ if (addr) {
18289+ addr = PAGE_ALIGN(addr);
18290+ if (pax_task_size - len >= addr) {
18291+ vma = find_vma(mm, addr);
18292+ if (check_heap_stack_gap(vma, addr, len))
18293+ return addr;
18294+ }
18295+ }
18296+
18297+ /* check if free_area_cache is useful for us */
18298+ if (len <= mm->cached_hole_size) {
18299+ mm->cached_hole_size = 0;
18300+ mm->free_area_cache = mm->mmap_base;
18301+ }
18302+
18303+ /* either no address requested or can't fit in requested address hole */
18304+ addr = mm->free_area_cache;
18305+
18306+ /* make sure it can fit in the remaining address space */
18307+ if (addr > len) {
18308+ vma = find_vma(mm, addr-len);
18309+ if (check_heap_stack_gap(vma, addr - len, len))
18310+ /* remember the address as a hint for next time */
18311+ return (mm->free_area_cache = addr-len);
18312+ }
18313+
18314+ if (mm->mmap_base < len)
18315+ goto bottomup;
18316+
18317+ addr = mm->mmap_base-len;
18318+
18319+ do {
18320+ /*
18321+ * Lookup failure means no vma is above this address,
18322+ * else if new region fits below vma->vm_start,
18323+ * return with success:
18324+ */
18325+ vma = find_vma(mm, addr);
18326+ if (check_heap_stack_gap(vma, addr, len))
18327+ /* remember the address as a hint for next time */
18328+ return (mm->free_area_cache = addr);
18329+
18330+ /* remember the largest hole we saw so far */
18331+ if (addr + mm->cached_hole_size < vma->vm_start)
18332+ mm->cached_hole_size = vma->vm_start - addr;
18333+
18334+ /* try just below the current vma->vm_start */
18335+ addr = skip_heap_stack_gap(vma, len);
18336+ } while (!IS_ERR_VALUE(addr));
18337+
18338+bottomup:
18339+ /*
18340+ * A failed mmap() very likely causes application failure,
18341+ * so fall back to the bottom-up function here. This scenario
18342+ * can happen with large stack limits and large mmap()
18343+ * allocations.
18344+ */
18345+
18346+#ifdef CONFIG_PAX_SEGMEXEC
18347+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
18348+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18349+ else
18350+#endif
18351+
18352+ mm->mmap_base = TASK_UNMAPPED_BASE;
18353+
18354+#ifdef CONFIG_PAX_RANDMMAP
18355+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18356+ mm->mmap_base += mm->delta_mmap;
18357+#endif
18358+
18359+ mm->free_area_cache = mm->mmap_base;
18360+ mm->cached_hole_size = ~0UL;
18361+ addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18362+ /*
18363+ * Restore the topdown base:
18364+ */
18365+ mm->mmap_base = base;
18366+ mm->free_area_cache = base;
18367+ mm->cached_hole_size = ~0UL;
18368+
18369+ return addr;
18370+}
18371
18372 struct sel_arg_struct {
18373 unsigned long n;
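Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and governs the `if (addr) {` block that follows the `#endif` and a blank line, in both arch_get_unmapped_area and arch_get_unmapped_area_topdown. Any statement later inserted between the two lines becomes the conditional body instead, and the address-hint block would then run for randomized tasks as well, with no compile error. State the intent on the line, e.g. `/* RANDMMAP: ignore the caller's address hint; this if guards the block below */`, or fold the test into the `if (addr)` condition. The same construct is added in the sys_x86_64.c hunks at `-69,16` and `-141,13`.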
18374@@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
18375 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
18376 case SEMTIMEDOP:
18377 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
18378- (const struct timespec __user *)fifth);
18379+ (__force const struct timespec __user *)fifth);
18380
18381 case SEMGET:
18382 return sys_semget(first, second, third);
18383@@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
18384 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
18385 if (ret)
18386 return ret;
18387- return put_user(raddr, (ulong __user *) third);
18388+ return put_user(raddr, (__force ulong __user *) third);
18389 }
18390 case 1: /* iBCS2 emulator entry point */
18391 if (!segment_eq(get_fs(), get_ds()))
18392@@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
18393
18394 return error;
18395 }
18396-
18397-
18398-/*
18399- * Do a system call from kernel instead of calling sys_execve so we
18400- * end up with proper pt_regs.
18401- */
18402-int kernel_execve(const char *filename, char *const argv[], char *const envp[])
18403-{
18404- long __res;
18405- asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
18406- : "=a" (__res)
18407- : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
18408- return __res;
18409-}
18410diff -urNp linux-2.6.32.48/arch/x86/kernel/sys_x86_64.c linux-2.6.32.48/arch/x86/kernel/sys_x86_64.c
18411--- linux-2.6.32.48/arch/x86/kernel/sys_x86_64.c 2011-11-08 19:02:43.000000000 -0500
18412+++ linux-2.6.32.48/arch/x86/kernel/sys_x86_64.c 2011-11-15 19:59:43.000000000 -0500
18413@@ -32,8 +32,8 @@ out:
18414 return error;
18415 }
18416
18417-static void find_start_end(unsigned long flags, unsigned long *begin,
18418- unsigned long *end)
18419+static void find_start_end(struct mm_struct *mm, unsigned long flags,
18420+ unsigned long *begin, unsigned long *end)
18421 {
18422 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
18423 unsigned long new_begin;
18424@@ -52,7 +52,7 @@ static void find_start_end(unsigned long
18425 *begin = new_begin;
18426 }
18427 } else {
18428- *begin = TASK_UNMAPPED_BASE;
18429+ *begin = mm->mmap_base;
18430 *end = TASK_SIZE;
18431 }
18432 }
18433@@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
18434 if (flags & MAP_FIXED)
18435 return addr;
18436
18437- find_start_end(flags, &begin, &end);
18438+ find_start_end(mm, flags, &begin, &end);
18439
18440 if (len > end)
18441 return -ENOMEM;
18442
18443+#ifdef CONFIG_PAX_RANDMMAP
18444+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18445+#endif
18446+
18447 if (addr) {
18448 addr = PAGE_ALIGN(addr);
18449 vma = find_vma(mm, addr);
18450- if (end - len >= addr &&
18451- (!vma || addr + len <= vma->vm_start))
18452+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
18453 return addr;
18454 }
18455 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
18456@@ -106,7 +109,7 @@ full_search:
18457 }
18458 return -ENOMEM;
18459 }
18460- if (!vma || addr + len <= vma->vm_start) {
18461+ if (check_heap_stack_gap(vma, addr, len)) {
18462 /*
18463 * Remember the place where we stopped the search:
18464 */
18465@@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
18466 {
18467 struct vm_area_struct *vma;
18468 struct mm_struct *mm = current->mm;
18469- unsigned long addr = addr0;
18470+ unsigned long base = mm->mmap_base, addr = addr0;
18471
18472 /* requested length too big for entire address space */
18473 if (len > TASK_SIZE)
18474@@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
18475 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
18476 goto bottomup;
18477
18478+#ifdef CONFIG_PAX_RANDMMAP
18479+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
18480+#endif
18481+
18482 /* requesting a specific address */
18483 if (addr) {
18484 addr = PAGE_ALIGN(addr);
18485- vma = find_vma(mm, addr);
18486- if (TASK_SIZE - len >= addr &&
18487- (!vma || addr + len <= vma->vm_start))
18488- return addr;
18489+ if (TASK_SIZE - len >= addr) {
18490+ vma = find_vma(mm, addr);
18491+ if (check_heap_stack_gap(vma, addr, len))
18492+ return addr;
18493+ }
18494 }
18495
18496 /* check if free_area_cache is useful for us */
18497@@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
18498 /* make sure it can fit in the remaining address space */
18499 if (addr > len) {
18500 vma = find_vma(mm, addr-len);
18501- if (!vma || addr <= vma->vm_start)
18502+ if (check_heap_stack_gap(vma, addr - len, len))
18503 /* remember the address as a hint for next time */
18504 return mm->free_area_cache = addr-len;
18505 }
18506@@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
18507 * return with success:
18508 */
18509 vma = find_vma(mm, addr);
18510- if (!vma || addr+len <= vma->vm_start)
18511+ if (check_heap_stack_gap(vma, addr, len))
18512 /* remember the address as a hint for next time */
18513 return mm->free_area_cache = addr;
18514
18515@@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
18516 mm->cached_hole_size = vma->vm_start - addr;
18517
18518 /* try just below the current vma->vm_start */
18519- addr = vma->vm_start-len;
18520- } while (len < vma->vm_start);
18521+ addr = skip_heap_stack_gap(vma, len);
18522+ } while (!IS_ERR_VALUE(addr));
18523
18524 bottomup:
18525 /*
18526@@ -198,13 +206,21 @@ bottomup:
18527 * can happen with large stack limits and large mmap()
18528 * allocations.
18529 */
18530+ mm->mmap_base = TASK_UNMAPPED_BASE;
18531+
18532+#ifdef CONFIG_PAX_RANDMMAP
18533+ if (mm->pax_flags & MF_PAX_RANDMMAP)
18534+ mm->mmap_base += mm->delta_mmap;
18535+#endif
18536+
18537+ mm->free_area_cache = mm->mmap_base;
18538 mm->cached_hole_size = ~0UL;
18539- mm->free_area_cache = TASK_UNMAPPED_BASE;
18540 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
18541 /*
18542 * Restore the topdown base:
18543 */
18544- mm->free_area_cache = mm->mmap_base;
18545+ mm->mmap_base = base;
18546+ mm->free_area_cache = base;
18547 mm->cached_hole_size = ~0UL;
18548
18549 return addr;
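Review bot: The bottomup path now rewrites `mm->mmap_base` before calling arch_get_unmapped_area() and restores it from `base` afterwards, but nothing in the hunk says why or what protects the window. The reason appears to be the find_start_end() change above, which makes the bottom-up search start at `mm->mmap_base` instead of `TASK_UNMAPPED_BASE`. A comment would record that coupling, e.g. `/* arch_get_unmapped_area() starts at mm->mmap_base, so point it at the bottom-up base for this one call */`. It should also state the locking assumption (presumably the caller holds mmap_sem; not visible here), since any reader of `mmap_base` during the call sees the temporary value. The new arch_get_unmapped_area_topdown in sys_i386_32.c uses the same sequence.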
18550diff -urNp linux-2.6.32.48/arch/x86/kernel/tboot.c linux-2.6.32.48/arch/x86/kernel/tboot.c
18551--- linux-2.6.32.48/arch/x86/kernel/tboot.c 2011-11-08 19:02:43.000000000 -0500
18552+++ linux-2.6.32.48/arch/x86/kernel/tboot.c 2011-11-15 19:59:43.000000000 -0500
18553@@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
18554
18555 void tboot_shutdown(u32 shutdown_type)
18556 {
18557- void (*shutdown)(void);
18558+ void (* __noreturn shutdown)(void);
18559
18560 if (!tboot_enabled())
18561 return;
18562@@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
18563
18564 switch_to_tboot_pt();
18565
18566- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
18567+ shutdown = (void *)tboot->shutdown_entry;
18568 shutdown();
18569
18570 /* should not reach here */
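Review bot: The new assignment `shutdown = (void *)tboot->shutdown_entry;` drops the `(unsigned long)` step that the removed line had. If shutdown_entry is a fixed-width integer narrower than a pointer (its declaration is not in this hunk), a 64-bit build converts an integer of a different size straight to a pointer, which compilers warn about and which hides the widening of the value that is about to be called. Keeping the step explicit costs nothing: `shutdown = (void *)(unsigned long)tboot->shutdown_entry;`. tboot_shutdown's body continues outside the hunk.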
18571@@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
18572 tboot_shutdown(acpi_shutdown_map[sleep_state]);
18573 }
18574
18575-static atomic_t ap_wfs_count;
18576+static atomic_unchecked_t ap_wfs_count;
18577
18578 static int tboot_wait_for_aps(int num_aps)
18579 {
18580@@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
18581 {
18582 switch (action) {
18583 case CPU_DYING:
18584- atomic_inc(&ap_wfs_count);
18585+ atomic_inc_unchecked(&ap_wfs_count);
18586 if (num_online_cpus() == 1)
18587- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
18588+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
18589 return NOTIFY_BAD;
18590 break;
18591 }
18592@@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
18593
18594 tboot_create_trampoline();
18595
18596- atomic_set(&ap_wfs_count, 0);
18597+ atomic_set_unchecked(&ap_wfs_count, 0);
18598 register_hotcpu_notifier(&tboot_cpu_notifier);
18599 return 0;
18600 }
18601diff -urNp linux-2.6.32.48/arch/x86/kernel/time.c linux-2.6.32.48/arch/x86/kernel/time.c
18602--- linux-2.6.32.48/arch/x86/kernel/time.c 2011-11-08 19:02:43.000000000 -0500
18603+++ linux-2.6.32.48/arch/x86/kernel/time.c 2011-11-15 19:59:43.000000000 -0500
18604@@ -26,17 +26,13 @@
18605 int timer_ack;
18606 #endif
18607
18608-#ifdef CONFIG_X86_64
18609-volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
18610-#endif
18611-
18612 unsigned long profile_pc(struct pt_regs *regs)
18613 {
18614 unsigned long pc = instruction_pointer(regs);
18615
18616- if (!user_mode_vm(regs) && in_lock_functions(pc)) {
18617+ if (!user_mode(regs) && in_lock_functions(pc)) {
18618 #ifdef CONFIG_FRAME_POINTER
18619- return *(unsigned long *)(regs->bp + sizeof(long));
18620+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
18621 #else
18622 unsigned long *sp =
18623 (unsigned long *)kernel_stack_pointer(regs);
18624@@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
18625 * or above a saved flags. Eflags has bits 22-31 zero,
18626 * kernel addresses don't.
18627 */
18628+
18629+#ifdef CONFIG_PAX_KERNEXEC
18630+ return ktla_ktva(sp[0]);
18631+#else
18632 if (sp[0] >> 22)
18633 return sp[0];
18634 if (sp[1] >> 22)
18635 return sp[1];
18636 #endif
18637+
18638+#endif
18639 }
18640 return pc;
18641 }
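Review bot: Under CONFIG_PAX_KERNEXEC the new branch returns `ktla_ktva(sp[0])` unconditionally, so the `>> 22` test described in the comment just above (telling a return address from saved flags) no longer runs and `sp[1]` is never considered. If `sp[0]` holds saved flags at that point, profile_pc reports a translated flags value as a program counter. Presumably the bit-22 heuristic does not hold for KERNEXEC text addresses, but the hunk does not say so. A comment such as `/* KERNEXEC: kernel text addresses may have bits 22-31 clear, so the eflags heuristic cannot be used */` (wording to be confirmed by the author) would record the reason and the accepted inaccuracy.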
18642diff -urNp linux-2.6.32.48/arch/x86/kernel/tls.c linux-2.6.32.48/arch/x86/kernel/tls.c
18643--- linux-2.6.32.48/arch/x86/kernel/tls.c 2011-11-08 19:02:43.000000000 -0500
18644+++ linux-2.6.32.48/arch/x86/kernel/tls.c 2011-11-15 19:59:43.000000000 -0500
18645@@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
18646 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
18647 return -EINVAL;
18648
18649+#ifdef CONFIG_PAX_SEGMEXEC
18650+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
18651+ return -EINVAL;
18652+#endif
18653+
18654 set_tls_desc(p, idx, &info, 1);
18655
18656 return 0;
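Review bot: The added SEGMEXEC check dereferences `p->mm` without testing it, whereas the do_general_protection hunk in traps.c guards the same kind of access with `tsk->mm &&`. Whether every caller of do_set_thread_area passes a task that has an mm cannot be seen from this hunk, so the cheaper option is to match the other site: `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`. A one-line comment saying that code-type TLS descriptors are refused for SEGMEXEC tasks would also explain the -EINVAL to someone debugging a failing set_thread_area call.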
18657diff -urNp linux-2.6.32.48/arch/x86/kernel/trampoline_32.S linux-2.6.32.48/arch/x86/kernel/trampoline_32.S
18658--- linux-2.6.32.48/arch/x86/kernel/trampoline_32.S 2011-11-08 19:02:43.000000000 -0500
18659+++ linux-2.6.32.48/arch/x86/kernel/trampoline_32.S 2011-11-15 19:59:43.000000000 -0500
18660@@ -32,6 +32,12 @@
18661 #include <asm/segment.h>
18662 #include <asm/page_types.h>
18663
18664+#ifdef CONFIG_PAX_KERNEXEC
18665+#define ta(X) (X)
18666+#else
18667+#define ta(X) ((X) - __PAGE_OFFSET)
18668+#endif
18669+
18670 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
18671 __CPUINITRODATA
18672 .code16
18673@@ -60,7 +66,7 @@ r_base = .
18674 inc %ax # protected mode (PE) bit
18675 lmsw %ax # into protected mode
18676 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
18677- ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
18678+ ljmpl $__BOOT_CS, $ta(startup_32_smp)
18679
18680 # These need to be in the same 64K segment as the above;
18681 # hence we don't use the boot_gdt_descr defined in head.S
18682diff -urNp linux-2.6.32.48/arch/x86/kernel/trampoline_64.S linux-2.6.32.48/arch/x86/kernel/trampoline_64.S
18683--- linux-2.6.32.48/arch/x86/kernel/trampoline_64.S 2011-11-08 19:02:43.000000000 -0500
18684+++ linux-2.6.32.48/arch/x86/kernel/trampoline_64.S 2011-11-15 19:59:43.000000000 -0500
18685@@ -91,7 +91,7 @@ startup_32:
18686 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
18687 movl %eax, %ds
18688
18689- movl $X86_CR4_PAE, %eax
18690+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
18691 movl %eax, %cr4 # Enable PAE mode
18692
18693 # Setup trampoline 4 level pagetables
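Review bot: The comment on the following context line, `# Enable PAE mode`, is stale, because the changed `movl` now loads `X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE` into %cr4. Update it to say what is actually being set, e.g. `# Enable PSE, PAE and PGE`. The reason the secondary CPU needs PSE and PGE this early is not given; one sentence on that would help whoever next touches the trampoline page tables.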
18694@@ -127,7 +127,7 @@ startup_64:
18695 no_longmode:
18696 hlt
18697 jmp no_longmode
18698-#include "verify_cpu_64.S"
18699+#include "verify_cpu.S"
18700
18701 # Careful these need to be in the same 64K segment as the above;
18702 tidt:
18703@@ -138,7 +138,7 @@ tidt:
18704 # so the kernel can live anywhere
18705 .balign 4
18706 tgdt:
18707- .short tgdt_end - tgdt # gdt limit
18708+ .short tgdt_end - tgdt - 1 # gdt limit
18709 .long tgdt - r_base
18710 .short 0
18711 .quad 0x00cf9b000000ffff # __KERNEL32_CS
18712diff -urNp linux-2.6.32.48/arch/x86/kernel/traps.c linux-2.6.32.48/arch/x86/kernel/traps.c
18713--- linux-2.6.32.48/arch/x86/kernel/traps.c 2011-11-08 19:02:43.000000000 -0500
18714+++ linux-2.6.32.48/arch/x86/kernel/traps.c 2011-11-15 19:59:43.000000000 -0500
18715@@ -69,12 +69,6 @@ asmlinkage int system_call(void);
18716
18717 /* Do we ignore FPU interrupts ? */
18718 char ignore_fpu_irq;
18719-
18720-/*
18721- * The IDT has to be page-aligned to simplify the Pentium
18722- * F0 0F bug workaround.
18723- */
18724-gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
18725 #endif
18726
18727 DECLARE_BITMAP(used_vectors, NR_VECTORS);
18728@@ -112,19 +106,19 @@ static inline void preempt_conditional_c
18729 static inline void
18730 die_if_kernel(const char *str, struct pt_regs *regs, long err)
18731 {
18732- if (!user_mode_vm(regs))
18733+ if (!user_mode(regs))
18734 die(str, regs, err);
18735 }
18736 #endif
18737
18738 static void __kprobes
18739-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
18740+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
18741 long error_code, siginfo_t *info)
18742 {
18743 struct task_struct *tsk = current;
18744
18745 #ifdef CONFIG_X86_32
18746- if (regs->flags & X86_VM_MASK) {
18747+ if (v8086_mode(regs)) {
18748 /*
18749 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
18750 * On nmi (interrupt 2), do_trap should not be called.
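Review bot: `user_mode()` changes meaning in this file without any marker at the call sites. die_if_kernel now calls `user_mode(regs)` where it called `user_mode_vm(regs)`, while the next hunk and do_general_protection replace `user_mode(regs)` with `user_mode_novm(regs)`. The definitions are not in this file, but the pattern suggests the vm86-aware test has taken over the short name. Code later merged from upstream that calls `user_mode()` will then compile cleanly and silently use the other test. A comment at the converted sites, e.g. `/* user_mode() is the vm86-aware check in this tree; use user_mode_novm() for the plain CPL test */`, would make the swap visible in review.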
18751@@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
18752 }
18753 #endif
18754
18755- if (!user_mode(regs))
18756+ if (!user_mode_novm(regs))
18757 goto kernel_trap;
18758
18759 #ifdef CONFIG_X86_32
18760@@ -158,7 +152,7 @@ trap_signal:
18761 printk_ratelimit()) {
18762 printk(KERN_INFO
18763 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
18764- tsk->comm, tsk->pid, str,
18765+ tsk->comm, task_pid_nr(tsk), str,
18766 regs->ip, regs->sp, error_code);
18767 print_vma_addr(" in ", regs->ip);
18768 printk("\n");
18769@@ -175,8 +169,20 @@ kernel_trap:
18770 if (!fixup_exception(regs)) {
18771 tsk->thread.error_code = error_code;
18772 tsk->thread.trap_no = trapnr;
18773+
18774+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18775+ if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
18776+ str = "PAX: suspicious stack segment fault";
18777+#endif
18778+
18779 die(str, regs, error_code);
18780 }
18781+
18782+#ifdef CONFIG_PAX_REFCOUNT
18783+ if (trapnr == 4)
18784+ pax_report_refcount_overflow(regs);
18785+#endif
18786+
18787 return;
18788
18789 #ifdef CONFIG_X86_32
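Review bot: The two new tests use bare vector numbers, `trapnr == 12` and `trapnr == 4`, and do not say which exceptions they are or why those vectors are special. Add comments such as `/* 12: stack segment fault taken in kernel code */` and `/* 4: overflow trap, raised by the refcount overflow check */` (the second is inferred from the callee's name). Note also that `pax_report_refcount_overflow(regs)` sits after the `if (!fixup_exception(regs))` block, so it is reached when the fixup succeeded. If that ordering is intentional, the comment should say so. The kernel_trap label's code continues outside the hunk.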
18790@@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
18791 conditional_sti(regs);
18792
18793 #ifdef CONFIG_X86_32
18794- if (regs->flags & X86_VM_MASK)
18795+ if (v8086_mode(regs))
18796 goto gp_in_vm86;
18797 #endif
18798
18799 tsk = current;
18800- if (!user_mode(regs))
18801+ if (!user_mode_novm(regs))
18802 goto gp_in_kernel;
18803
18804+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18805+ if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
18806+ struct mm_struct *mm = tsk->mm;
18807+ unsigned long limit;
18808+
18809+ down_write(&mm->mmap_sem);
18810+ limit = mm->context.user_cs_limit;
18811+ if (limit < TASK_SIZE) {
18812+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
18813+ up_write(&mm->mmap_sem);
18814+ return;
18815+ }
18816+ up_write(&mm->mmap_sem);
18817+ }
18818+#endif
18819+
18820 tsk->thread.error_code = error_code;
18821 tsk->thread.trap_no = 13;
18822
18823@@ -305,6 +327,13 @@ gp_in_kernel:
18824 if (notify_die(DIE_GPF, "general protection fault", regs,
18825 error_code, 13, SIGSEGV) == NOTIFY_STOP)
18826 return;
18827+
18828+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18829+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
18830+ die("PAX: suspicious general protection fault", regs, error_code);
18831+ else
18832+#endif
18833+
18834 die("general protection fault", regs, error_code);
18835 }
18836
18837@@ -435,6 +464,17 @@ static notrace __kprobes void default_do
18838 dotraplinkage notrace __kprobes void
18839 do_nmi(struct pt_regs *regs, long error_code)
18840 {
18841+
18842+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
18843+ if (!user_mode(regs)) {
18844+ unsigned long cs = regs->cs & 0xFFFF;
18845+ unsigned long ip = ktva_ktla(regs->ip);
18846+
18847+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
18848+ regs->ip = ip;
18849+ }
18850+#endif
18851+
18852 nmi_enter();
18853
18854 inc_irq_stat(__nmi_count);
18855@@ -558,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
18856 }
18857
18858 #ifdef CONFIG_X86_32
18859- if (regs->flags & X86_VM_MASK)
18860+ if (v8086_mode(regs))
18861 goto debug_vm86;
18862 #endif
18863
18864@@ -570,7 +610,7 @@ dotraplinkage void __kprobes do_debug(st
18865 * kernel space (but re-enable TF when returning to user mode).
18866 */
18867 if (condition & DR_STEP) {
18868- if (!user_mode(regs))
18869+ if (!user_mode_novm(regs))
18870 goto clear_TF_reenable;
18871 }
18872
18873@@ -757,7 +797,7 @@ do_simd_coprocessor_error(struct pt_regs
18874 * Handle strange cache flush from user space exception
18875 * in all other cases. This is undocumented behaviour.
18876 */
18877- if (regs->flags & X86_VM_MASK) {
18878+ if (v8086_mode(regs)) {
18879 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
18880 return;
18881 }
18882@@ -798,7 +838,7 @@ asmlinkage void __attribute__((weak)) sm
18883 void __math_state_restore(void)
18884 {
18885 struct thread_info *thread = current_thread_info();
18886- struct task_struct *tsk = thread->task;
18887+ struct task_struct *tsk = current;
18888
18889 /*
18890 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
18891@@ -825,8 +865,7 @@ void __math_state_restore(void)
18892 */
18893 asmlinkage void math_state_restore(void)
18894 {
18895- struct thread_info *thread = current_thread_info();
18896- struct task_struct *tsk = thread->task;
18897+ struct task_struct *tsk = current;
18898
18899 if (!tsk_used_math(tsk)) {
18900 local_irq_enable();
18901diff -urNp linux-2.6.32.48/arch/x86/kernel/verify_cpu_64.S linux-2.6.32.48/arch/x86/kernel/verify_cpu_64.S
18902--- linux-2.6.32.48/arch/x86/kernel/verify_cpu_64.S 2011-11-08 19:02:43.000000000 -0500
18903+++ linux-2.6.32.48/arch/x86/kernel/verify_cpu_64.S 1969-12-31 19:00:00.000000000 -0500
18904@@ -1,105 +0,0 @@
18905-/*
18906- *
18907- * verify_cpu.S - Code for cpu long mode and SSE verification. This
18908- * code has been borrowed from boot/setup.S and was introduced by
18909- * Andi Kleen.
18910- *
18911- * Copyright (c) 2007 Andi Kleen (ak@suse.de)
18912- * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
18913- * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
18914- *
18915- * This source code is licensed under the GNU General Public License,
18916- * Version 2. See the file COPYING for more details.
18917- *
18918- * This is a common code for verification whether CPU supports
18919- * long mode and SSE or not. It is not called directly instead this
18920- * file is included at various places and compiled in that context.
18921- * Following are the current usage.
18922- *
18923- * This file is included by both 16bit and 32bit code.
18924- *
18925- * arch/x86_64/boot/setup.S : Boot cpu verification (16bit)
18926- * arch/x86_64/boot/compressed/head.S: Boot cpu verification (32bit)
18927- * arch/x86_64/kernel/trampoline.S: secondary processor verfication (16bit)
18928- * arch/x86_64/kernel/acpi/wakeup.S:Verfication at resume (16bit)
18929- *
18930- * verify_cpu, returns the status of cpu check in register %eax.
18931- * 0: Success 1: Failure
18932- *
18933- * The caller needs to check for the error code and take the action
18934- * appropriately. Either display a message or halt.
18935- */
18936-
18937-#include <asm/cpufeature.h>
18938-
18939-verify_cpu:
18940- pushfl # Save caller passed flags
18941- pushl $0 # Kill any dangerous flags
18942- popfl
18943-
18944- pushfl # standard way to check for cpuid
18945- popl %eax
18946- movl %eax,%ebx
18947- xorl $0x200000,%eax
18948- pushl %eax
18949- popfl
18950- pushfl
18951- popl %eax
18952- cmpl %eax,%ebx
18953- jz verify_cpu_no_longmode # cpu has no cpuid
18954-
18955- movl $0x0,%eax # See if cpuid 1 is implemented
18956- cpuid
18957- cmpl $0x1,%eax
18958- jb verify_cpu_no_longmode # no cpuid 1
18959-
18960- xor %di,%di
18961- cmpl $0x68747541,%ebx # AuthenticAMD
18962- jnz verify_cpu_noamd
18963- cmpl $0x69746e65,%edx
18964- jnz verify_cpu_noamd
18965- cmpl $0x444d4163,%ecx
18966- jnz verify_cpu_noamd
18967- mov $1,%di # cpu is from AMD
18968-
18969-verify_cpu_noamd:
18970- movl $0x1,%eax # Does the cpu have what it takes
18971- cpuid
18972- andl $REQUIRED_MASK0,%edx
18973- xorl $REQUIRED_MASK0,%edx
18974- jnz verify_cpu_no_longmode
18975-
18976- movl $0x80000000,%eax # See if extended cpuid is implemented
18977- cpuid
18978- cmpl $0x80000001,%eax
18979- jb verify_cpu_no_longmode # no extended cpuid
18980-
18981- movl $0x80000001,%eax # Does the cpu have what it takes
18982- cpuid
18983- andl $REQUIRED_MASK1,%edx
18984- xorl $REQUIRED_MASK1,%edx
18985- jnz verify_cpu_no_longmode
18986-
18987-verify_cpu_sse_test:
18988- movl $1,%eax
18989- cpuid
18990- andl $SSE_MASK,%edx
18991- cmpl $SSE_MASK,%edx
18992- je verify_cpu_sse_ok
18993- test %di,%di
18994- jz verify_cpu_no_longmode # only try to force SSE on AMD
18995- movl $0xc0010015,%ecx # HWCR
18996- rdmsr
18997- btr $15,%eax # enable SSE
18998- wrmsr
18999- xor %di,%di # don't loop
19000- jmp verify_cpu_sse_test # try again
19001-
19002-verify_cpu_no_longmode:
19003- popfl # Restore caller passed flags
19004- movl $1,%eax
19005- ret
19006-verify_cpu_sse_ok:
19007- popfl # Restore caller passed flags
19008- xorl %eax, %eax
19009- ret
19010diff -urNp linux-2.6.32.48/arch/x86/kernel/verify_cpu.S linux-2.6.32.48/arch/x86/kernel/verify_cpu.S
19011--- linux-2.6.32.48/arch/x86/kernel/verify_cpu.S 1969-12-31 19:00:00.000000000 -0500
19012+++ linux-2.6.32.48/arch/x86/kernel/verify_cpu.S 2011-11-15 19:59:43.000000000 -0500
19013@@ -0,0 +1,140 @@
19014+/*
19015+ *
19016+ * verify_cpu.S - Code for cpu long mode and SSE verification. This
19017+ * code has been borrowed from boot/setup.S and was introduced by
19018+ * Andi Kleen.
19019+ *
19020+ * Copyright (c) 2007 Andi Kleen (ak@suse.de)
19021+ * Copyright (c) 2007 Eric Biederman (ebiederm@xmission.com)
19022+ * Copyright (c) 2007 Vivek Goyal (vgoyal@in.ibm.com)
19023+ * Copyright (c) 2010 Kees Cook (kees.cook@canonical.com)
19024+ *
19025+ * This source code is licensed under the GNU General Public License,
19026+ * Version 2. See the file COPYING for more details.
19027+ *
19028+ * This is a common code for verification whether CPU supports
19029+ * long mode and SSE or not. It is not called directly instead this
19030+ * file is included at various places and compiled in that context.
19031+ * This file is expected to run in 32bit code. Currently:
19032+ *
19033+ * arch/x86/boot/compressed/head_64.S: Boot cpu verification
19034+ * arch/x86/kernel/trampoline_64.S: secondary processor verification
19035+ * arch/x86/kernel/head_32.S: processor startup
19036+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
19037+ *
19038+ * verify_cpu, returns the status of longmode and SSE in register %eax.
19039+ * 0: Success 1: Failure
19040+ *
19041+ * On Intel, the XD_DISABLE flag will be cleared as a side-effect.
19042+ *
19043+ * The caller needs to check for the error code and take the action
19044+ * appropriately. Either display a message or halt.
19045+ */
19046+
19047+#include <asm/cpufeature.h>
19048+#include <asm/msr-index.h>
19049+
19050+verify_cpu:
19051+ pushfl # Save caller passed flags
19052+ pushl $0 # Kill any dangerous flags
19053+ popfl
19054+
19055+ pushfl # standard way to check for cpuid
19056+ popl %eax
19057+ movl %eax,%ebx
19058+ xorl $0x200000,%eax
19059+ pushl %eax
19060+ popfl
19061+ pushfl
19062+ popl %eax
19063+ cmpl %eax,%ebx
19064+ jz verify_cpu_no_longmode # cpu has no cpuid
19065+
19066+ movl $0x0,%eax # See if cpuid 1 is implemented
19067+ cpuid
19068+ cmpl $0x1,%eax
19069+ jb verify_cpu_no_longmode # no cpuid 1
19070+
19071+ xor %di,%di
19072+ cmpl $0x68747541,%ebx # AuthenticAMD
19073+ jnz verify_cpu_noamd
19074+ cmpl $0x69746e65,%edx
19075+ jnz verify_cpu_noamd
19076+ cmpl $0x444d4163,%ecx
19077+ jnz verify_cpu_noamd
19078+ mov $1,%di # cpu is from AMD
19079+ jmp verify_cpu_check
19080+
19081+verify_cpu_noamd:
19082+ cmpl $0x756e6547,%ebx # GenuineIntel?
19083+ jnz verify_cpu_check
19084+ cmpl $0x49656e69,%edx
19085+ jnz verify_cpu_check
19086+ cmpl $0x6c65746e,%ecx
19087+ jnz verify_cpu_check
19088+
19089+ # only call IA32_MISC_ENABLE when:
19090+ # family > 6 || (family == 6 && model >= 0xd)
19091+ movl $0x1, %eax # check CPU family and model
19092+ cpuid
19093+ movl %eax, %ecx
19094+
19095+ andl $0x0ff00f00, %eax # mask family and extended family
19096+ shrl $8, %eax
19097+ cmpl $6, %eax
19098+ ja verify_cpu_clear_xd # family > 6, ok
19099+ jb verify_cpu_check # family < 6, skip
19100+
19101+ andl $0x000f00f0, %ecx # mask model and extended model
19102+ shrl $4, %ecx
19103+ cmpl $0xd, %ecx
19104+ jb verify_cpu_check # family == 6, model < 0xd, skip
19105+
19106+verify_cpu_clear_xd:
19107+ movl $MSR_IA32_MISC_ENABLE, %ecx
19108+ rdmsr
19109+ btrl $2, %edx # clear MSR_IA32_MISC_ENABLE_XD_DISABLE
19110+ jnc verify_cpu_check # only write MSR if bit was changed
19111+ wrmsr
19112+
19113+verify_cpu_check:
19114+ movl $0x1,%eax # Does the cpu have what it takes
19115+ cpuid
19116+ andl $REQUIRED_MASK0,%edx
19117+ xorl $REQUIRED_MASK0,%edx
19118+ jnz verify_cpu_no_longmode
19119+
19120+ movl $0x80000000,%eax # See if extended cpuid is implemented
19121+ cpuid
19122+ cmpl $0x80000001,%eax
19123+ jb verify_cpu_no_longmode # no extended cpuid
19124+
19125+ movl $0x80000001,%eax # Does the cpu have what it takes
19126+ cpuid
19127+ andl $REQUIRED_MASK1,%edx
19128+ xorl $REQUIRED_MASK1,%edx
19129+ jnz verify_cpu_no_longmode
19130+
19131+verify_cpu_sse_test:
19132+ movl $1,%eax
19133+ cpuid
19134+ andl $SSE_MASK,%edx
19135+ cmpl $SSE_MASK,%edx
19136+ je verify_cpu_sse_ok
19137+ test %di,%di
19138+ jz verify_cpu_no_longmode # only try to force SSE on AMD
19139+ movl $MSR_K7_HWCR,%ecx
19140+ rdmsr
19141+ btr $15,%eax # enable SSE
19142+ wrmsr
19143+ xor %di,%di # don't loop
19144+ jmp verify_cpu_sse_test # try again
19145+
19146+verify_cpu_no_longmode:
19147+ popfl # Restore caller passed flags
19148+ movl $1,%eax
19149+ ret
19150+verify_cpu_sse_ok:
19151+ popfl # Restore caller passed flags
19152+ xorl %eax, %eax
19153+ ret
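Review bot: The header comment lists the Intel XD_DISABLE side effect but omits the AMD one: when the SSE bits are missing, `verify_cpu_sse_test` clears bit 15 of `MSR_K7_HWCR` and retries. It also does not say which registers are overwritten; the visible code writes %eax, %ebx, %ecx, %edx and %di. Because this file is textually included into several boot paths, I would add to the header `On AMD, bit 15 of MSR_K7_HWCR may be cleared to enable SSE.` and `Clobbers %eax, %ebx, %ecx, %edx and %di.`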
19154diff -urNp linux-2.6.32.48/arch/x86/kernel/vm86_32.c linux-2.6.32.48/arch/x86/kernel/vm86_32.c
19155--- linux-2.6.32.48/arch/x86/kernel/vm86_32.c 2011-11-08 19:02:43.000000000 -0500
19156+++ linux-2.6.32.48/arch/x86/kernel/vm86_32.c 2011-11-15 19:59:43.000000000 -0500
19157@@ -41,6 +41,7 @@
19158 #include <linux/ptrace.h>
19159 #include <linux/audit.h>
19160 #include <linux/stddef.h>
19161+#include <linux/grsecurity.h>
19162
19163 #include <asm/uaccess.h>
19164 #include <asm/io.h>
19165@@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
19166 do_exit(SIGSEGV);
19167 }
19168
19169- tss = &per_cpu(init_tss, get_cpu());
19170+ tss = init_tss + get_cpu();
19171 current->thread.sp0 = current->thread.saved_sp0;
19172 current->thread.sysenter_cs = __KERNEL_CS;
19173 load_sp0(tss, &current->thread);
19174@@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
19175 struct task_struct *tsk;
19176 int tmp, ret = -EPERM;
19177
19178+#ifdef CONFIG_GRKERNSEC_VM86
19179+ if (!capable(CAP_SYS_RAWIO)) {
19180+ gr_handle_vm86();
19181+ goto out;
19182+ }
19183+#endif
19184+
19185 tsk = current;
19186 if (tsk->thread.saved_sp0)
19187 goto out;
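Review bot: The early exit added to `sys_vm86old` returns the right error only because `ret` happens to be initialised to `-EPERM` in the declaration just above, whereas the same gate in `sys_vm86` (next hunk) sets `ret = -EPERM;` explicitly. I would set it explicitly here as well, so the denial does not silently change if the initialiser is ever edited. A one-line comment in both places, such as `/* vm86 is limited to CAP_SYS_RAWIO when GRKERNSEC_VM86 is enabled */`, would record why the capability check exists. Both function bodies continue outside their hunks.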
19188@@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
19189 int tmp, ret;
19190 struct vm86plus_struct __user *v86;
19191
19192+#ifdef CONFIG_GRKERNSEC_VM86
19193+ if (!capable(CAP_SYS_RAWIO)) {
19194+ gr_handle_vm86();
19195+ ret = -EPERM;
19196+ goto out;
19197+ }
19198+#endif
19199+
19200 tsk = current;
19201 switch (regs->bx) {
19202 case VM86_REQUEST_IRQ:
19203@@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
19204 tsk->thread.saved_fs = info->regs32->fs;
19205 tsk->thread.saved_gs = get_user_gs(info->regs32);
19206
19207- tss = &per_cpu(init_tss, get_cpu());
19208+ tss = init_tss + get_cpu();
19209 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
19210 if (cpu_has_sep)
19211 tsk->thread.sysenter_cs = 0;
19212@@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
19213 goto cannot_handle;
19214 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
19215 goto cannot_handle;
19216- intr_ptr = (unsigned long __user *) (i << 2);
19217+ intr_ptr = (__force unsigned long __user *) (i << 2);
19218 if (get_user(segoffs, intr_ptr))
19219 goto cannot_handle;
19220 if ((segoffs >> 16) == BIOSSEG)
19221diff -urNp linux-2.6.32.48/arch/x86/kernel/vmi_32.c linux-2.6.32.48/arch/x86/kernel/vmi_32.c
19222--- linux-2.6.32.48/arch/x86/kernel/vmi_32.c 2011-11-08 19:02:43.000000000 -0500
19223+++ linux-2.6.32.48/arch/x86/kernel/vmi_32.c 2011-11-15 19:59:43.000000000 -0500
19224@@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
19225 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
19226
19227 #define call_vrom_func(rom,func) \
19228- (((VROMFUNC *)(rom->func))())
19229+ (((VROMFUNC *)(ktva_ktla(rom.func)))())
19230
19231 #define call_vrom_long_func(rom,func,arg) \
19232- (((VROMLONGFUNC *)(rom->func)) (arg))
19233+({\
19234+ u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
19235+ struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
19236+ __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
19237+ __reloc;\
19238+})
19239
19240-static struct vrom_header *vmi_rom;
19241+static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
19242 static int disable_pge;
19243 static int disable_pse;
19244 static int disable_sep;
19245@@ -76,10 +81,10 @@ static struct {
19246 void (*set_initial_ap_state)(int, int);
19247 void (*halt)(void);
19248 void (*set_lazy_mode)(int mode);
19249-} vmi_ops;
19250+} __no_const vmi_ops __read_only;
19251
19252 /* Cached VMI operations */
19253-struct vmi_timer_ops vmi_timer_ops;
19254+struct vmi_timer_ops vmi_timer_ops __read_only;
19255
19256 /*
19257 * VMI patching routines.
19258@@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
19259 static inline void patch_offset(void *insnbuf,
19260 unsigned long ip, unsigned long dest)
19261 {
19262- *(unsigned long *)(insnbuf+1) = dest-ip-5;
19263+ *(unsigned long *)(insnbuf+1) = dest-ip-5;
19264 }
19265
19266 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
19267@@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
19268 {
19269 u64 reloc;
19270 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
19271+
19272 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
19273 switch(rel->type) {
19274 case VMI_RELOCATION_CALL_REL:
19275@@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
19276
19277 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
19278 {
19279- const pte_t pte = { .pte = 0 };
19280+ const pte_t pte = __pte(0ULL);
19281 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
19282 }
19283
19284 static void vmi_pmd_clear(pmd_t *pmd)
19285 {
19286- const pte_t pte = { .pte = 0 };
19287+ const pte_t pte = __pte(0ULL);
19288 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
19289 }
19290 #endif
19291@@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
19292 ap.ss = __KERNEL_DS;
19293 ap.esp = (unsigned long) start_esp;
19294
19295- ap.ds = __USER_DS;
19296- ap.es = __USER_DS;
19297+ ap.ds = __KERNEL_DS;
19298+ ap.es = __KERNEL_DS;
19299 ap.fs = __KERNEL_PERCPU;
19300- ap.gs = __KERNEL_STACK_CANARY;
19301+ savesegment(gs, ap.gs);
19302
19303 ap.eflags = 0;
19304
19305@@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
19306 paravirt_leave_lazy_mmu();
19307 }
19308
19309+#ifdef CONFIG_PAX_KERNEXEC
19310+static unsigned long vmi_pax_open_kernel(void)
19311+{
19312+ return 0;
19313+}
19314+
19315+static unsigned long vmi_pax_close_kernel(void)
19316+{
19317+ return 0;
19318+}
19319+#endif
19320+
19321 static inline int __init check_vmi_rom(struct vrom_header *rom)
19322 {
19323 struct pci_header *pci;
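Review bot: `vmi_pax_open_kernel` and `vmi_pax_close_kernel` both just `return 0;` and carry no comment, so a reader cannot tell whether skipping the KERNEXEC open/close step under VMI is deliberate or a placeholder. Other hunks on this page (`reload_tss` in svm.c and vmx.c) call `pax_open_kernel()` before writing protected data, so the no-op deserves a line such as `/* VMI: intentionally a no-op because <reason> */` above each stub. The hunk ends inside `check_vmi_rom`, which is unrelated to this point.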
19324@@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
19325 return 0;
19326 if (rom->vrom_signature != VMI_SIGNATURE)
19327 return 0;
19328+ if (rom->rom_length * 512 > sizeof(*rom)) {
19329+ printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
19330+ return 0;
19331+ }
19332 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
19333 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
19334 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
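Review bot: The added `rom->rom_length * 512 > sizeof(*rom)` test has no comment tying it to what it protects. `probe_vmi_rom` later in this file now copies the header with `vmi_rom = *romstart`, so the bound presumably rejects a ROM whose declared length would not fit in that fixed-size copy; a line such as `/* the ROM is used from the static vmi_rom copy; refuse images larger than that copy */` would record the intent. The warning also uses a `PAX: VMI:` prefix while the neighbouring message uses `VMI:`, so log filtering on one prefix misses the other. `check_vmi_rom` starts and ends outside this hunk.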
19335@@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
19336 struct vrom_header *romstart;
19337 romstart = (struct vrom_header *)isa_bus_to_virt(base);
19338 if (check_vmi_rom(romstart)) {
19339- vmi_rom = romstart;
19340+ vmi_rom = *romstart;
19341 return 1;
19342 }
19343 }
19344@@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
19345
19346 para_fill(pv_irq_ops.safe_halt, Halt);
19347
19348+#ifdef CONFIG_PAX_KERNEXEC
19349+ pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
19350+ pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
19351+#endif
19352+
19353 /*
19354 * Alternative instruction rewriting doesn't happen soon enough
19355 * to convert VMI_IRET to a call instead of a jump; so we have
19356@@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
19357
19358 void __init vmi_init(void)
19359 {
19360- if (!vmi_rom)
19361+ if (!vmi_rom.rom_signature)
19362 probe_vmi_rom();
19363 else
19364- check_vmi_rom(vmi_rom);
19365+ check_vmi_rom(&vmi_rom);
19366
19367 /* In case probing for or validating the ROM failed, basil */
19368- if (!vmi_rom)
19369+ if (!vmi_rom.rom_signature)
19370 return;
19371
19372- reserve_top_address(-vmi_rom->virtual_top);
19373+ reserve_top_address(-vmi_rom.virtual_top);
19374
19375 #ifdef CONFIG_X86_IO_APIC
19376 /* This is virtual hardware; timer routing is wired correctly */
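Review bot: In `vmi_init` the `else` branch calls `check_vmi_rom(&vmi_rom)` and discards the result, so the following `if (!vmi_rom.rom_signature) return;` cannot catch the "validating the ROM failed" case that the comment above it names. The pre-patch pointer version ignored the result in the same way, but now that the sentinel is a struct field it is simple to clear on failure: `else if (!check_vmi_rom(&vmi_rom)) vmi_rom.rom_signature = 0;`. This assumes `vmi_rom` is still writable at this point, as the assignment in `probe_vmi_rom` suggests. The function continues outside the hunk.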
19377@@ -874,7 +901,7 @@ void __init vmi_activate(void)
19378 {
19379 unsigned long flags;
19380
19381- if (!vmi_rom)
19382+ if (!vmi_rom.rom_signature)
19383 return;
19384
19385 local_irq_save(flags);
19386diff -urNp linux-2.6.32.48/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.48/arch/x86/kernel/vmlinux.lds.S
19387--- linux-2.6.32.48/arch/x86/kernel/vmlinux.lds.S 2011-11-08 19:02:43.000000000 -0500
19388+++ linux-2.6.32.48/arch/x86/kernel/vmlinux.lds.S 2011-11-15 19:59:43.000000000 -0500
19389@@ -26,6 +26,13 @@
19390 #include <asm/page_types.h>
19391 #include <asm/cache.h>
19392 #include <asm/boot.h>
19393+#include <asm/segment.h>
19394+
19395+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19396+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
19397+#else
19398+#define __KERNEL_TEXT_OFFSET 0
19399+#endif
19400
19401 #undef i386 /* in case the preprocessor is a 32bit one */
19402
19403@@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
19404 #ifdef CONFIG_X86_32
19405 OUTPUT_ARCH(i386)
19406 ENTRY(phys_startup_32)
19407-jiffies = jiffies_64;
19408 #else
19409 OUTPUT_ARCH(i386:x86-64)
19410 ENTRY(phys_startup_64)
19411-jiffies_64 = jiffies;
19412 #endif
19413
19414 PHDRS {
19415 text PT_LOAD FLAGS(5); /* R_E */
19416- data PT_LOAD FLAGS(7); /* RWE */
19417+#ifdef CONFIG_X86_32
19418+ module PT_LOAD FLAGS(5); /* R_E */
19419+#endif
19420+#ifdef CONFIG_XEN
19421+ rodata PT_LOAD FLAGS(5); /* R_E */
19422+#else
19423+ rodata PT_LOAD FLAGS(4); /* R__ */
19424+#endif
19425+ data PT_LOAD FLAGS(6); /* RW_ */
19426 #ifdef CONFIG_X86_64
19427 user PT_LOAD FLAGS(5); /* R_E */
19428+#endif
19429+ init.begin PT_LOAD FLAGS(6); /* RW_ */
19430 #ifdef CONFIG_SMP
19431 percpu PT_LOAD FLAGS(6); /* RW_ */
19432 #endif
19433+ text.init PT_LOAD FLAGS(5); /* R_E */
19434+ text.exit PT_LOAD FLAGS(5); /* R_E */
19435 init PT_LOAD FLAGS(7); /* RWE */
19436-#endif
19437 note PT_NOTE FLAGS(0); /* ___ */
19438 }
19439
19440 SECTIONS
19441 {
19442 #ifdef CONFIG_X86_32
19443- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
19444- phys_startup_32 = startup_32 - LOAD_OFFSET;
19445+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
19446 #else
19447- . = __START_KERNEL;
19448- phys_startup_64 = startup_64 - LOAD_OFFSET;
19449+ . = __START_KERNEL;
19450 #endif
19451
19452 /* Text and read-only data */
19453- .text : AT(ADDR(.text) - LOAD_OFFSET) {
19454- _text = .;
19455+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19456 /* bootstrapping code */
19457+#ifdef CONFIG_X86_32
19458+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19459+#else
19460+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19461+#endif
19462+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
19463+ _text = .;
19464 HEAD_TEXT
19465 #ifdef CONFIG_X86_32
19466 . = ALIGN(PAGE_SIZE);
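Review bot: The new `rodata` program header is `FLAGS(5)` (R_E) under `CONFIG_XEN` and `FLAGS(4)` otherwise, with no comment saying why read-only data has to stay executable on Xen. In the same `PHDRS` block, `init` keeps `FLAGS(7)` (RWE) while `data` was tightened from 7 to 6, and that exception is not explained either. I would add a comment above the `#ifdef CONFIG_XEN`, e.g. `/* Xen: rodata stays executable because <reason> */`, and one beside `init` stating whether RWE is intentional. The `SECTIONS` block continues outside this hunk.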
19467@@ -82,28 +102,71 @@ SECTIONS
19468 IRQENTRY_TEXT
19469 *(.fixup)
19470 *(.gnu.warning)
19471- /* End of text section */
19472- _etext = .;
19473 } :text = 0x9090
19474
19475- NOTES :text :note
19476+ . += __KERNEL_TEXT_OFFSET;
19477+
19478+#ifdef CONFIG_X86_32
19479+ . = ALIGN(PAGE_SIZE);
19480+ .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
19481+ *(.vmi.rom)
19482+ } :module
19483+
19484+ . = ALIGN(PAGE_SIZE);
19485+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
19486+
19487+#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
19488+ MODULES_EXEC_VADDR = .;
19489+ BYTE(0)
19490+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
19491+ . = ALIGN(HPAGE_SIZE);
19492+ MODULES_EXEC_END = . - 1;
19493+#endif
19494+
19495+ } :module
19496+#endif
19497
19498- EXCEPTION_TABLE(16) :text = 0x9090
19499+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
19500+ /* End of text section */
19501+ _etext = . - __KERNEL_TEXT_OFFSET;
19502+ }
19503+
19504+#ifdef CONFIG_X86_32
19505+ . = ALIGN(PAGE_SIZE);
19506+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
19507+ *(.idt)
19508+ . = ALIGN(PAGE_SIZE);
19509+ *(.empty_zero_page)
19510+ *(.swapper_pg_fixmap)
19511+ *(.swapper_pg_pmd)
19512+ *(.swapper_pg_dir)
19513+ *(.trampoline_pg_dir)
19514+ } :rodata
19515+#endif
19516+
19517+ . = ALIGN(PAGE_SIZE);
19518+ NOTES :rodata :note
19519+
19520+ EXCEPTION_TABLE(16) :rodata
19521
19522 RO_DATA(PAGE_SIZE)
19523
19524 /* Data */
19525 .data : AT(ADDR(.data) - LOAD_OFFSET) {
19526+
19527+#ifdef CONFIG_PAX_KERNEXEC
19528+ . = ALIGN(HPAGE_SIZE);
19529+#else
19530+ . = ALIGN(PAGE_SIZE);
19531+#endif
19532+
19533 /* Start of data section */
19534 _sdata = .;
19535
19536 /* init_task */
19537 INIT_TASK_DATA(THREAD_SIZE)
19538
19539-#ifdef CONFIG_X86_32
19540- /* 32 bit has nosave before _edata */
19541 NOSAVE_DATA
19542-#endif
19543
19544 PAGE_ALIGNED_DATA(PAGE_SIZE)
19545
19546@@ -112,6 +175,8 @@ SECTIONS
19547 DATA_DATA
19548 CONSTRUCTORS
19549
19550+ jiffies = jiffies_64;
19551+
19552 /* rarely changed data like cpu maps */
19553 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
19554
19555@@ -166,12 +231,6 @@ SECTIONS
19556 }
19557 vgetcpu_mode = VVIRT(.vgetcpu_mode);
19558
19559- . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
19560- .jiffies : AT(VLOAD(.jiffies)) {
19561- *(.jiffies)
19562- }
19563- jiffies = VVIRT(.jiffies);
19564-
19565 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
19566 *(.vsyscall_3)
19567 }
19568@@ -187,12 +246,19 @@ SECTIONS
19569 #endif /* CONFIG_X86_64 */
19570
19571 /* Init code and data - will be freed after init */
19572- . = ALIGN(PAGE_SIZE);
19573 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
19574+ BYTE(0)
19575+
19576+#ifdef CONFIG_PAX_KERNEXEC
19577+ . = ALIGN(HPAGE_SIZE);
19578+#else
19579+ . = ALIGN(PAGE_SIZE);
19580+#endif
19581+
19582 __init_begin = .; /* paired with __init_end */
19583- }
19584+ } :init.begin
19585
19586-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
19587+#ifdef CONFIG_SMP
19588 /*
19589 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
19590 * output PHDR, so the next output section - .init.text - should
19591@@ -201,12 +267,27 @@ SECTIONS
19592 PERCPU_VADDR(0, :percpu)
19593 #endif
19594
19595- INIT_TEXT_SECTION(PAGE_SIZE)
19596-#ifdef CONFIG_X86_64
19597- :init
19598-#endif
19599+ . = ALIGN(PAGE_SIZE);
19600+ init_begin = .;
19601+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
19602+ VMLINUX_SYMBOL(_sinittext) = .;
19603+ INIT_TEXT
19604+ VMLINUX_SYMBOL(_einittext) = .;
19605+ . = ALIGN(PAGE_SIZE);
19606+ } :text.init
19607
19608- INIT_DATA_SECTION(16)
19609+ /*
19610+ * .exit.text is discard at runtime, not link time, to deal with
19611+ * references from .altinstructions and .eh_frame
19612+ */
19613+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
19614+ EXIT_TEXT
19615+ . = ALIGN(16);
19616+ } :text.exit
19617+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
19618+
19619+ . = ALIGN(PAGE_SIZE);
19620+ INIT_DATA_SECTION(16) :init
19621
19622 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
19623 __x86_cpu_dev_start = .;
19624@@ -232,19 +313,11 @@ SECTIONS
19625 *(.altinstr_replacement)
19626 }
19627
19628- /*
19629- * .exit.text is discard at runtime, not link time, to deal with
19630- * references from .altinstructions and .eh_frame
19631- */
19632- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
19633- EXIT_TEXT
19634- }
19635-
19636 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
19637 EXIT_DATA
19638 }
19639
19640-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
19641+#ifndef CONFIG_SMP
19642 PERCPU(PAGE_SIZE)
19643 #endif
19644
19645@@ -267,12 +340,6 @@ SECTIONS
19646 . = ALIGN(PAGE_SIZE);
19647 }
19648
19649-#ifdef CONFIG_X86_64
19650- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
19651- NOSAVE_DATA
19652- }
19653-#endif
19654-
19655 /* BSS */
19656 . = ALIGN(PAGE_SIZE);
19657 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
19658@@ -288,6 +355,7 @@ SECTIONS
19659 __brk_base = .;
19660 . += 64 * 1024; /* 64k alignment slop space */
19661 *(.brk_reservation) /* areas brk users have reserved */
19662+ . = ALIGN(HPAGE_SIZE);
19663 __brk_limit = .;
19664 }
19665
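Review bot: The added `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is unconditional, whereas the huge-page alignment this patch adds to `.data` and `.init.begin` is wrapped in `#ifdef CONFIG_PAX_KERNEXEC` with a `PAGE_SIZE` fallback. If the brk alignment is only needed for KERNEXEC it should use the same guard; if it is always needed, a comment such as `/* always huge-page aligned because <reason> */` would explain why non-KERNEXEC builds also take the padding. The enclosing output section starts outside this hunk.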
19666@@ -316,13 +384,12 @@ SECTIONS
19667 * for the boot processor.
19668 */
19669 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
19670-INIT_PER_CPU(gdt_page);
19671 INIT_PER_CPU(irq_stack_union);
19672
19673 /*
19674 * Build-time check on the image size:
19675 */
19676-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
19677+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
19678 "kernel image bigger than KERNEL_IMAGE_SIZE");
19679
19680 #ifdef CONFIG_SMP
19681diff -urNp linux-2.6.32.48/arch/x86/kernel/vsyscall_64.c linux-2.6.32.48/arch/x86/kernel/vsyscall_64.c
19682--- linux-2.6.32.48/arch/x86/kernel/vsyscall_64.c 2011-11-08 19:02:43.000000000 -0500
19683+++ linux-2.6.32.48/arch/x86/kernel/vsyscall_64.c 2011-11-15 19:59:43.000000000 -0500
19684@@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
19685
19686 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
19687 /* copy vsyscall data */
19688+ strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
19689 vsyscall_gtod_data.clock.vread = clock->vread;
19690 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
19691 vsyscall_gtod_data.clock.mask = clock->mask;
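Review bot: `sizeof vsyscall_gtod_data.clock.name` is a correct bound for `strlcpy` only if `name` is declared as a `char` array; the declaration is outside this hunk, and with a pointer member the same line would compile and copy at most pointer-size bytes. A short comment on the line, `/* name is a fixed-size array; truncation is acceptable */`, or a build-time size check next to the declaration would make that dependency explicit. `strlcpy` also truncates silently, so a clock name longer than the destination will appear shortened to whoever reads this data. `update_vsyscall` continues outside the hunk.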
19692@@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
19693 We do this here because otherwise user space would do it on
19694 its own in a likely inferior way (no access to jiffies).
19695 If you don't like it pass NULL. */
19696- if (tcache && tcache->blob[0] == (j = __jiffies)) {
19697+ if (tcache && tcache->blob[0] == (j = jiffies)) {
19698 p = tcache->blob[1];
19699 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
19700 /* Load per CPU data from RDTSCP */
19701diff -urNp linux-2.6.32.48/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.48/arch/x86/kernel/x8664_ksyms_64.c
19702--- linux-2.6.32.48/arch/x86/kernel/x8664_ksyms_64.c 2011-11-08 19:02:43.000000000 -0500
19703+++ linux-2.6.32.48/arch/x86/kernel/x8664_ksyms_64.c 2011-11-15 19:59:43.000000000 -0500
19704@@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
19705
19706 EXPORT_SYMBOL(copy_user_generic);
19707 EXPORT_SYMBOL(__copy_user_nocache);
19708-EXPORT_SYMBOL(copy_from_user);
19709-EXPORT_SYMBOL(copy_to_user);
19710 EXPORT_SYMBOL(__copy_from_user_inatomic);
19711
19712 EXPORT_SYMBOL(copy_page);
19713diff -urNp linux-2.6.32.48/arch/x86/kernel/xsave.c linux-2.6.32.48/arch/x86/kernel/xsave.c
19714--- linux-2.6.32.48/arch/x86/kernel/xsave.c 2011-11-08 19:02:43.000000000 -0500
19715+++ linux-2.6.32.48/arch/x86/kernel/xsave.c 2011-11-15 19:59:43.000000000 -0500
19716@@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
19717 fx_sw_user->xstate_size > fx_sw_user->extended_size)
19718 return -1;
19719
19720- err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
19721+ err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
19722 fx_sw_user->extended_size -
19723 FP_XSTATE_MAGIC2_SIZE));
19724 /*
19725@@ -196,7 +196,7 @@ fx_only:
19726 * the other extended state.
19727 */
19728 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
19729- return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
19730+ return fxrstor_checking((struct i387_fxsave_struct __force_kernel *)buf);
19731 }
19732
19733 /*
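Review bot: The two call sites of `fxrstor_checking` now disagree on the pointer's address space: this one casts `buf` to `struct i387_fxsave_struct __force_kernel *`, while the one in `restore_i387_xstate` (next hunk) casts its `void __user *buf` to `struct i387_fxsave_struct __user *`. The prototype is outside this page, but it can match only one of them, so one site will either trip sparse or hide a real address-space mismatch. I would make both casts use whichever annotation the prototype carries, and keep a `__force` variant only where a user pointer is deliberately handed to a kernel-pointer parameter. The enclosing function starts outside this hunk.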
19734@@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
19735 if (task_thread_info(tsk)->status & TS_XSAVE)
19736 err = restore_user_xstate(buf);
19737 else
19738- err = fxrstor_checking((__force struct i387_fxsave_struct *)
19739+ err = fxrstor_checking((struct i387_fxsave_struct __user *)
19740 buf);
19741 if (unlikely(err)) {
19742 /*
19743diff -urNp linux-2.6.32.48/arch/x86/kvm/emulate.c linux-2.6.32.48/arch/x86/kvm/emulate.c
19744--- linux-2.6.32.48/arch/x86/kvm/emulate.c 2011-11-08 19:02:43.000000000 -0500
19745+++ linux-2.6.32.48/arch/x86/kvm/emulate.c 2011-11-15 19:59:43.000000000 -0500
19746@@ -81,8 +81,8 @@
19747 #define Src2CL (1<<29)
19748 #define Src2ImmByte (2<<29)
19749 #define Src2One (3<<29)
19750-#define Src2Imm16 (4<<29)
19751-#define Src2Mask (7<<29)
19752+#define Src2Imm16 (4U<<29)
19753+#define Src2Mask (7U<<29)
19754
19755 enum {
19756 Group1_80, Group1_81, Group1_82, Group1_83,
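Review bot: Only `Src2Imm16` and `Src2Mask` were made unsigned; `Src2CL`, `Src2ImmByte` and `Src2One`, which encode the same bit field, remain signed `int` constants. They do not overflow, but masking with the unsigned `Src2Mask` and then comparing against a signed constant mixes signedness within one field. Writing all of them with the suffix, e.g. `#define Src2One (3U<<29)`, keeps the group uniform.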
19757@@ -411,6 +411,7 @@ static u32 group2_table[] = {
19758
19759 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
19760 do { \
19761+ unsigned long _tmp; \
19762 __asm__ __volatile__ ( \
19763 _PRE_EFLAGS("0", "4", "2") \
19764 _op _suffix " %"_x"3,%1; " \
19765@@ -424,8 +425,6 @@ static u32 group2_table[] = {
19766 /* Raw emulation: instruction has two explicit operands. */
19767 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
19768 do { \
19769- unsigned long _tmp; \
19770- \
19771 switch ((_dst).bytes) { \
19772 case 2: \
19773 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
19774@@ -441,7 +440,6 @@ static u32 group2_table[] = {
19775
19776 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
19777 do { \
19778- unsigned long _tmp; \
19779 switch ((_dst).bytes) { \
19780 case 1: \
19781 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
19782diff -urNp linux-2.6.32.48/arch/x86/kvm/lapic.c linux-2.6.32.48/arch/x86/kvm/lapic.c
19783--- linux-2.6.32.48/arch/x86/kvm/lapic.c 2011-11-08 19:02:43.000000000 -0500
19784+++ linux-2.6.32.48/arch/x86/kvm/lapic.c 2011-11-15 19:59:43.000000000 -0500
19785@@ -52,7 +52,7 @@
19786 #define APIC_BUS_CYCLE_NS 1
19787
19788 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
19789-#define apic_debug(fmt, arg...)
19790+#define apic_debug(fmt, arg...) do {} while (0)
19791
19792 #define APIC_LVT_NUM 6
19793 /* 14 is the version for Xeon and Pentium 8.4.8*/
19794diff -urNp linux-2.6.32.48/arch/x86/kvm/paging_tmpl.h linux-2.6.32.48/arch/x86/kvm/paging_tmpl.h
19795--- linux-2.6.32.48/arch/x86/kvm/paging_tmpl.h 2011-11-08 19:02:43.000000000 -0500
19796+++ linux-2.6.32.48/arch/x86/kvm/paging_tmpl.h 2011-11-18 18:01:55.000000000 -0500
19797@@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
19798 int level = PT_PAGE_TABLE_LEVEL;
19799 unsigned long mmu_seq;
19800
19801+ pax_track_stack();
19802+
19803 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
19804 kvm_mmu_audit(vcpu, "pre page fault");
19805
19806@@ -461,6 +463,7 @@ static int FNAME(page_fault)(struct kvm_
19807 kvm_mmu_free_some_pages(vcpu);
19808 sptep = FNAME(fetch)(vcpu, addr, &walker, user_fault, write_fault,
19809 level, &write_pt, pfn);
19810+ (void)sptep;
19811 pgprintk("%s: shadow pte %p %llx ptwrite %d\n", __func__,
19812 sptep, *sptep, write_pt);
19813
19814diff -urNp linux-2.6.32.48/arch/x86/kvm/svm.c linux-2.6.32.48/arch/x86/kvm/svm.c
19815--- linux-2.6.32.48/arch/x86/kvm/svm.c 2011-11-08 19:02:43.000000000 -0500
19816+++ linux-2.6.32.48/arch/x86/kvm/svm.c 2011-11-15 19:59:43.000000000 -0500
19817@@ -2486,7 +2486,11 @@ static void reload_tss(struct kvm_vcpu *
19818 int cpu = raw_smp_processor_id();
19819
19820 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
19821+
19822+ pax_open_kernel();
19823 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
19824+ pax_close_kernel();
19825+
19826 load_TR_desc();
19827 }
19828
19829@@ -2947,7 +2951,7 @@ static bool svm_gb_page_enable(void)
19830 return true;
19831 }
19832
19833-static struct kvm_x86_ops svm_x86_ops = {
19834+static const struct kvm_x86_ops svm_x86_ops = {
19835 .cpu_has_kvm_support = has_svm,
19836 .disabled_by_bios = is_disabled,
19837 .hardware_setup = svm_hardware_setup,
19838diff -urNp linux-2.6.32.48/arch/x86/kvm/vmx.c linux-2.6.32.48/arch/x86/kvm/vmx.c
19839--- linux-2.6.32.48/arch/x86/kvm/vmx.c 2011-11-08 19:02:43.000000000 -0500
19840+++ linux-2.6.32.48/arch/x86/kvm/vmx.c 2011-11-15 19:59:43.000000000 -0500
19841@@ -570,7 +570,11 @@ static void reload_tss(void)
19842
19843 kvm_get_gdt(&gdt);
19844 descs = (void *)gdt.base;
19845+
19846+ pax_open_kernel();
19847 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
19848+ pax_close_kernel();
19849+
19850 load_TR_desc();
19851 }
19852
19853@@ -1410,8 +1414,11 @@ static __init int hardware_setup(void)
19854 if (!cpu_has_vmx_flexpriority())
19855 flexpriority_enabled = 0;
19856
19857- if (!cpu_has_vmx_tpr_shadow())
19858- kvm_x86_ops->update_cr8_intercept = NULL;
19859+ if (!cpu_has_vmx_tpr_shadow()) {
19860+ pax_open_kernel();
19861+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
19862+ pax_close_kernel();
19863+ }
19864
19865 if (enable_ept && !cpu_has_vmx_ept_2m_page())
19866 kvm_disable_largepages();
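Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` casts away the `const` this patch adds to `kvm_x86_ops`, and the table it would point at in this file, `vmx_x86_ops`, is itself changed to `static const` further down. Writing to an object defined `const` is undefined behaviour in C even when `pax_open_kernel()` makes the page writable, so the compiler may assume the member never changes. At minimum the line needs a comment such as `/* one-time init fixup of the read-only ops table */`; a cleaner shape would be to leave the table untouched and test `cpu_has_vmx_tpr_shadow()` at the point where the hook is invoked. `hardware_setup` continues outside the hunk.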
19867@@ -2362,7 +2369,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
19868 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
19869
19870 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
19871- vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
19872+ vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
19873 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
19874 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
19875 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
19876@@ -3718,6 +3725,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
19877 "jmp .Lkvm_vmx_return \n\t"
19878 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
19879 ".Lkvm_vmx_return: "
19880+
19881+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19882+ "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
19883+ ".Lkvm_vmx_return2: "
19884+#endif
19885+
19886 /* Save guest registers, load host registers, keep flags */
19887 "xchg %0, (%%"R"sp) \n\t"
19888 "mov %%"R"ax, %c[rax](%0) \n\t"
19889@@ -3764,8 +3777,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
19890 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
19891 #endif
19892 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
19893+
19894+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19895+ ,[cs]"i"(__KERNEL_CS)
19896+#endif
19897+
19898 : "cc", "memory"
19899- , R"bx", R"di", R"si"
19900+ , R"ax", R"bx", R"di", R"si"
19901 #ifdef CONFIG_X86_64
19902 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
19903 #endif
19904@@ -3782,7 +3800,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
19905 if (vmx->rmode.irq.pending)
19906 fixup_rmode_irq(vmx);
19907
19908- asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
19909+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
19910+
19911+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
19912+ loadsegment(fs, __KERNEL_PERCPU);
19913+#endif
19914+
19915+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
19916+ __set_fs(current_thread_info()->addr_limit);
19917+#endif
19918+
19919 vmx->launched = 1;
19920
19921 vmx_complete_interrupts(vmx);
19922@@ -3957,7 +3984,7 @@ static bool vmx_gb_page_enable(void)
19923 return false;
19924 }
19925
19926-static struct kvm_x86_ops vmx_x86_ops = {
19927+static const struct kvm_x86_ops vmx_x86_ops = {
19928 .cpu_has_kvm_support = cpu_has_kvm_support,
19929 .disabled_by_bios = vmx_disabled_by_bios,
19930 .hardware_setup = hardware_setup,
19931diff -urNp linux-2.6.32.48/arch/x86/kvm/x86.c linux-2.6.32.48/arch/x86/kvm/x86.c
19932--- linux-2.6.32.48/arch/x86/kvm/x86.c 2011-11-08 19:02:43.000000000 -0500
19933+++ linux-2.6.32.48/arch/x86/kvm/x86.c 2011-11-15 19:59:43.000000000 -0500
19934@@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
19935 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
19936 struct kvm_cpuid_entry2 __user *entries);
19937
19938-struct kvm_x86_ops *kvm_x86_ops;
19939+const struct kvm_x86_ops *kvm_x86_ops;
19940 EXPORT_SYMBOL_GPL(kvm_x86_ops);
19941
19942 int ignore_msrs = 0;
19943@@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
19944 struct kvm_cpuid2 *cpuid,
19945 struct kvm_cpuid_entry2 __user *entries)
19946 {
19947- int r;
19948+ int r, i;
19949
19950 r = -E2BIG;
19951 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
19952 goto out;
19953 r = -EFAULT;
19954- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
19955- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19956+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
19957 goto out;
19958+ for (i = 0; i < cpuid->nent; ++i) {
19959+ struct kvm_cpuid_entry2 cpuid_entry;
19960+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
19961+ goto out;
19962+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
19963+ }
19964 vcpu->arch.cpuid_nent = cpuid->nent;
19965 kvm_apic_set_version(vcpu);
19966 return 0;
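Review bot: A fault at entry i leaves `vcpu->arch.cpuid_entries[0..i-1]` already replaced while `vcpu->arch.cpuid_nent` still holds the previous count, because the loop stores each entry as soon as it is copied. The removed single `copy_from_user` could also stop part-way, so this is not new, but it deserves a comment such as `/* on -EFAULT the table may be partly overwritten; cpuid_nent is left unchanged */`. The counter is declared `int i` and compared with `cpuid->nent`; if that field is unsigned (its declaration is not in the hunk), `unsigned int i` would avoid the mixed-sign comparison. The reason for copying entry by entry instead of in one call is not stated, here or in the kvm_vcpu_ioctl_get_cpuid2 hunk that follows.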
19967@@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
19968 struct kvm_cpuid2 *cpuid,
19969 struct kvm_cpuid_entry2 __user *entries)
19970 {
19971- int r;
19972+ int r, i;
19973
19974 vcpu_load(vcpu);
19975 r = -E2BIG;
19976 if (cpuid->nent < vcpu->arch.cpuid_nent)
19977 goto out;
19978 r = -EFAULT;
19979- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
19980- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19981+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
19982 goto out;
19983+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
19984+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
19985+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
19986+ goto out;
19987+ }
19988 return 0;
19989
19990 out:
19991@@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
19992 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
19993 struct kvm_interrupt *irq)
19994 {
19995- if (irq->irq < 0 || irq->irq >= 256)
19996+ if (irq->irq >= 256)
19997 return -EINVAL;
19998 if (irqchip_in_kernel(vcpu->kvm))
19999 return -ENXIO;
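Review bot: With `irq->irq < 0` removed, the remaining `irq->irq >= 256` test rejects every out-of-range value only if `irq->irq` has an unsigned type; the declaration of `struct kvm_interrupt` is outside the hunk, so that should be confirmed. If the field is unsigned, the old test was dead code and the removal is fine. A brief comment such as `/* irq is unsigned; the upper-bound check covers the whole invalid range */` would keep a later type change from silently reopening the lower bound.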
20000@@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
20001 .notifier_call = kvmclock_cpufreq_notifier
20002 };
20003
20004-int kvm_arch_init(void *opaque)
20005+int kvm_arch_init(const void *opaque)
20006 {
20007 int r, cpu;
20008- struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
20009+ const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
20010
20011 if (kvm_x86_ops) {
20012 printk(KERN_ERR "kvm: already loaded the other module\n");
20013diff -urNp linux-2.6.32.48/arch/x86/lguest/boot.c linux-2.6.32.48/arch/x86/lguest/boot.c
20014--- linux-2.6.32.48/arch/x86/lguest/boot.c 2011-11-08 19:02:43.000000000 -0500
20015+++ linux-2.6.32.48/arch/x86/lguest/boot.c 2011-11-15 19:59:43.000000000 -0500
20016@@ -1172,9 +1172,10 @@ static __init int early_put_chars(u32 vt
20017 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
20018 * Launcher to reboot us.
20019 */
20020-static void lguest_restart(char *reason)
20021+static __noreturn void lguest_restart(char *reason)
20022 {
20023 kvm_hypercall2(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART);
20024+ BUG();
20025 }
20026
20027 /*G:050
20028diff -urNp linux-2.6.32.48/arch/x86/lib/atomic64_32.c linux-2.6.32.48/arch/x86/lib/atomic64_32.c
20029--- linux-2.6.32.48/arch/x86/lib/atomic64_32.c 2011-11-08 19:02:43.000000000 -0500
20030+++ linux-2.6.32.48/arch/x86/lib/atomic64_32.c 2011-11-15 19:59:43.000000000 -0500
20031@@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
20032 }
20033 EXPORT_SYMBOL(atomic64_cmpxchg);
20034
20035+u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
20036+{
20037+ return cmpxchg8b(&ptr->counter, old_val, new_val);
20038+}
20039+EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
20040+
20041 /**
20042 * atomic64_xchg - xchg atomic64 variable
20043 * @ptr: pointer to type atomic64_t
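Review bot: `atomic64_cmpxchg_unchecked` is added without the kernel-doc block that `atomic64_xchg_unchecked` and `atomic64_set_unchecked` get in the following hunks, and none of the added comments says what "unchecked" means relative to the `atomic64_t` variants. A header in the style of its neighbours, documenting `@ptr`, `@old_val`, `@new_val` and that the previous value is returned, would close the gap. One sentence on when a caller should pick the unchecked type would make the API usable without reading the rest of the patch.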
20044@@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
20045 EXPORT_SYMBOL(atomic64_xchg);
20046
20047 /**
20048+ * atomic64_xchg_unchecked - xchg atomic64 variable
20049+ * @ptr: pointer to type atomic64_unchecked_t
20050+ * @new_val: value to assign
20051+ *
20052+ * Atomically xchgs the value of @ptr to @new_val and returns
20053+ * the old value.
20054+ */
20055+u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20056+{
20057+ /*
20058+ * Try first with a (possibly incorrect) assumption about
20059+ * what we have there. We'll do two loops most likely,
20060+ * but we'll get an ownership MESI transaction straight away
20061+ * instead of a read transaction followed by a
20062+ * flush-for-ownership transaction:
20063+ */
20064+ u64 old_val, real_val = 0;
20065+
20066+ do {
20067+ old_val = real_val;
20068+
20069+ real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20070+
20071+ } while (real_val != old_val);
20072+
20073+ return old_val;
20074+}
20075+EXPORT_SYMBOL(atomic64_xchg_unchecked);
20076+
20077+/**
20078 * atomic64_set - set atomic64 variable
20079 * @ptr: pointer to type atomic64_t
20080 * @new_val: value to assign
20081@@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
20082 EXPORT_SYMBOL(atomic64_set);
20083
20084 /**
20085-EXPORT_SYMBOL(atomic64_read);
20086+ * atomic64_unchecked_set - set atomic64 variable
20087+ * @ptr: pointer to type atomic64_unchecked_t
20088+ * @new_val: value to assign
20089+ *
20090+ * Atomically sets the value of @ptr to @new_val.
20091+ */
20092+void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
20093+{
20094+ atomic64_xchg_unchecked(ptr, new_val);
20095+}
20096+EXPORT_SYMBOL(atomic64_set_unchecked);
20097+
20098+/**
20099 * atomic64_add_return - add and return
20100 * @delta: integer value to add
20101 * @ptr: pointer to type atomic64_t
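Review bot: The kernel-doc header names the function `atomic64_unchecked_set`, but the definition and the export are `atomic64_set_unchecked`, so generated documentation will not attach to the function. The first line of the comment should read ` * atomic64_set_unchecked - set atomic64 variable`.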
20102@@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
20103 }
20104 EXPORT_SYMBOL(atomic64_add_return);
20105
20106+/**
20107+ * atomic64_add_return_unchecked - add and return
20108+ * @delta: integer value to add
20109+ * @ptr: pointer to type atomic64_unchecked_t
20110+ *
20111+ * Atomically adds @delta to @ptr and returns @delta + *@ptr
20112+ */
20113+noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20114+{
20115+ /*
20116+ * Try first with a (possibly incorrect) assumption about
20117+ * what we have there. We'll do two loops most likely,
20118+ * but we'll get an ownership MESI transaction straight away
20119+ * instead of a read transaction followed by a
20120+ * flush-for-ownership transaction:
20121+ */
20122+ u64 old_val, new_val, real_val = 0;
20123+
20124+ do {
20125+ old_val = real_val;
20126+ new_val = old_val + delta;
20127+
20128+ real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
20129+
20130+ } while (real_val != old_val);
20131+
20132+ return new_val;
20133+}
20134+EXPORT_SYMBOL(atomic64_add_return_unchecked);
20135+
20136 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
20137 {
20138 return atomic64_add_return(-delta, ptr);
20139 }
20140 EXPORT_SYMBOL(atomic64_sub_return);
20141
20142+u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20143+{
20144+ return atomic64_add_return_unchecked(-delta, ptr);
20145+}
20146+EXPORT_SYMBOL(atomic64_sub_return_unchecked);
20147+
20148 u64 atomic64_inc_return(atomic64_t *ptr)
20149 {
20150 return atomic64_add_return(1, ptr);
20151 }
20152 EXPORT_SYMBOL(atomic64_inc_return);
20153
20154+u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
20155+{
20156+ return atomic64_add_return_unchecked(1, ptr);
20157+}
20158+EXPORT_SYMBOL(atomic64_inc_return_unchecked);
20159+
20160 u64 atomic64_dec_return(atomic64_t *ptr)
20161 {
20162 return atomic64_sub_return(1, ptr);
20163 }
20164 EXPORT_SYMBOL(atomic64_dec_return);
20165
20166+u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
20167+{
20168+ return atomic64_sub_return_unchecked(1, ptr);
20169+}
20170+EXPORT_SYMBOL(atomic64_dec_return_unchecked);
20171+
20172 /**
20173 * atomic64_add - add integer to atomic64 variable
20174 * @delta: integer value to add
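Review bot: `atomic64_add_return_unchecked` contains no overflow test, and no visible hunk of this file adds one to `atomic64_add_return` either, so on this code path the checked and unchecked types appear to behave the same. If overflow detection for `atomic64_t` is implemented elsewhere, a comment should say where. If it is not, the comment should state that on 32-bit the `_unchecked` type is only a marker, so readers do not assume wrap protection that is absent. `atomic64_sub_return_unchecked`, `atomic64_inc_return_unchecked` and `atomic64_dec_return_unchecked` in the same hunk also lack kernel-doc headers.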
20175@@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
20176 EXPORT_SYMBOL(atomic64_add);
20177
20178 /**
20179+ * atomic64_add_unchecked - add integer to atomic64 variable
20180+ * @delta: integer value to add
20181+ * @ptr: pointer to type atomic64_unchecked_t
20182+ *
20183+ * Atomically adds @delta to @ptr.
20184+ */
20185+void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20186+{
20187+ atomic64_add_return_unchecked(delta, ptr);
20188+}
20189+EXPORT_SYMBOL(atomic64_add_unchecked);
20190+
20191+/**
20192 * atomic64_sub - subtract the atomic64 variable
20193 * @delta: integer value to subtract
20194 * @ptr: pointer to type atomic64_t
20195@@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
20196 EXPORT_SYMBOL(atomic64_sub);
20197
20198 /**
20199+ * atomic64_sub_unchecked - subtract the atomic64 variable
20200+ * @delta: integer value to subtract
20201+ * @ptr: pointer to type atomic64_unchecked_t
20202+ *
20203+ * Atomically subtracts @delta from @ptr.
20204+ */
20205+void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
20206+{
20207+ atomic64_add_unchecked(-delta, ptr);
20208+}
20209+EXPORT_SYMBOL(atomic64_sub_unchecked);
20210+
20211+/**
20212 * atomic64_sub_and_test - subtract value from variable and test result
20213 * @delta: integer value to subtract
20214 * @ptr: pointer to type atomic64_t
20215@@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
20216 EXPORT_SYMBOL(atomic64_inc);
20217
20218 /**
20219+ * atomic64_inc_unchecked - increment atomic64 variable
20220+ * @ptr: pointer to type atomic64_unchecked_t
20221+ *
20222+ * Atomically increments @ptr by 1.
20223+ */
20224+void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
20225+{
20226+ atomic64_add_unchecked(1, ptr);
20227+}
20228+EXPORT_SYMBOL(atomic64_inc_unchecked);
20229+
20230+/**
20231 * atomic64_dec - decrement atomic64 variable
20232 * @ptr: pointer to type atomic64_t
20233 *
20234@@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
20235 EXPORT_SYMBOL(atomic64_dec);
20236
20237 /**
20238+ * atomic64_dec_unchecked - decrement atomic64 variable
20239+ * @ptr: pointer to type atomic64_unchecked_t
20240+ *
20241+ * Atomically decrements @ptr by 1.
20242+ */
20243+void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
20244+{
20245+ atomic64_sub_unchecked(1, ptr);
20246+}
20247+EXPORT_SYMBOL(atomic64_dec_unchecked);
20248+
20249+/**
20250 * atomic64_dec_and_test - decrement and test
20251 * @ptr: pointer to type atomic64_t
20252 *
20253diff -urNp linux-2.6.32.48/arch/x86/lib/checksum_32.S linux-2.6.32.48/arch/x86/lib/checksum_32.S
20254--- linux-2.6.32.48/arch/x86/lib/checksum_32.S 2011-11-08 19:02:43.000000000 -0500
20255+++ linux-2.6.32.48/arch/x86/lib/checksum_32.S 2011-11-15 19:59:43.000000000 -0500
20256@@ -28,7 +28,8 @@
20257 #include <linux/linkage.h>
20258 #include <asm/dwarf2.h>
20259 #include <asm/errno.h>
20260-
20261+#include <asm/segment.h>
20262+
20263 /*
20264 * computes a partial checksum, e.g. for TCP/UDP fragments
20265 */
20266@@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
20267
20268 #define ARGBASE 16
20269 #define FP 12
20270-
20271-ENTRY(csum_partial_copy_generic)
20272+
20273+ENTRY(csum_partial_copy_generic_to_user)
20274 CFI_STARTPROC
20275+
20276+#ifdef CONFIG_PAX_MEMORY_UDEREF
20277+ pushl %gs
20278+ CFI_ADJUST_CFA_OFFSET 4
20279+ popl %es
20280+ CFI_ADJUST_CFA_OFFSET -4
20281+ jmp csum_partial_copy_generic
20282+#endif
20283+
20284+ENTRY(csum_partial_copy_generic_from_user)
20285+
20286+#ifdef CONFIG_PAX_MEMORY_UDEREF
20287+ pushl %gs
20288+ CFI_ADJUST_CFA_OFFSET 4
20289+ popl %ds
20290+ CFI_ADJUST_CFA_OFFSET -4
20291+#endif
20292+
20293+ENTRY(csum_partial_copy_generic)
20294 subl $4,%esp
20295 CFI_ADJUST_CFA_OFFSET 4
20296 pushl %edi
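Review bot: The two new entry points have no comment describing their contract. Under CONFIG_PAX_MEMORY_UDEREF `csum_partial_copy_generic_to_user` loads `%es` from `%gs` and jumps, `csum_partial_copy_generic_from_user` loads `%ds` from `%gs` and falls through, and without that option all three labels share one address. A block comment above the first `ENTRY` should say which segment each variant redirects and that the epilogue restores `%ds`/`%es` from `%ss`. `CFI_STARTPROC` now sits under the `_to_user` label and the `ENDPROC` in a later hunk is renamed to `csum_partial_copy_generic_to_user`, so `csum_partial_copy_generic` and `_from_user` have no `ENDPROC` of their own; adding one for each would keep their symbol type and size annotations. The same applies to the PentiumII/PPro variant further down.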
20297@@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
20298 jmp 4f
20299 SRC(1: movw (%esi), %bx )
20300 addl $2, %esi
20301-DST( movw %bx, (%edi) )
20302+DST( movw %bx, %es:(%edi) )
20303 addl $2, %edi
20304 addw %bx, %ax
20305 adcl $0, %eax
20306@@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
20307 SRC(1: movl (%esi), %ebx )
20308 SRC( movl 4(%esi), %edx )
20309 adcl %ebx, %eax
20310-DST( movl %ebx, (%edi) )
20311+DST( movl %ebx, %es:(%edi) )
20312 adcl %edx, %eax
20313-DST( movl %edx, 4(%edi) )
20314+DST( movl %edx, %es:4(%edi) )
20315
20316 SRC( movl 8(%esi), %ebx )
20317 SRC( movl 12(%esi), %edx )
20318 adcl %ebx, %eax
20319-DST( movl %ebx, 8(%edi) )
20320+DST( movl %ebx, %es:8(%edi) )
20321 adcl %edx, %eax
20322-DST( movl %edx, 12(%edi) )
20323+DST( movl %edx, %es:12(%edi) )
20324
20325 SRC( movl 16(%esi), %ebx )
20326 SRC( movl 20(%esi), %edx )
20327 adcl %ebx, %eax
20328-DST( movl %ebx, 16(%edi) )
20329+DST( movl %ebx, %es:16(%edi) )
20330 adcl %edx, %eax
20331-DST( movl %edx, 20(%edi) )
20332+DST( movl %edx, %es:20(%edi) )
20333
20334 SRC( movl 24(%esi), %ebx )
20335 SRC( movl 28(%esi), %edx )
20336 adcl %ebx, %eax
20337-DST( movl %ebx, 24(%edi) )
20338+DST( movl %ebx, %es:24(%edi) )
20339 adcl %edx, %eax
20340-DST( movl %edx, 28(%edi) )
20341+DST( movl %edx, %es:28(%edi) )
20342
20343 lea 32(%esi), %esi
20344 lea 32(%edi), %edi
20345@@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
20346 shrl $2, %edx # This clears CF
20347 SRC(3: movl (%esi), %ebx )
20348 adcl %ebx, %eax
20349-DST( movl %ebx, (%edi) )
20350+DST( movl %ebx, %es:(%edi) )
20351 lea 4(%esi), %esi
20352 lea 4(%edi), %edi
20353 dec %edx
20354@@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
20355 jb 5f
20356 SRC( movw (%esi), %cx )
20357 leal 2(%esi), %esi
20358-DST( movw %cx, (%edi) )
20359+DST( movw %cx, %es:(%edi) )
20360 leal 2(%edi), %edi
20361 je 6f
20362 shll $16,%ecx
20363 SRC(5: movb (%esi), %cl )
20364-DST( movb %cl, (%edi) )
20365+DST( movb %cl, %es:(%edi) )
20366 6: addl %ecx, %eax
20367 adcl $0, %eax
20368 7:
20369@@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
20370
20371 6001:
20372 movl ARGBASE+20(%esp), %ebx # src_err_ptr
20373- movl $-EFAULT, (%ebx)
20374+ movl $-EFAULT, %ss:(%ebx)
20375
20376 # zero the complete destination - computing the rest
20377 # is too much work
20378@@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
20379
20380 6002:
20381 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20382- movl $-EFAULT,(%ebx)
20383+ movl $-EFAULT,%ss:(%ebx)
20384 jmp 5000b
20385
20386 .previous
20387
20388+ pushl %ss
20389+ CFI_ADJUST_CFA_OFFSET 4
20390+ popl %ds
20391+ CFI_ADJUST_CFA_OFFSET -4
20392+ pushl %ss
20393+ CFI_ADJUST_CFA_OFFSET 4
20394+ popl %es
20395+ CFI_ADJUST_CFA_OFFSET -4
20396 popl %ebx
20397 CFI_ADJUST_CFA_OFFSET -4
20398 CFI_RESTORE ebx
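Review bot: The `pushl %ss` / `popl %ds` / `pushl %ss` / `popl %es` sequence added here is unconditional, while the same sequence in the PentiumII/PPro variant (hunk at -523,10) is wrapped in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. The entry-side segment loads are conditional in both variants, so the two epilogues should agree. Wrapping this one in the same `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif` pair matches the other variant and avoids two segment reloads per call when the option is off. If the unconditional reload is intended, a comment should say why only this variant needs it.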
20399@@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
20400 CFI_ADJUST_CFA_OFFSET -4
20401 ret
20402 CFI_ENDPROC
20403-ENDPROC(csum_partial_copy_generic)
20404+ENDPROC(csum_partial_copy_generic_to_user)
20405
20406 #else
20407
20408 /* Version for PentiumII/PPro */
20409
20410 #define ROUND1(x) \
20411+ nop; nop; nop; \
20412 SRC(movl x(%esi), %ebx ) ; \
20413 addl %ebx, %eax ; \
20414- DST(movl %ebx, x(%edi) ) ;
20415+ DST(movl %ebx, %es:x(%edi)) ;
20416
20417 #define ROUND(x) \
20418+ nop; nop; nop; \
20419 SRC(movl x(%esi), %ebx ) ; \
20420 adcl %ebx, %eax ; \
20421- DST(movl %ebx, x(%edi) ) ;
20422+ DST(movl %ebx, %es:x(%edi)) ;
20423
20424 #define ARGBASE 12
20425-
20426-ENTRY(csum_partial_copy_generic)
20427+
20428+ENTRY(csum_partial_copy_generic_to_user)
20429 CFI_STARTPROC
20430+
20431+#ifdef CONFIG_PAX_MEMORY_UDEREF
20432+ pushl %gs
20433+ CFI_ADJUST_CFA_OFFSET 4
20434+ popl %es
20435+ CFI_ADJUST_CFA_OFFSET -4
20436+ jmp csum_partial_copy_generic
20437+#endif
20438+
20439+ENTRY(csum_partial_copy_generic_from_user)
20440+
20441+#ifdef CONFIG_PAX_MEMORY_UDEREF
20442+ pushl %gs
20443+ CFI_ADJUST_CFA_OFFSET 4
20444+ popl %ds
20445+ CFI_ADJUST_CFA_OFFSET -4
20446+#endif
20447+
20448+ENTRY(csum_partial_copy_generic)
20449 pushl %ebx
20450 CFI_ADJUST_CFA_OFFSET 4
20451 CFI_REL_OFFSET ebx, 0
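Review bot: The `nop; nop; nop;` added to `ROUND1` and `ROUND` has no explanation. It looks tied to the computed jump changed in the next hunk, where `lea 3f(%ebx,%ebx), %ebx` becomes `lea 3f(%ebx,%ebx,2), %ebx`: the jump scale and the byte length of one `ROUND` expansion have to stay in step. That coupling should be written next to the macros, for example `/* each ROUND must assemble to the size assumed by the lea before "jmp *%ebx"; the nops pad for the %es prefix */`, because changing either side alone would make the jump land inside an instruction. The byte counts are inferred rather than shown in the hunk and should be confirmed against the assembled output.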
20452@@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
20453 subl %ebx, %edi
20454 lea -1(%esi),%edx
20455 andl $-32,%edx
20456- lea 3f(%ebx,%ebx), %ebx
20457+ lea 3f(%ebx,%ebx,2), %ebx
20458 testl %esi, %esi
20459 jmp *%ebx
20460 1: addl $64,%esi
20461@@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
20462 jb 5f
20463 SRC( movw (%esi), %dx )
20464 leal 2(%esi), %esi
20465-DST( movw %dx, (%edi) )
20466+DST( movw %dx, %es:(%edi) )
20467 leal 2(%edi), %edi
20468 je 6f
20469 shll $16,%edx
20470 5:
20471 SRC( movb (%esi), %dl )
20472-DST( movb %dl, (%edi) )
20473+DST( movb %dl, %es:(%edi) )
20474 6: addl %edx, %eax
20475 adcl $0, %eax
20476 7:
20477 .section .fixup, "ax"
20478 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
20479- movl $-EFAULT, (%ebx)
20480+ movl $-EFAULT, %ss:(%ebx)
20481 # zero the complete destination (computing the rest is too much work)
20482 movl ARGBASE+8(%esp),%edi # dst
20483 movl ARGBASE+12(%esp),%ecx # len
20484@@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
20485 rep; stosb
20486 jmp 7b
20487 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
20488- movl $-EFAULT, (%ebx)
20489+ movl $-EFAULT, %ss:(%ebx)
20490 jmp 7b
20491 .previous
20492
20493+#ifdef CONFIG_PAX_MEMORY_UDEREF
20494+ pushl %ss
20495+ CFI_ADJUST_CFA_OFFSET 4
20496+ popl %ds
20497+ CFI_ADJUST_CFA_OFFSET -4
20498+ pushl %ss
20499+ CFI_ADJUST_CFA_OFFSET 4
20500+ popl %es
20501+ CFI_ADJUST_CFA_OFFSET -4
20502+#endif
20503+
20504 popl %esi
20505 CFI_ADJUST_CFA_OFFSET -4
20506 CFI_RESTORE esi
20507@@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
20508 CFI_RESTORE ebx
20509 ret
20510 CFI_ENDPROC
20511-ENDPROC(csum_partial_copy_generic)
20512+ENDPROC(csum_partial_copy_generic_to_user)
20513
20514 #undef ROUND
20515 #undef ROUND1
20516diff -urNp linux-2.6.32.48/arch/x86/lib/clear_page_64.S linux-2.6.32.48/arch/x86/lib/clear_page_64.S
20517--- linux-2.6.32.48/arch/x86/lib/clear_page_64.S 2011-11-08 19:02:43.000000000 -0500
20518+++ linux-2.6.32.48/arch/x86/lib/clear_page_64.S 2011-11-15 19:59:43.000000000 -0500
20519@@ -1,5 +1,6 @@
20520 #include <linux/linkage.h>
20521 #include <asm/dwarf2.h>
20522+#include <asm/alternative-asm.h>
20523
20524 /*
20525 * Zero a page.
20526@@ -10,6 +11,7 @@ ENTRY(clear_page_c)
20527 movl $4096/8,%ecx
20528 xorl %eax,%eax
20529 rep stosq
20530+ pax_force_retaddr
20531 ret
20532 CFI_ENDPROC
20533 ENDPROC(clear_page_c)
20534@@ -33,6 +35,7 @@ ENTRY(clear_page)
20535 leaq 64(%rdi),%rdi
20536 jnz .Lloop
20537 nop
20538+ pax_force_retaddr
20539 ret
20540 CFI_ENDPROC
20541 .Lclear_page_end:
20542@@ -43,7 +46,7 @@ ENDPROC(clear_page)
20543
20544 #include <asm/cpufeature.h>
20545
20546- .section .altinstr_replacement,"ax"
20547+ .section .altinstr_replacement,"a"
20548 1: .byte 0xeb /* jmp <disp8> */
20549 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
20550 2:
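Review bot: Changing `.altinstr_replacement` from `"ax"` to `"a"` drops the executable flag from the section without a comment, and the same edit recurs in copy_page_64.S, the `ALTERNATIVE_JUMP` macro in copy_user_64.S, memcpy_64.S and memset_64.S. Presumably the replacement bytes are only copied over the original instructions and never run in place, which would make the flag unnecessary, but a reader has to reconstruct that. A one-line comment at each site, such as `/* replacement bytes are copied over the original site, never executed from this section */`, would record the reasoning.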
20551diff -urNp linux-2.6.32.48/arch/x86/lib/copy_page_64.S linux-2.6.32.48/arch/x86/lib/copy_page_64.S
20552--- linux-2.6.32.48/arch/x86/lib/copy_page_64.S 2011-11-08 19:02:43.000000000 -0500
20553+++ linux-2.6.32.48/arch/x86/lib/copy_page_64.S 2011-11-15 19:59:43.000000000 -0500
20554@@ -2,12 +2,14 @@
20555
20556 #include <linux/linkage.h>
20557 #include <asm/dwarf2.h>
20558+#include <asm/alternative-asm.h>
20559
20560 ALIGN
20561 copy_page_c:
20562 CFI_STARTPROC
20563 movl $4096/8,%ecx
20564 rep movsq
20565+ pax_force_retaddr
20566 ret
20567 CFI_ENDPROC
20568 ENDPROC(copy_page_c)
20569@@ -94,6 +96,7 @@ ENTRY(copy_page)
20570 CFI_RESTORE r13
20571 addq $3*8,%rsp
20572 CFI_ADJUST_CFA_OFFSET -3*8
20573+ pax_force_retaddr
20574 ret
20575 .Lcopy_page_end:
20576 CFI_ENDPROC
20577@@ -104,7 +107,7 @@ ENDPROC(copy_page)
20578
20579 #include <asm/cpufeature.h>
20580
20581- .section .altinstr_replacement,"ax"
20582+ .section .altinstr_replacement,"a"
20583 1: .byte 0xeb /* jmp <disp8> */
20584 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
20585 2:
20586diff -urNp linux-2.6.32.48/arch/x86/lib/copy_user_64.S linux-2.6.32.48/arch/x86/lib/copy_user_64.S
20587--- linux-2.6.32.48/arch/x86/lib/copy_user_64.S 2011-11-08 19:02:43.000000000 -0500
20588+++ linux-2.6.32.48/arch/x86/lib/copy_user_64.S 2011-11-15 19:59:43.000000000 -0500
20589@@ -15,13 +15,15 @@
20590 #include <asm/asm-offsets.h>
20591 #include <asm/thread_info.h>
20592 #include <asm/cpufeature.h>
20593+#include <asm/pgtable.h>
20594+#include <asm/alternative-asm.h>
20595
20596 .macro ALTERNATIVE_JUMP feature,orig,alt
20597 0:
20598 .byte 0xe9 /* 32bit jump */
20599 .long \orig-1f /* by default jump to orig */
20600 1:
20601- .section .altinstr_replacement,"ax"
20602+ .section .altinstr_replacement,"a"
20603 2: .byte 0xe9 /* near jump with 32bit immediate */
20604 .long \alt-1b /* offset */ /* or alternatively to alt */
20605 .previous
20606@@ -64,55 +66,26 @@
20607 #endif
20608 .endm
20609
20610-/* Standard copy_to_user with segment limit checking */
20611-ENTRY(copy_to_user)
20612- CFI_STARTPROC
20613- GET_THREAD_INFO(%rax)
20614- movq %rdi,%rcx
20615- addq %rdx,%rcx
20616- jc bad_to_user
20617- cmpq TI_addr_limit(%rax),%rcx
20618- ja bad_to_user
20619- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20620- CFI_ENDPROC
20621-ENDPROC(copy_to_user)
20622-
20623-/* Standard copy_from_user with segment limit checking */
20624-ENTRY(copy_from_user)
20625- CFI_STARTPROC
20626- GET_THREAD_INFO(%rax)
20627- movq %rsi,%rcx
20628- addq %rdx,%rcx
20629- jc bad_from_user
20630- cmpq TI_addr_limit(%rax),%rcx
20631- ja bad_from_user
20632- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20633- CFI_ENDPROC
20634-ENDPROC(copy_from_user)
20635-
20636 ENTRY(copy_user_generic)
20637 CFI_STARTPROC
20638 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20639 CFI_ENDPROC
20640 ENDPROC(copy_user_generic)
20641
20642-ENTRY(__copy_from_user_inatomic)
20643- CFI_STARTPROC
20644- ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
20645- CFI_ENDPROC
20646-ENDPROC(__copy_from_user_inatomic)
20647-
20648 .section .fixup,"ax"
20649 /* must zero dest */
20650 ENTRY(bad_from_user)
20651 bad_from_user:
20652 CFI_STARTPROC
20653+ testl %edx,%edx
20654+ js bad_to_user
20655 movl %edx,%ecx
20656 xorl %eax,%eax
20657 rep
20658 stosb
20659 bad_to_user:
20660 movl %edx,%eax
20661+ pax_force_retaddr
20662 ret
20663 CFI_ENDPROC
20664 ENDPROC(bad_from_user)
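Review bot: The existing `/* must zero dest */` comment above `bad_from_user` no longer describes the code. With the added `testl %edx,%edx` and `js bad_to_user`, a length whose sign bit is set in `%edx` skips the `rep stosb` and only returns the count. The comment should say so, for example `/* zero dest unless the 32-bit length is negative, in which case nothing is written */`. The hunk also deletes the `copy_to_user` and `copy_from_user` entry points together with their `TI_addr_limit` range checks; the replacement checks are not in this hunk, so it is worth confirming that every former caller still passes a bounds check before reaching `copy_user_generic`.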
20665@@ -180,6 +153,7 @@ ENTRY(copy_user_generic_unrolled)
20666 decl %ecx
20667 jnz 21b
20668 23: xor %eax,%eax
20669+ pax_force_retaddr
20670 ret
20671
20672 .section .fixup,"ax"
20673@@ -252,6 +226,7 @@ ENTRY(copy_user_generic_string)
20674 3: rep
20675 movsb
20676 4: xorl %eax,%eax
20677+ pax_force_retaddr
20678 ret
20679
20680 .section .fixup,"ax"
20681diff -urNp linux-2.6.32.48/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.48/arch/x86/lib/copy_user_nocache_64.S
20682--- linux-2.6.32.48/arch/x86/lib/copy_user_nocache_64.S 2011-11-08 19:02:43.000000000 -0500
20683+++ linux-2.6.32.48/arch/x86/lib/copy_user_nocache_64.S 2011-11-15 19:59:43.000000000 -0500
20684@@ -8,12 +8,14 @@
20685
20686 #include <linux/linkage.h>
20687 #include <asm/dwarf2.h>
20688+#include <asm/alternative-asm.h>
20689
20690 #define FIX_ALIGNMENT 1
20691
20692 #include <asm/current.h>
20693 #include <asm/asm-offsets.h>
20694 #include <asm/thread_info.h>
20695+#include <asm/pgtable.h>
20696
20697 .macro ALIGN_DESTINATION
20698 #ifdef FIX_ALIGNMENT
20699@@ -50,6 +52,15 @@
20700 */
20701 ENTRY(__copy_user_nocache)
20702 CFI_STARTPROC
20703+
20704+#ifdef CONFIG_PAX_MEMORY_UDEREF
20705+ mov $PAX_USER_SHADOW_BASE,%rcx
20706+ cmp %rcx,%rsi
20707+ jae 1f
20708+ add %rcx,%rsi
20709+1:
20710+#endif
20711+
20712 cmpl $8,%edx
20713 jb 20f /* less then 8 bytes, go to byte copy loop */
20714 ALIGN_DESTINATION
20715@@ -98,6 +109,7 @@ ENTRY(__copy_user_nocache)
20716 jnz 21b
20717 23: xorl %eax,%eax
20718 sfence
20719+ pax_force_retaddr
20720 ret
20721
20722 .section .fixup,"ax"
20723diff -urNp linux-2.6.32.48/arch/x86/lib/csum-copy_64.S linux-2.6.32.48/arch/x86/lib/csum-copy_64.S
20724--- linux-2.6.32.48/arch/x86/lib/csum-copy_64.S 2011-11-08 19:02:43.000000000 -0500
20725+++ linux-2.6.32.48/arch/x86/lib/csum-copy_64.S 2011-11-15 19:59:43.000000000 -0500
20726@@ -8,6 +8,7 @@
20727 #include <linux/linkage.h>
20728 #include <asm/dwarf2.h>
20729 #include <asm/errno.h>
20730+#include <asm/alternative-asm.h>
20731
20732 /*
20733 * Checksum copy with exception handling.
20734@@ -228,6 +229,7 @@ ENTRY(csum_partial_copy_generic)
20735 CFI_RESTORE rbp
20736 addq $7*8,%rsp
20737 CFI_ADJUST_CFA_OFFSET -7*8
20738+ pax_force_retaddr
20739 ret
20740 CFI_RESTORE_STATE
20741
20742diff -urNp linux-2.6.32.48/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.48/arch/x86/lib/csum-wrappers_64.c
20743--- linux-2.6.32.48/arch/x86/lib/csum-wrappers_64.c 2011-11-08 19:02:43.000000000 -0500
20744+++ linux-2.6.32.48/arch/x86/lib/csum-wrappers_64.c 2011-11-15 19:59:43.000000000 -0500
20745@@ -52,7 +52,13 @@ csum_partial_copy_from_user(const void _
20746 len -= 2;
20747 }
20748 }
20749- isum = csum_partial_copy_generic((__force const void *)src,
20750+
20751+#ifdef CONFIG_PAX_MEMORY_UDEREF
20752+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
20753+ src += PAX_USER_SHADOW_BASE;
20754+#endif
20755+
20756+ isum = csum_partial_copy_generic((const void __force_kernel *)src,
20757 dst, len, isum, errp, NULL);
20758 if (unlikely(*errp))
20759 goto out_err;
20760@@ -105,7 +111,13 @@ csum_partial_copy_to_user(const void *sr
20761 }
20762
20763 *errp = 0;
20764- return csum_partial_copy_generic(src, (void __force *)dst,
20765+
20766+#ifdef CONFIG_PAX_MEMORY_UDEREF
20767+ if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
20768+ dst += PAX_USER_SHADOW_BASE;
20769+#endif
20770+
20771+ return csum_partial_copy_generic(src, (void __force_kernel *)dst,
20772 len, isum, NULL, errp);
20773 }
20774 EXPORT_SYMBOL(csum_partial_copy_to_user);
20775diff -urNp linux-2.6.32.48/arch/x86/lib/getuser.S linux-2.6.32.48/arch/x86/lib/getuser.S
20776--- linux-2.6.32.48/arch/x86/lib/getuser.S 2011-11-08 19:02:43.000000000 -0500
20777+++ linux-2.6.32.48/arch/x86/lib/getuser.S 2011-11-15 19:59:43.000000000 -0500
20778@@ -33,15 +33,38 @@
20779 #include <asm/asm-offsets.h>
20780 #include <asm/thread_info.h>
20781 #include <asm/asm.h>
20782+#include <asm/segment.h>
20783+#include <asm/pgtable.h>
20784+#include <asm/alternative-asm.h>
20785+
20786+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
20787+#define __copyuser_seg gs;
20788+#else
20789+#define __copyuser_seg
20790+#endif
20791
20792 .text
20793 ENTRY(__get_user_1)
20794 CFI_STARTPROC
20795+
20796+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20797 GET_THREAD_INFO(%_ASM_DX)
20798 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20799 jae bad_get_user
20800-1: movzb (%_ASM_AX),%edx
20801+
20802+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20803+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20804+ cmp %_ASM_DX,%_ASM_AX
20805+ jae 1234f
20806+ add %_ASM_DX,%_ASM_AX
20807+1234:
20808+#endif
20809+
20810+#endif
20811+
20812+1: __copyuser_seg movzb (%_ASM_AX),%edx
20813 xor %eax,%eax
20814+ pax_force_retaddr
20815 ret
20816 CFI_ENDPROC
20817 ENDPROC(__get_user_1)
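Review bot: On 32-bit with CONFIG_PAX_MEMORY_UDEREF the `TI_addr_limit` comparison is compiled out and the load relies entirely on the `gs` override from `__copyuser_seg`, but nothing in the file says that the `%gs` segment is what bounds the access. A comment at the `__copyuser_seg` definition should state that assumption, for example `/* 32-bit UDEREF: user accesses go through %gs, which is presumed to limit them to user space in place of the addr_limit check */`. In the `__get_user_2` and `__get_user_4` hunks the same `#if` also removes `jc bad_get_user`, so the address wrap-around case depends on that segment as well.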
20818@@ -49,12 +72,26 @@ ENDPROC(__get_user_1)
20819 ENTRY(__get_user_2)
20820 CFI_STARTPROC
20821 add $1,%_ASM_AX
20822+
20823+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20824 jc bad_get_user
20825 GET_THREAD_INFO(%_ASM_DX)
20826 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20827 jae bad_get_user
20828-2: movzwl -1(%_ASM_AX),%edx
20829+
20830+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20831+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20832+ cmp %_ASM_DX,%_ASM_AX
20833+ jae 1234f
20834+ add %_ASM_DX,%_ASM_AX
20835+1234:
20836+#endif
20837+
20838+#endif
20839+
20840+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
20841 xor %eax,%eax
20842+ pax_force_retaddr
20843 ret
20844 CFI_ENDPROC
20845 ENDPROC(__get_user_2)
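Review bot: The five-line `PAX_USER_SHADOW_BASE` sequence with local label `1234` is repeated verbatim in `__get_user_1`, `__get_user_2`, `__get_user_4` and `__get_user_8`, and a near-identical one on `%rsi` appears in copy_user_nocache_64.S. One assembler macro taking the address and scratch registers would keep the copies from drifting apart and give a single place to document why addresses below the shadow base are rebased. The macro name below is a suggestion; each call site would become a single line inside its existing `#if`.

```asm
/* Rebase a user address below PAX_USER_SHADOW_BASE into the shadow range. */
.macro pax_user_shadow_rebase reg, tmp
	mov $PAX_USER_SHADOW_BASE,\tmp
	cmp \tmp,\reg
	jae 1234f
	add \tmp,\reg
1234:
.endm

/* ... unchanged: addr_limit check in __get_user_2 ... */
	pax_user_shadow_rebase %_ASM_AX, %_ASM_DX
```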
20846@@ -62,12 +99,26 @@ ENDPROC(__get_user_2)
20847 ENTRY(__get_user_4)
20848 CFI_STARTPROC
20849 add $3,%_ASM_AX
20850+
20851+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
20852 jc bad_get_user
20853 GET_THREAD_INFO(%_ASM_DX)
20854 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20855 jae bad_get_user
20856-3: mov -3(%_ASM_AX),%edx
20857+
20858+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20859+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20860+ cmp %_ASM_DX,%_ASM_AX
20861+ jae 1234f
20862+ add %_ASM_DX,%_ASM_AX
20863+1234:
20864+#endif
20865+
20866+#endif
20867+
20868+3: __copyuser_seg mov -3(%_ASM_AX),%edx
20869 xor %eax,%eax
20870+ pax_force_retaddr
20871 ret
20872 CFI_ENDPROC
20873 ENDPROC(__get_user_4)
20874@@ -80,8 +131,18 @@ ENTRY(__get_user_8)
20875 GET_THREAD_INFO(%_ASM_DX)
20876 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
20877 jae bad_get_user
20878+
20879+#ifdef CONFIG_PAX_MEMORY_UDEREF
20880+ mov $PAX_USER_SHADOW_BASE,%_ASM_DX
20881+ cmp %_ASM_DX,%_ASM_AX
20882+ jae 1234f
20883+ add %_ASM_DX,%_ASM_AX
20884+1234:
20885+#endif
20886+
20887 4: movq -7(%_ASM_AX),%_ASM_DX
20888 xor %eax,%eax
20889+ pax_force_retaddr
20890 ret
20891 CFI_ENDPROC
20892 ENDPROC(__get_user_8)
20893@@ -91,6 +152,7 @@ bad_get_user:
20894 CFI_STARTPROC
20895 xor %edx,%edx
20896 mov $(-EFAULT),%_ASM_AX
20897+ pax_force_retaddr
20898 ret
20899 CFI_ENDPROC
20900 END(bad_get_user)
20901diff -urNp linux-2.6.32.48/arch/x86/lib/iomap_copy_64.S linux-2.6.32.48/arch/x86/lib/iomap_copy_64.S
20902--- linux-2.6.32.48/arch/x86/lib/iomap_copy_64.S 2011-11-08 19:02:43.000000000 -0500
20903+++ linux-2.6.32.48/arch/x86/lib/iomap_copy_64.S 2011-11-15 19:59:43.000000000 -0500
20904@@ -17,6 +17,7 @@
20905
20906 #include <linux/linkage.h>
20907 #include <asm/dwarf2.h>
20908+#include <asm/alternative-asm.h>
20909
20910 /*
20911 * override generic version in lib/iomap_copy.c
20912@@ -25,6 +26,7 @@ ENTRY(__iowrite32_copy)
20913 CFI_STARTPROC
20914 movl %edx,%ecx
20915 rep movsd
20916+ pax_force_retaddr
20917 ret
20918 CFI_ENDPROC
20919 ENDPROC(__iowrite32_copy)
20920diff -urNp linux-2.6.32.48/arch/x86/lib/memcpy_64.S linux-2.6.32.48/arch/x86/lib/memcpy_64.S
20921--- linux-2.6.32.48/arch/x86/lib/memcpy_64.S 2011-11-08 19:02:43.000000000 -0500
20922+++ linux-2.6.32.48/arch/x86/lib/memcpy_64.S 2011-11-15 19:59:43.000000000 -0500
20923@@ -4,6 +4,7 @@
20924
20925 #include <asm/cpufeature.h>
20926 #include <asm/dwarf2.h>
20927+#include <asm/alternative-asm.h>
20928
20929 /*
20930 * memcpy - Copy a memory block.
20931@@ -34,6 +35,7 @@ memcpy_c:
20932 rep movsq
20933 movl %edx, %ecx
20934 rep movsb
20935+ pax_force_retaddr
20936 ret
20937 CFI_ENDPROC
20938 ENDPROC(memcpy_c)
20939@@ -118,6 +120,7 @@ ENTRY(memcpy)
20940 jnz .Lloop_1
20941
20942 .Lend:
20943+ pax_force_retaddr
20944 ret
20945 CFI_ENDPROC
20946 ENDPROC(memcpy)
20947@@ -128,7 +131,7 @@ ENDPROC(__memcpy)
20948 * It is also a lot simpler. Use this when possible:
20949 */
20950
20951- .section .altinstr_replacement, "ax"
20952+ .section .altinstr_replacement, "a"
20953 1: .byte 0xeb /* jmp <disp8> */
20954 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
20955 2:
20956diff -urNp linux-2.6.32.48/arch/x86/lib/memset_64.S linux-2.6.32.48/arch/x86/lib/memset_64.S
20957--- linux-2.6.32.48/arch/x86/lib/memset_64.S 2011-11-08 19:02:43.000000000 -0500
20958+++ linux-2.6.32.48/arch/x86/lib/memset_64.S 2011-11-15 19:59:43.000000000 -0500
20959@@ -2,6 +2,7 @@
20960
20961 #include <linux/linkage.h>
20962 #include <asm/dwarf2.h>
20963+#include <asm/alternative-asm.h>
20964
20965 /*
20966 * ISO C memset - set a memory block to a byte value.
20967@@ -28,6 +29,7 @@ memset_c:
20968 movl %r8d,%ecx
20969 rep stosb
20970 movq %r9,%rax
20971+ pax_force_retaddr
20972 ret
20973 CFI_ENDPROC
20974 ENDPROC(memset_c)
20975@@ -96,6 +98,7 @@ ENTRY(__memset)
20976
20977 .Lende:
20978 movq %r10,%rax
20979+ pax_force_retaddr
20980 ret
20981
20982 CFI_RESTORE_STATE
20983@@ -118,7 +121,7 @@ ENDPROC(__memset)
20984
20985 #include <asm/cpufeature.h>
20986
20987- .section .altinstr_replacement,"ax"
20988+ .section .altinstr_replacement,"a"
20989 1: .byte 0xeb /* jmp <disp8> */
20990 .byte (memset_c - memset) - (2f - 1b) /* offset */
20991 2:
20992diff -urNp linux-2.6.32.48/arch/x86/lib/mmx_32.c linux-2.6.32.48/arch/x86/lib/mmx_32.c
20993--- linux-2.6.32.48/arch/x86/lib/mmx_32.c 2011-11-08 19:02:43.000000000 -0500
20994+++ linux-2.6.32.48/arch/x86/lib/mmx_32.c 2011-11-15 19:59:43.000000000 -0500
20995@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
20996 {
20997 void *p;
20998 int i;
20999+ unsigned long cr0;
21000
21001 if (unlikely(in_interrupt()))
21002 return __memcpy(to, from, len);
21003@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
21004 kernel_fpu_begin();
21005
21006 __asm__ __volatile__ (
21007- "1: prefetch (%0)\n" /* This set is 28 bytes */
21008- " prefetch 64(%0)\n"
21009- " prefetch 128(%0)\n"
21010- " prefetch 192(%0)\n"
21011- " prefetch 256(%0)\n"
21012+ "1: prefetch (%1)\n" /* This set is 28 bytes */
21013+ " prefetch 64(%1)\n"
21014+ " prefetch 128(%1)\n"
21015+ " prefetch 192(%1)\n"
21016+ " prefetch 256(%1)\n"
21017 "2: \n"
21018 ".section .fixup, \"ax\"\n"
21019- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21020+ "3: \n"
21021+
21022+#ifdef CONFIG_PAX_KERNEXEC
21023+ " movl %%cr0, %0\n"
21024+ " movl %0, %%eax\n"
21025+ " andl $0xFFFEFFFF, %%eax\n"
21026+ " movl %%eax, %%cr0\n"
21027+#endif
21028+
21029+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21030+
21031+#ifdef CONFIG_PAX_KERNEXEC
21032+ " movl %0, %%cr0\n"
21033+#endif
21034+
21035 " jmp 2b\n"
21036 ".previous\n"
21037 _ASM_EXTABLE(1b, 3b)
21038- : : "r" (from));
21039+ : "=&r" (cr0) : "r" (from) : "ax");
21040
21041 for ( ; i > 5; i--) {
21042 __asm__ __volatile__ (
21043- "1: prefetch 320(%0)\n"
21044- "2: movq (%0), %%mm0\n"
21045- " movq 8(%0), %%mm1\n"
21046- " movq 16(%0), %%mm2\n"
21047- " movq 24(%0), %%mm3\n"
21048- " movq %%mm0, (%1)\n"
21049- " movq %%mm1, 8(%1)\n"
21050- " movq %%mm2, 16(%1)\n"
21051- " movq %%mm3, 24(%1)\n"
21052- " movq 32(%0), %%mm0\n"
21053- " movq 40(%0), %%mm1\n"
21054- " movq 48(%0), %%mm2\n"
21055- " movq 56(%0), %%mm3\n"
21056- " movq %%mm0, 32(%1)\n"
21057- " movq %%mm1, 40(%1)\n"
21058- " movq %%mm2, 48(%1)\n"
21059- " movq %%mm3, 56(%1)\n"
21060+ "1: prefetch 320(%1)\n"
21061+ "2: movq (%1), %%mm0\n"
21062+ " movq 8(%1), %%mm1\n"
21063+ " movq 16(%1), %%mm2\n"
21064+ " movq 24(%1), %%mm3\n"
21065+ " movq %%mm0, (%2)\n"
21066+ " movq %%mm1, 8(%2)\n"
21067+ " movq %%mm2, 16(%2)\n"
21068+ " movq %%mm3, 24(%2)\n"
21069+ " movq 32(%1), %%mm0\n"
21070+ " movq 40(%1), %%mm1\n"
21071+ " movq 48(%1), %%mm2\n"
21072+ " movq 56(%1), %%mm3\n"
21073+ " movq %%mm0, 32(%2)\n"
21074+ " movq %%mm1, 40(%2)\n"
21075+ " movq %%mm2, 48(%2)\n"
21076+ " movq %%mm3, 56(%2)\n"
21077 ".section .fixup, \"ax\"\n"
21078- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21079+ "3:\n"
21080+
21081+#ifdef CONFIG_PAX_KERNEXEC
21082+ " movl %%cr0, %0\n"
21083+ " movl %0, %%eax\n"
21084+ " andl $0xFFFEFFFF, %%eax\n"
21085+ " movl %%eax, %%cr0\n"
21086+#endif
21087+
21088+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21089+
21090+#ifdef CONFIG_PAX_KERNEXEC
21091+ " movl %0, %%cr0\n"
21092+#endif
21093+
21094 " jmp 2b\n"
21095 ".previous\n"
21096 _ASM_EXTABLE(1b, 3b)
21097- : : "r" (from), "r" (to) : "memory");
21098+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21099
21100 from += 64;
21101 to += 64;
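Review bot: The CR0 sequence added to the fixup path at label `3:` uses the bare mask `0xFFFEFFFF` with no comment, and it is the step that switches write protection off so that `movw $0x1AEB, 1b` can patch kernel text. I would add `/* clear CR0.WP (bit 16) so the fixup can rewrite the prefetch at 1b */` before the first `movl %%cr0, %0` and `/* restore CR0, write protection back on */` before `movl %0, %%cr0`. Interrupts are not visibly disabled around the two CR0 writes (only `kernel_fpu_begin()` appears above), so the comment should also say whether an interrupt arriving in that window is accepted. With `CONFIG_PAX_KERNEXEC` unset the asm never writes `%0`, yet `cr0` is still declared as an `"=&r"` output and `"ax"` is still clobbered. The same block is repeated in the second asm of this hunk and in both `fast_copy_page` hunks (`@@ -166,42 +196,70 @@` and `@@ -280,47 +338,76 @@`); `_mmx_memcpy` continues past the end of this hunk.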
21102@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
21103 static void fast_copy_page(void *to, void *from)
21104 {
21105 int i;
21106+ unsigned long cr0;
21107
21108 kernel_fpu_begin();
21109
21110@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
21111 * but that is for later. -AV
21112 */
21113 __asm__ __volatile__(
21114- "1: prefetch (%0)\n"
21115- " prefetch 64(%0)\n"
21116- " prefetch 128(%0)\n"
21117- " prefetch 192(%0)\n"
21118- " prefetch 256(%0)\n"
21119+ "1: prefetch (%1)\n"
21120+ " prefetch 64(%1)\n"
21121+ " prefetch 128(%1)\n"
21122+ " prefetch 192(%1)\n"
21123+ " prefetch 256(%1)\n"
21124 "2: \n"
21125 ".section .fixup, \"ax\"\n"
21126- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21127+ "3: \n"
21128+
21129+#ifdef CONFIG_PAX_KERNEXEC
21130+ " movl %%cr0, %0\n"
21131+ " movl %0, %%eax\n"
21132+ " andl $0xFFFEFFFF, %%eax\n"
21133+ " movl %%eax, %%cr0\n"
21134+#endif
21135+
21136+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21137+
21138+#ifdef CONFIG_PAX_KERNEXEC
21139+ " movl %0, %%cr0\n"
21140+#endif
21141+
21142 " jmp 2b\n"
21143 ".previous\n"
21144- _ASM_EXTABLE(1b, 3b) : : "r" (from));
21145+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21146
21147 for (i = 0; i < (4096-320)/64; i++) {
21148 __asm__ __volatile__ (
21149- "1: prefetch 320(%0)\n"
21150- "2: movq (%0), %%mm0\n"
21151- " movntq %%mm0, (%1)\n"
21152- " movq 8(%0), %%mm1\n"
21153- " movntq %%mm1, 8(%1)\n"
21154- " movq 16(%0), %%mm2\n"
21155- " movntq %%mm2, 16(%1)\n"
21156- " movq 24(%0), %%mm3\n"
21157- " movntq %%mm3, 24(%1)\n"
21158- " movq 32(%0), %%mm4\n"
21159- " movntq %%mm4, 32(%1)\n"
21160- " movq 40(%0), %%mm5\n"
21161- " movntq %%mm5, 40(%1)\n"
21162- " movq 48(%0), %%mm6\n"
21163- " movntq %%mm6, 48(%1)\n"
21164- " movq 56(%0), %%mm7\n"
21165- " movntq %%mm7, 56(%1)\n"
21166+ "1: prefetch 320(%1)\n"
21167+ "2: movq (%1), %%mm0\n"
21168+ " movntq %%mm0, (%2)\n"
21169+ " movq 8(%1), %%mm1\n"
21170+ " movntq %%mm1, 8(%2)\n"
21171+ " movq 16(%1), %%mm2\n"
21172+ " movntq %%mm2, 16(%2)\n"
21173+ " movq 24(%1), %%mm3\n"
21174+ " movntq %%mm3, 24(%2)\n"
21175+ " movq 32(%1), %%mm4\n"
21176+ " movntq %%mm4, 32(%2)\n"
21177+ " movq 40(%1), %%mm5\n"
21178+ " movntq %%mm5, 40(%2)\n"
21179+ " movq 48(%1), %%mm6\n"
21180+ " movntq %%mm6, 48(%2)\n"
21181+ " movq 56(%1), %%mm7\n"
21182+ " movntq %%mm7, 56(%2)\n"
21183 ".section .fixup, \"ax\"\n"
21184- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21185+ "3:\n"
21186+
21187+#ifdef CONFIG_PAX_KERNEXEC
21188+ " movl %%cr0, %0\n"
21189+ " movl %0, %%eax\n"
21190+ " andl $0xFFFEFFFF, %%eax\n"
21191+ " movl %%eax, %%cr0\n"
21192+#endif
21193+
21194+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21195+
21196+#ifdef CONFIG_PAX_KERNEXEC
21197+ " movl %0, %%cr0\n"
21198+#endif
21199+
21200 " jmp 2b\n"
21201 ".previous\n"
21202- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
21203+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21204
21205 from += 64;
21206 to += 64;
21207@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
21208 static void fast_copy_page(void *to, void *from)
21209 {
21210 int i;
21211+ unsigned long cr0;
21212
21213 kernel_fpu_begin();
21214
21215 __asm__ __volatile__ (
21216- "1: prefetch (%0)\n"
21217- " prefetch 64(%0)\n"
21218- " prefetch 128(%0)\n"
21219- " prefetch 192(%0)\n"
21220- " prefetch 256(%0)\n"
21221+ "1: prefetch (%1)\n"
21222+ " prefetch 64(%1)\n"
21223+ " prefetch 128(%1)\n"
21224+ " prefetch 192(%1)\n"
21225+ " prefetch 256(%1)\n"
21226 "2: \n"
21227 ".section .fixup, \"ax\"\n"
21228- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21229+ "3: \n"
21230+
21231+#ifdef CONFIG_PAX_KERNEXEC
21232+ " movl %%cr0, %0\n"
21233+ " movl %0, %%eax\n"
21234+ " andl $0xFFFEFFFF, %%eax\n"
21235+ " movl %%eax, %%cr0\n"
21236+#endif
21237+
21238+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
21239+
21240+#ifdef CONFIG_PAX_KERNEXEC
21241+ " movl %0, %%cr0\n"
21242+#endif
21243+
21244 " jmp 2b\n"
21245 ".previous\n"
21246- _ASM_EXTABLE(1b, 3b) : : "r" (from));
21247+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
21248
21249 for (i = 0; i < 4096/64; i++) {
21250 __asm__ __volatile__ (
21251- "1: prefetch 320(%0)\n"
21252- "2: movq (%0), %%mm0\n"
21253- " movq 8(%0), %%mm1\n"
21254- " movq 16(%0), %%mm2\n"
21255- " movq 24(%0), %%mm3\n"
21256- " movq %%mm0, (%1)\n"
21257- " movq %%mm1, 8(%1)\n"
21258- " movq %%mm2, 16(%1)\n"
21259- " movq %%mm3, 24(%1)\n"
21260- " movq 32(%0), %%mm0\n"
21261- " movq 40(%0), %%mm1\n"
21262- " movq 48(%0), %%mm2\n"
21263- " movq 56(%0), %%mm3\n"
21264- " movq %%mm0, 32(%1)\n"
21265- " movq %%mm1, 40(%1)\n"
21266- " movq %%mm2, 48(%1)\n"
21267- " movq %%mm3, 56(%1)\n"
21268+ "1: prefetch 320(%1)\n"
21269+ "2: movq (%1), %%mm0\n"
21270+ " movq 8(%1), %%mm1\n"
21271+ " movq 16(%1), %%mm2\n"
21272+ " movq 24(%1), %%mm3\n"
21273+ " movq %%mm0, (%2)\n"
21274+ " movq %%mm1, 8(%2)\n"
21275+ " movq %%mm2, 16(%2)\n"
21276+ " movq %%mm3, 24(%2)\n"
21277+ " movq 32(%1), %%mm0\n"
21278+ " movq 40(%1), %%mm1\n"
21279+ " movq 48(%1), %%mm2\n"
21280+ " movq 56(%1), %%mm3\n"
21281+ " movq %%mm0, 32(%2)\n"
21282+ " movq %%mm1, 40(%2)\n"
21283+ " movq %%mm2, 48(%2)\n"
21284+ " movq %%mm3, 56(%2)\n"
21285 ".section .fixup, \"ax\"\n"
21286- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21287+ "3:\n"
21288+
21289+#ifdef CONFIG_PAX_KERNEXEC
21290+ " movl %%cr0, %0\n"
21291+ " movl %0, %%eax\n"
21292+ " andl $0xFFFEFFFF, %%eax\n"
21293+ " movl %%eax, %%cr0\n"
21294+#endif
21295+
21296+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
21297+
21298+#ifdef CONFIG_PAX_KERNEXEC
21299+ " movl %0, %%cr0\n"
21300+#endif
21301+
21302 " jmp 2b\n"
21303 ".previous\n"
21304 _ASM_EXTABLE(1b, 3b)
21305- : : "r" (from), "r" (to) : "memory");
21306+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
21307
21308 from += 64;
21309 to += 64;
21310diff -urNp linux-2.6.32.48/arch/x86/lib/msr-reg.S linux-2.6.32.48/arch/x86/lib/msr-reg.S
21311--- linux-2.6.32.48/arch/x86/lib/msr-reg.S 2011-11-08 19:02:43.000000000 -0500
21312+++ linux-2.6.32.48/arch/x86/lib/msr-reg.S 2011-11-15 19:59:43.000000000 -0500
21313@@ -3,6 +3,7 @@
21314 #include <asm/dwarf2.h>
21315 #include <asm/asm.h>
21316 #include <asm/msr.h>
21317+#include <asm/alternative-asm.h>
21318
21319 #ifdef CONFIG_X86_64
21320 /*
21321@@ -37,6 +38,7 @@ ENTRY(native_\op\()_safe_regs)
21322 movl %edi, 28(%r10)
21323 popq_cfi %rbp
21324 popq_cfi %rbx
21325+ pax_force_retaddr
21326 ret
21327 3:
21328 CFI_RESTORE_STATE
21329diff -urNp linux-2.6.32.48/arch/x86/lib/putuser.S linux-2.6.32.48/arch/x86/lib/putuser.S
21330--- linux-2.6.32.48/arch/x86/lib/putuser.S 2011-11-08 19:02:43.000000000 -0500
21331+++ linux-2.6.32.48/arch/x86/lib/putuser.S 2011-11-15 19:59:43.000000000 -0500
21332@@ -15,7 +15,9 @@
21333 #include <asm/thread_info.h>
21334 #include <asm/errno.h>
21335 #include <asm/asm.h>
21336-
21337+#include <asm/segment.h>
21338+#include <asm/pgtable.h>
21339+#include <asm/alternative-asm.h>
21340
21341 /*
21342 * __put_user_X
21343@@ -29,52 +31,119 @@
21344 * as they get called from within inline assembly.
21345 */
21346
21347-#define ENTER CFI_STARTPROC ; \
21348- GET_THREAD_INFO(%_ASM_BX)
21349-#define EXIT ret ; \
21350+#define ENTER CFI_STARTPROC
21351+#define EXIT pax_force_retaddr; ret ; \
21352 CFI_ENDPROC
21353
21354+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21355+#define _DEST %_ASM_CX,%_ASM_BX
21356+#else
21357+#define _DEST %_ASM_CX
21358+#endif
21359+
21360+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
21361+#define __copyuser_seg gs;
21362+#else
21363+#define __copyuser_seg
21364+#endif
21365+
21366 .text
21367 ENTRY(__put_user_1)
21368 ENTER
21369+
21370+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21371+ GET_THREAD_INFO(%_ASM_BX)
21372 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
21373 jae bad_put_user
21374-1: movb %al,(%_ASM_CX)
21375+
21376+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21377+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21378+ cmp %_ASM_BX,%_ASM_CX
21379+ jb 1234f
21380+ xor %ebx,%ebx
21381+1234:
21382+#endif
21383+
21384+#endif
21385+
21386+1: __copyuser_seg movb %al,(_DEST)
21387 xor %eax,%eax
21388 EXIT
21389 ENDPROC(__put_user_1)
21390
21391 ENTRY(__put_user_2)
21392 ENTER
21393+
21394+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21395+ GET_THREAD_INFO(%_ASM_BX)
21396 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21397 sub $1,%_ASM_BX
21398 cmp %_ASM_BX,%_ASM_CX
21399 jae bad_put_user
21400-2: movw %ax,(%_ASM_CX)
21401+
21402+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21403+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21404+ cmp %_ASM_BX,%_ASM_CX
21405+ jb 1234f
21406+ xor %ebx,%ebx
21407+1234:
21408+#endif
21409+
21410+#endif
21411+
21412+2: __copyuser_seg movw %ax,(_DEST)
21413 xor %eax,%eax
21414 EXIT
21415 ENDPROC(__put_user_2)
21416
21417 ENTRY(__put_user_4)
21418 ENTER
21419+
21420+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21421+ GET_THREAD_INFO(%_ASM_BX)
21422 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21423 sub $3,%_ASM_BX
21424 cmp %_ASM_BX,%_ASM_CX
21425 jae bad_put_user
21426-3: movl %eax,(%_ASM_CX)
21427+
21428+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21429+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21430+ cmp %_ASM_BX,%_ASM_CX
21431+ jb 1234f
21432+ xor %ebx,%ebx
21433+1234:
21434+#endif
21435+
21436+#endif
21437+
21438+3: __copyuser_seg movl %eax,(_DEST)
21439 xor %eax,%eax
21440 EXIT
21441 ENDPROC(__put_user_4)
21442
21443 ENTRY(__put_user_8)
21444 ENTER
21445+
21446+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
21447+ GET_THREAD_INFO(%_ASM_BX)
21448 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
21449 sub $7,%_ASM_BX
21450 cmp %_ASM_BX,%_ASM_CX
21451 jae bad_put_user
21452-4: mov %_ASM_AX,(%_ASM_CX)
21453+
21454+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21455+ mov $PAX_USER_SHADOW_BASE,%_ASM_BX
21456+ cmp %_ASM_BX,%_ASM_CX
21457+ jb 1234f
21458+ xor %ebx,%ebx
21459+1234:
21460+#endif
21461+
21462+#endif
21463+
21464+4: __copyuser_seg mov %_ASM_AX,(_DEST)
21465 #ifdef CONFIG_X86_32
21466-5: movl %edx,4(%_ASM_CX)
21467+5: __copyuser_seg movl %edx,4(_DEST)
21468 #endif
21469 xor %eax,%eax
21470 EXIT
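Review bot: Under `CONFIG_X86_32` with `CONFIG_PAX_MEMORY_UDEREF` the whole `TI_addr_limit` comparison in `__put_user_1` through `__put_user_8` is compiled out, and nothing in the hunk says what bounds the store instead. From the `__copyuser_seg gs;` definition it looks as if the `gs` segment is meant to confine the access, so a comment such as `/* 32-bit UDEREF: no addr_limit compare, the gs-prefixed store is confined by the segment */` above the first `#if` would make that explicit; confirm the wording against the UDEREF design. On x86-64 `%_ASM_BX` doubles as the index register in `_DEST`, so it must hold either `PAX_USER_SHADOW_BASE` or zero at the store, which deserves a line next to the `1234:` label. The nested `#endif` lines would also be easier to follow with trailing condition comments. The hunk ends inside `__put_user_8`.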
21471diff -urNp linux-2.6.32.48/arch/x86/lib/rwlock_64.S linux-2.6.32.48/arch/x86/lib/rwlock_64.S
21472--- linux-2.6.32.48/arch/x86/lib/rwlock_64.S 2011-11-08 19:02:43.000000000 -0500
21473+++ linux-2.6.32.48/arch/x86/lib/rwlock_64.S 2011-11-15 19:59:43.000000000 -0500
21474@@ -17,6 +17,7 @@ ENTRY(__write_lock_failed)
21475 LOCK_PREFIX
21476 subl $RW_LOCK_BIAS,(%rdi)
21477 jnz __write_lock_failed
21478+ pax_force_retaddr
21479 ret
21480 CFI_ENDPROC
21481 END(__write_lock_failed)
21482@@ -33,6 +34,7 @@ ENTRY(__read_lock_failed)
21483 LOCK_PREFIX
21484 decl (%rdi)
21485 js __read_lock_failed
21486+ pax_force_retaddr
21487 ret
21488 CFI_ENDPROC
21489 END(__read_lock_failed)
21490diff -urNp linux-2.6.32.48/arch/x86/lib/rwsem_64.S linux-2.6.32.48/arch/x86/lib/rwsem_64.S
21491--- linux-2.6.32.48/arch/x86/lib/rwsem_64.S 2011-11-08 19:02:43.000000000 -0500
21492+++ linux-2.6.32.48/arch/x86/lib/rwsem_64.S 2011-11-15 19:59:43.000000000 -0500
21493@@ -48,6 +48,7 @@ ENTRY(call_rwsem_down_read_failed)
21494 call rwsem_down_read_failed
21495 popq %rdx
21496 restore_common_regs
21497+ pax_force_retaddr
21498 ret
21499 ENDPROC(call_rwsem_down_read_failed)
21500
21501@@ -56,6 +57,7 @@ ENTRY(call_rwsem_down_write_failed)
21502 movq %rax,%rdi
21503 call rwsem_down_write_failed
21504 restore_common_regs
21505+ pax_force_retaddr
21506 ret
21507 ENDPROC(call_rwsem_down_write_failed)
21508
21509@@ -66,7 +68,8 @@ ENTRY(call_rwsem_wake)
21510 movq %rax,%rdi
21511 call rwsem_wake
21512 restore_common_regs
21513-1: ret
21514+1: pax_force_retaddr
21515+ ret
21516 ENDPROC(call_rwsem_wake)
21517
21518 /* Fix up special calling conventions */
21519@@ -77,5 +80,6 @@ ENTRY(call_rwsem_downgrade_wake)
21520 call rwsem_downgrade_wake
21521 popq %rdx
21522 restore_common_regs
21523+ pax_force_retaddr
21524 ret
21525 ENDPROC(call_rwsem_downgrade_wake)
21526diff -urNp linux-2.6.32.48/arch/x86/lib/thunk_64.S linux-2.6.32.48/arch/x86/lib/thunk_64.S
21527--- linux-2.6.32.48/arch/x86/lib/thunk_64.S 2011-11-08 19:02:43.000000000 -0500
21528+++ linux-2.6.32.48/arch/x86/lib/thunk_64.S 2011-11-15 19:59:43.000000000 -0500
21529@@ -10,7 +10,8 @@
21530 #include <asm/dwarf2.h>
21531 #include <asm/calling.h>
21532 #include <asm/rwlock.h>
21533-
21534+ #include <asm/alternative-asm.h>
21535+
21536 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
21537 .macro thunk name,func
21538 .globl \name
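Review bot: The added `#include <asm/alternative-asm.h>` is indented, unlike the three includes above it and unlike the same include added in msr-reg.S and memset_64.S. The blank line after it was also replaced by one that appears to carry whitespace. I would write the directive at column 0, `#include <asm/alternative-asm.h>`, and leave the following blank line untouched.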
21539@@ -70,6 +71,7 @@
21540 SAVE_ARGS
21541 restore:
21542 RESTORE_ARGS
21543+ pax_force_retaddr
21544 ret
21545 CFI_ENDPROC
21546
21547@@ -77,5 +79,6 @@ restore:
21548 SAVE_ARGS
21549 restore_norax:
21550 RESTORE_ARGS 1
21551+ pax_force_retaddr
21552 ret
21553 CFI_ENDPROC
21554diff -urNp linux-2.6.32.48/arch/x86/lib/usercopy_32.c linux-2.6.32.48/arch/x86/lib/usercopy_32.c
21555--- linux-2.6.32.48/arch/x86/lib/usercopy_32.c 2011-11-08 19:02:43.000000000 -0500
21556+++ linux-2.6.32.48/arch/x86/lib/usercopy_32.c 2011-11-15 19:59:43.000000000 -0500
21557@@ -43,7 +43,7 @@ do { \
21558 __asm__ __volatile__( \
21559 " testl %1,%1\n" \
21560 " jz 2f\n" \
21561- "0: lodsb\n" \
21562+ "0: "__copyuser_seg"lodsb\n" \
21563 " stosb\n" \
21564 " testb %%al,%%al\n" \
21565 " jz 1f\n" \
21566@@ -128,10 +128,12 @@ do { \
21567 int __d0; \
21568 might_fault(); \
21569 __asm__ __volatile__( \
21570+ __COPYUSER_SET_ES \
21571 "0: rep; stosl\n" \
21572 " movl %2,%0\n" \
21573 "1: rep; stosb\n" \
21574 "2:\n" \
21575+ __COPYUSER_RESTORE_ES \
21576 ".section .fixup,\"ax\"\n" \
21577 "3: lea 0(%2,%0,4),%0\n" \
21578 " jmp 2b\n" \
21579@@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
21580 might_fault();
21581
21582 __asm__ __volatile__(
21583+ __COPYUSER_SET_ES
21584 " testl %0, %0\n"
21585 " jz 3f\n"
21586 " andl %0,%%ecx\n"
21587@@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
21588 " subl %%ecx,%0\n"
21589 " addl %0,%%eax\n"
21590 "1:\n"
21591+ __COPYUSER_RESTORE_ES
21592 ".section .fixup,\"ax\"\n"
21593 "2: xorl %%eax,%%eax\n"
21594 " jmp 1b\n"
21595@@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
21596
21597 #ifdef CONFIG_X86_INTEL_USERCOPY
21598 static unsigned long
21599-__copy_user_intel(void __user *to, const void *from, unsigned long size)
21600+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
21601 {
21602 int d0, d1;
21603 __asm__ __volatile__(
21604@@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
21605 " .align 2,0x90\n"
21606 "3: movl 0(%4), %%eax\n"
21607 "4: movl 4(%4), %%edx\n"
21608- "5: movl %%eax, 0(%3)\n"
21609- "6: movl %%edx, 4(%3)\n"
21610+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
21611+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
21612 "7: movl 8(%4), %%eax\n"
21613 "8: movl 12(%4),%%edx\n"
21614- "9: movl %%eax, 8(%3)\n"
21615- "10: movl %%edx, 12(%3)\n"
21616+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
21617+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
21618 "11: movl 16(%4), %%eax\n"
21619 "12: movl 20(%4), %%edx\n"
21620- "13: movl %%eax, 16(%3)\n"
21621- "14: movl %%edx, 20(%3)\n"
21622+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
21623+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
21624 "15: movl 24(%4), %%eax\n"
21625 "16: movl 28(%4), %%edx\n"
21626- "17: movl %%eax, 24(%3)\n"
21627- "18: movl %%edx, 28(%3)\n"
21628+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
21629+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
21630 "19: movl 32(%4), %%eax\n"
21631 "20: movl 36(%4), %%edx\n"
21632- "21: movl %%eax, 32(%3)\n"
21633- "22: movl %%edx, 36(%3)\n"
21634+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
21635+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
21636 "23: movl 40(%4), %%eax\n"
21637 "24: movl 44(%4), %%edx\n"
21638- "25: movl %%eax, 40(%3)\n"
21639- "26: movl %%edx, 44(%3)\n"
21640+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
21641+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
21642 "27: movl 48(%4), %%eax\n"
21643 "28: movl 52(%4), %%edx\n"
21644- "29: movl %%eax, 48(%3)\n"
21645- "30: movl %%edx, 52(%3)\n"
21646+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
21647+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
21648 "31: movl 56(%4), %%eax\n"
21649 "32: movl 60(%4), %%edx\n"
21650- "33: movl %%eax, 56(%3)\n"
21651- "34: movl %%edx, 60(%3)\n"
21652+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
21653+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
21654 " addl $-64, %0\n"
21655 " addl $64, %4\n"
21656 " addl $64, %3\n"
21657@@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
21658 " shrl $2, %0\n"
21659 " andl $3, %%eax\n"
21660 " cld\n"
21661+ __COPYUSER_SET_ES
21662 "99: rep; movsl\n"
21663 "36: movl %%eax, %0\n"
21664 "37: rep; movsb\n"
21665 "100:\n"
21666+ __COPYUSER_RESTORE_ES
21667+ ".section .fixup,\"ax\"\n"
21668+ "101: lea 0(%%eax,%0,4),%0\n"
21669+ " jmp 100b\n"
21670+ ".previous\n"
21671+ ".section __ex_table,\"a\"\n"
21672+ " .align 4\n"
21673+ " .long 1b,100b\n"
21674+ " .long 2b,100b\n"
21675+ " .long 3b,100b\n"
21676+ " .long 4b,100b\n"
21677+ " .long 5b,100b\n"
21678+ " .long 6b,100b\n"
21679+ " .long 7b,100b\n"
21680+ " .long 8b,100b\n"
21681+ " .long 9b,100b\n"
21682+ " .long 10b,100b\n"
21683+ " .long 11b,100b\n"
21684+ " .long 12b,100b\n"
21685+ " .long 13b,100b\n"
21686+ " .long 14b,100b\n"
21687+ " .long 15b,100b\n"
21688+ " .long 16b,100b\n"
21689+ " .long 17b,100b\n"
21690+ " .long 18b,100b\n"
21691+ " .long 19b,100b\n"
21692+ " .long 20b,100b\n"
21693+ " .long 21b,100b\n"
21694+ " .long 22b,100b\n"
21695+ " .long 23b,100b\n"
21696+ " .long 24b,100b\n"
21697+ " .long 25b,100b\n"
21698+ " .long 26b,100b\n"
21699+ " .long 27b,100b\n"
21700+ " .long 28b,100b\n"
21701+ " .long 29b,100b\n"
21702+ " .long 30b,100b\n"
21703+ " .long 31b,100b\n"
21704+ " .long 32b,100b\n"
21705+ " .long 33b,100b\n"
21706+ " .long 34b,100b\n"
21707+ " .long 35b,100b\n"
21708+ " .long 36b,100b\n"
21709+ " .long 37b,100b\n"
21710+ " .long 99b,101b\n"
21711+ ".previous"
21712+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
21713+ : "1"(to), "2"(from), "0"(size)
21714+ : "eax", "edx", "memory");
21715+ return size;
21716+}
21717+
21718+static unsigned long
21719+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
21720+{
21721+ int d0, d1;
21722+ __asm__ __volatile__(
21723+ " .align 2,0x90\n"
21724+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
21725+ " cmpl $67, %0\n"
21726+ " jbe 3f\n"
21727+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
21728+ " .align 2,0x90\n"
21729+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
21730+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
21731+ "5: movl %%eax, 0(%3)\n"
21732+ "6: movl %%edx, 4(%3)\n"
21733+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
21734+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
21735+ "9: movl %%eax, 8(%3)\n"
21736+ "10: movl %%edx, 12(%3)\n"
21737+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
21738+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
21739+ "13: movl %%eax, 16(%3)\n"
21740+ "14: movl %%edx, 20(%3)\n"
21741+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
21742+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
21743+ "17: movl %%eax, 24(%3)\n"
21744+ "18: movl %%edx, 28(%3)\n"
21745+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
21746+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
21747+ "21: movl %%eax, 32(%3)\n"
21748+ "22: movl %%edx, 36(%3)\n"
21749+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
21750+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
21751+ "25: movl %%eax, 40(%3)\n"
21752+ "26: movl %%edx, 44(%3)\n"
21753+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
21754+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
21755+ "29: movl %%eax, 48(%3)\n"
21756+ "30: movl %%edx, 52(%3)\n"
21757+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
21758+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
21759+ "33: movl %%eax, 56(%3)\n"
21760+ "34: movl %%edx, 60(%3)\n"
21761+ " addl $-64, %0\n"
21762+ " addl $64, %4\n"
21763+ " addl $64, %3\n"
21764+ " cmpl $63, %0\n"
21765+ " ja 1b\n"
21766+ "35: movl %0, %%eax\n"
21767+ " shrl $2, %0\n"
21768+ " andl $3, %%eax\n"
21769+ " cld\n"
21770+ "99: rep; "__copyuser_seg" movsl\n"
21771+ "36: movl %%eax, %0\n"
21772+ "37: rep; "__copyuser_seg" movsb\n"
21773+ "100:\n"
21774 ".section .fixup,\"ax\"\n"
21775 "101: lea 0(%%eax,%0,4),%0\n"
21776 " jmp 100b\n"
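Review bot: In `__generic_copy_to_user_intel` the exception-table entries for labels 1 to 35 resume at `100b`, which now falls through into `__COPYUSER_RESTORE_ES`, while `__COPYUSER_SET_ES` only runs just before `99:`. A fault in the unrolled loop therefore executes the restore without the matching set. Both macros are defined outside this hunk, so I cannot tell whether the restore is self-contained or undoes something the set left behind; in the second case the early fault path would return with inconsistent state. Please state the requirement at the use site, for example `/* RESTORE_ES must be safe without a prior SET_ES: faults at 1..35 resume at 100 */`. The hunk ends inside the fixup section of `__generic_copy_from_user_intel`.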
21777@@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
21778 int d0, d1;
21779 __asm__ __volatile__(
21780 " .align 2,0x90\n"
21781- "0: movl 32(%4), %%eax\n"
21782+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21783 " cmpl $67, %0\n"
21784 " jbe 2f\n"
21785- "1: movl 64(%4), %%eax\n"
21786+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21787 " .align 2,0x90\n"
21788- "2: movl 0(%4), %%eax\n"
21789- "21: movl 4(%4), %%edx\n"
21790+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21791+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21792 " movl %%eax, 0(%3)\n"
21793 " movl %%edx, 4(%3)\n"
21794- "3: movl 8(%4), %%eax\n"
21795- "31: movl 12(%4),%%edx\n"
21796+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21797+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21798 " movl %%eax, 8(%3)\n"
21799 " movl %%edx, 12(%3)\n"
21800- "4: movl 16(%4), %%eax\n"
21801- "41: movl 20(%4), %%edx\n"
21802+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21803+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21804 " movl %%eax, 16(%3)\n"
21805 " movl %%edx, 20(%3)\n"
21806- "10: movl 24(%4), %%eax\n"
21807- "51: movl 28(%4), %%edx\n"
21808+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21809+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21810 " movl %%eax, 24(%3)\n"
21811 " movl %%edx, 28(%3)\n"
21812- "11: movl 32(%4), %%eax\n"
21813- "61: movl 36(%4), %%edx\n"
21814+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21815+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21816 " movl %%eax, 32(%3)\n"
21817 " movl %%edx, 36(%3)\n"
21818- "12: movl 40(%4), %%eax\n"
21819- "71: movl 44(%4), %%edx\n"
21820+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21821+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21822 " movl %%eax, 40(%3)\n"
21823 " movl %%edx, 44(%3)\n"
21824- "13: movl 48(%4), %%eax\n"
21825- "81: movl 52(%4), %%edx\n"
21826+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21827+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21828 " movl %%eax, 48(%3)\n"
21829 " movl %%edx, 52(%3)\n"
21830- "14: movl 56(%4), %%eax\n"
21831- "91: movl 60(%4), %%edx\n"
21832+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21833+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21834 " movl %%eax, 56(%3)\n"
21835 " movl %%edx, 60(%3)\n"
21836 " addl $-64, %0\n"
21837@@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
21838 " shrl $2, %0\n"
21839 " andl $3, %%eax\n"
21840 " cld\n"
21841- "6: rep; movsl\n"
21842+ "6: rep; "__copyuser_seg" movsl\n"
21843 " movl %%eax,%0\n"
21844- "7: rep; movsb\n"
21845+ "7: rep; "__copyuser_seg" movsb\n"
21846 "8:\n"
21847 ".section .fixup,\"ax\"\n"
21848 "9: lea 0(%%eax,%0,4),%0\n"
21849@@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
21850
21851 __asm__ __volatile__(
21852 " .align 2,0x90\n"
21853- "0: movl 32(%4), %%eax\n"
21854+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21855 " cmpl $67, %0\n"
21856 " jbe 2f\n"
21857- "1: movl 64(%4), %%eax\n"
21858+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21859 " .align 2,0x90\n"
21860- "2: movl 0(%4), %%eax\n"
21861- "21: movl 4(%4), %%edx\n"
21862+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21863+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21864 " movnti %%eax, 0(%3)\n"
21865 " movnti %%edx, 4(%3)\n"
21866- "3: movl 8(%4), %%eax\n"
21867- "31: movl 12(%4),%%edx\n"
21868+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21869+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21870 " movnti %%eax, 8(%3)\n"
21871 " movnti %%edx, 12(%3)\n"
21872- "4: movl 16(%4), %%eax\n"
21873- "41: movl 20(%4), %%edx\n"
21874+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21875+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21876 " movnti %%eax, 16(%3)\n"
21877 " movnti %%edx, 20(%3)\n"
21878- "10: movl 24(%4), %%eax\n"
21879- "51: movl 28(%4), %%edx\n"
21880+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21881+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21882 " movnti %%eax, 24(%3)\n"
21883 " movnti %%edx, 28(%3)\n"
21884- "11: movl 32(%4), %%eax\n"
21885- "61: movl 36(%4), %%edx\n"
21886+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21887+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21888 " movnti %%eax, 32(%3)\n"
21889 " movnti %%edx, 36(%3)\n"
21890- "12: movl 40(%4), %%eax\n"
21891- "71: movl 44(%4), %%edx\n"
21892+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21893+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21894 " movnti %%eax, 40(%3)\n"
21895 " movnti %%edx, 44(%3)\n"
21896- "13: movl 48(%4), %%eax\n"
21897- "81: movl 52(%4), %%edx\n"
21898+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21899+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21900 " movnti %%eax, 48(%3)\n"
21901 " movnti %%edx, 52(%3)\n"
21902- "14: movl 56(%4), %%eax\n"
21903- "91: movl 60(%4), %%edx\n"
21904+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21905+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21906 " movnti %%eax, 56(%3)\n"
21907 " movnti %%edx, 60(%3)\n"
21908 " addl $-64, %0\n"
21909@@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
21910 " shrl $2, %0\n"
21911 " andl $3, %%eax\n"
21912 " cld\n"
21913- "6: rep; movsl\n"
21914+ "6: rep; "__copyuser_seg" movsl\n"
21915 " movl %%eax,%0\n"
21916- "7: rep; movsb\n"
21917+ "7: rep; "__copyuser_seg" movsb\n"
21918 "8:\n"
21919 ".section .fixup,\"ax\"\n"
21920 "9: lea 0(%%eax,%0,4),%0\n"
21921@@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
21922
21923 __asm__ __volatile__(
21924 " .align 2,0x90\n"
21925- "0: movl 32(%4), %%eax\n"
21926+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
21927 " cmpl $67, %0\n"
21928 " jbe 2f\n"
21929- "1: movl 64(%4), %%eax\n"
21930+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
21931 " .align 2,0x90\n"
21932- "2: movl 0(%4), %%eax\n"
21933- "21: movl 4(%4), %%edx\n"
21934+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
21935+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
21936 " movnti %%eax, 0(%3)\n"
21937 " movnti %%edx, 4(%3)\n"
21938- "3: movl 8(%4), %%eax\n"
21939- "31: movl 12(%4),%%edx\n"
21940+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
21941+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
21942 " movnti %%eax, 8(%3)\n"
21943 " movnti %%edx, 12(%3)\n"
21944- "4: movl 16(%4), %%eax\n"
21945- "41: movl 20(%4), %%edx\n"
21946+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
21947+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
21948 " movnti %%eax, 16(%3)\n"
21949 " movnti %%edx, 20(%3)\n"
21950- "10: movl 24(%4), %%eax\n"
21951- "51: movl 28(%4), %%edx\n"
21952+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
21953+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
21954 " movnti %%eax, 24(%3)\n"
21955 " movnti %%edx, 28(%3)\n"
21956- "11: movl 32(%4), %%eax\n"
21957- "61: movl 36(%4), %%edx\n"
21958+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
21959+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
21960 " movnti %%eax, 32(%3)\n"
21961 " movnti %%edx, 36(%3)\n"
21962- "12: movl 40(%4), %%eax\n"
21963- "71: movl 44(%4), %%edx\n"
21964+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
21965+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
21966 " movnti %%eax, 40(%3)\n"
21967 " movnti %%edx, 44(%3)\n"
21968- "13: movl 48(%4), %%eax\n"
21969- "81: movl 52(%4), %%edx\n"
21970+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
21971+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
21972 " movnti %%eax, 48(%3)\n"
21973 " movnti %%edx, 52(%3)\n"
21974- "14: movl 56(%4), %%eax\n"
21975- "91: movl 60(%4), %%edx\n"
21976+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
21977+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
21978 " movnti %%eax, 56(%3)\n"
21979 " movnti %%edx, 60(%3)\n"
21980 " addl $-64, %0\n"
21981@@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
21982 " shrl $2, %0\n"
21983 " andl $3, %%eax\n"
21984 " cld\n"
21985- "6: rep; movsl\n"
21986+ "6: rep; "__copyuser_seg" movsl\n"
21987 " movl %%eax,%0\n"
21988- "7: rep; movsb\n"
21989+ "7: rep; "__copyuser_seg" movsb\n"
21990 "8:\n"
21991 ".section .fixup,\"ax\"\n"
21992 "9: lea 0(%%eax,%0,4),%0\n"
21993@@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
21994 */
21995 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
21996 unsigned long size);
21997-unsigned long __copy_user_intel(void __user *to, const void *from,
21998+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
21999+ unsigned long size);
22000+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
22001 unsigned long size);
22002 unsigned long __copy_user_zeroing_intel_nocache(void *to,
22003 const void __user *from, unsigned long size);
22004 #endif /* CONFIG_X86_INTEL_USERCOPY */
22005
22006 /* Generic arbitrary sized copy. */
22007-#define __copy_user(to, from, size) \
22008+#define __copy_user(to, from, size, prefix, set, restore) \
22009 do { \
22010 int __d0, __d1, __d2; \
22011 __asm__ __volatile__( \
22012+ set \
22013 " cmp $7,%0\n" \
22014 " jbe 1f\n" \
22015 " movl %1,%0\n" \
22016 " negl %0\n" \
22017 " andl $7,%0\n" \
22018 " subl %0,%3\n" \
22019- "4: rep; movsb\n" \
22020+ "4: rep; "prefix"movsb\n" \
22021 " movl %3,%0\n" \
22022 " shrl $2,%0\n" \
22023 " andl $3,%3\n" \
22024 " .align 2,0x90\n" \
22025- "0: rep; movsl\n" \
22026+ "0: rep; "prefix"movsl\n" \
22027 " movl %3,%0\n" \
22028- "1: rep; movsb\n" \
22029+ "1: rep; "prefix"movsb\n" \
22030 "2:\n" \
22031+ restore \
22032 ".section .fixup,\"ax\"\n" \
22033 "5: addl %3,%0\n" \
22034 " jmp 2b\n" \
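Review bot: The three parameters added to `__copy_user` (`prefix`, `set`, `restore`) have no comment, and the call sites further down pass them in two different combinations that are not self-explanatory. A short comment above the macro would help, e.g. `/* prefix: segment override applied to the movs source operand; set/restore: asm fragments emitted before the copy and at label 2 */`. Because the `.fixup` code jumps back to `2b`, `restore` also runs after a faulting copy, which is worth stating since it is what keeps the segment register from staying switched on the error path. What `__COPYUSER_SET_ES` and `__copyuser_seg` expand to is not visible here, and the macro body continues past the end of the hunk.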
22035@@ -682,14 +799,14 @@ do { \
22036 " negl %0\n" \
22037 " andl $7,%0\n" \
22038 " subl %0,%3\n" \
22039- "4: rep; movsb\n" \
22040+ "4: rep; "__copyuser_seg"movsb\n" \
22041 " movl %3,%0\n" \
22042 " shrl $2,%0\n" \
22043 " andl $3,%3\n" \
22044 " .align 2,0x90\n" \
22045- "0: rep; movsl\n" \
22046+ "0: rep; "__copyuser_seg"movsl\n" \
22047 " movl %3,%0\n" \
22048- "1: rep; movsb\n" \
22049+ "1: rep; "__copyuser_seg"movsb\n" \
22050 "2:\n" \
22051 ".section .fixup,\"ax\"\n" \
22052 "5: addl %3,%0\n" \
22053@@ -775,9 +892,9 @@ survive:
22054 }
22055 #endif
22056 if (movsl_is_ok(to, from, n))
22057- __copy_user(to, from, n);
22058+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
22059 else
22060- n = __copy_user_intel(to, from, n);
22061+ n = __generic_copy_to_user_intel(to, from, n);
22062 return n;
22063 }
22064 EXPORT_SYMBOL(__copy_to_user_ll);
22065@@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
22066 unsigned long n)
22067 {
22068 if (movsl_is_ok(to, from, n))
22069- __copy_user(to, from, n);
22070+ __copy_user(to, from, n, __copyuser_seg, "", "");
22071 else
22072- n = __copy_user_intel((void __user *)to,
22073- (const void *)from, n);
22074+ n = __generic_copy_from_user_intel(to, from, n);
22075 return n;
22076 }
22077 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
22078@@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
22079 if (n > 64 && cpu_has_xmm2)
22080 n = __copy_user_intel_nocache(to, from, n);
22081 else
22082- __copy_user(to, from, n);
22083+ __copy_user(to, from, n, __copyuser_seg, "", "");
22084 #else
22085- __copy_user(to, from, n);
22086+ __copy_user(to, from, n, __copyuser_seg, "", "");
22087 #endif
22088 return n;
22089 }
22090 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
22091
22092-/**
22093- * copy_to_user: - Copy a block of data into user space.
22094- * @to: Destination address, in user space.
22095- * @from: Source address, in kernel space.
22096- * @n: Number of bytes to copy.
22097- *
22098- * Context: User context only. This function may sleep.
22099- *
22100- * Copy data from kernel space to user space.
22101- *
22102- * Returns number of bytes that could not be copied.
22103- * On success, this will be zero.
22104- */
22105-unsigned long
22106-copy_to_user(void __user *to, const void *from, unsigned long n)
22107+#ifdef CONFIG_PAX_MEMORY_UDEREF
22108+void __set_fs(mm_segment_t x)
22109 {
22110- if (access_ok(VERIFY_WRITE, to, n))
22111- n = __copy_to_user(to, from, n);
22112- return n;
22113+ switch (x.seg) {
22114+ case 0:
22115+ loadsegment(gs, 0);
22116+ break;
22117+ case TASK_SIZE_MAX:
22118+ loadsegment(gs, __USER_DS);
22119+ break;
22120+ case -1UL:
22121+ loadsegment(gs, __KERNEL_DS);
22122+ break;
22123+ default:
22124+ BUG();
22125+ }
22126+ return;
22127 }
22128-EXPORT_SYMBOL(copy_to_user);
22129+EXPORT_SYMBOL(__set_fs);
22130
22131-/**
22132- * copy_from_user: - Copy a block of data from user space.
22133- * @to: Destination address, in kernel space.
22134- * @from: Source address, in user space.
22135- * @n: Number of bytes to copy.
22136- *
22137- * Context: User context only. This function may sleep.
22138- *
22139- * Copy data from user space to kernel space.
22140- *
22141- * Returns number of bytes that could not be copied.
22142- * On success, this will be zero.
22143- *
22144- * If some data could not be copied, this function will pad the copied
22145- * data to the requested size using zero bytes.
22146- */
22147-unsigned long
22148-copy_from_user(void *to, const void __user *from, unsigned long n)
22149+void set_fs(mm_segment_t x)
22150 {
22151- if (access_ok(VERIFY_READ, from, n))
22152- n = __copy_from_user(to, from, n);
22153- else
22154- memset(to, 0, n);
22155- return n;
22156+ current_thread_info()->addr_limit = x;
22157+ __set_fs(x);
22158 }
22159-EXPORT_SYMBOL(copy_from_user);
22160+EXPORT_SYMBOL(set_fs);
22161+#endif
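Review bot: `__set_fs` maps exactly three `x.seg` values to a `%gs` selector and calls `BUG()` for anything else, but nothing in the function says which limit each case stands for or why `%gs` is the register being loaded. I would add a comment above it such as `/* UDEREF: mirror addr_limit in %gs: 0 -> null selector, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; any other limit is a bug */`. In `set_fs`, `addr_limit` is written before `%gs` is reloaded; if a context switch between the two statements can matter, a comment on how `%gs` is re-synchronised would settle it (not determinable from this hunk). The trailing `return;` in `__set_fs` is redundant.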
22162diff -urNp linux-2.6.32.48/arch/x86/lib/usercopy_64.c linux-2.6.32.48/arch/x86/lib/usercopy_64.c
22163--- linux-2.6.32.48/arch/x86/lib/usercopy_64.c 2011-11-08 19:02:43.000000000 -0500
22164+++ linux-2.6.32.48/arch/x86/lib/usercopy_64.c 2011-11-15 19:59:43.000000000 -0500
22165@@ -42,6 +42,12 @@ long
22166 __strncpy_from_user(char *dst, const char __user *src, long count)
22167 {
22168 long res;
22169+
22170+#ifdef CONFIG_PAX_MEMORY_UDEREF
22171+ if ((unsigned long)src < PAX_USER_SHADOW_BASE)
22172+ src += PAX_USER_SHADOW_BASE;
22173+#endif
22174+
22175 __do_strncpy_from_user(dst, src, count, res);
22176 return res;
22177 }
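Review bot: The rebase `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is open-coded here in `__strncpy_from_user` and again in the `__clear_user` and `copy_in_user` hunks below (twice in the latter). A single helper or macro would keep the four copies from drifting apart and give one place to document the rule that pointers at or above the shadow base pass through unchanged. In `__strncpy_from_user` and `__clear_user` there is no `access_ok()` before the rebase, so these two rely on the caller having validated the range; a one-line comment saying so would help, e.g. `/* caller has done access_ok(); only translate into the UDEREF shadow mapping */`. Whether such a helper already exists elsewhere in the patch is not visible from these hunks.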
22178@@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
22179 {
22180 long __d0;
22181 might_fault();
22182+
22183+#ifdef CONFIG_PAX_MEMORY_UDEREF
22184+ if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
22185+ addr += PAX_USER_SHADOW_BASE;
22186+#endif
22187+
22188 /* no memory constraint because it doesn't change any memory gcc knows
22189 about */
22190 asm volatile(
22191@@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
22192
22193 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
22194 {
22195- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22196- return copy_user_generic((__force void *)to, (__force void *)from, len);
22197- }
22198- return len;
22199+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
22200+
22201+#ifdef CONFIG_PAX_MEMORY_UDEREF
22202+ if ((unsigned long)to < PAX_USER_SHADOW_BASE)
22203+ to += PAX_USER_SHADOW_BASE;
22204+ if ((unsigned long)from < PAX_USER_SHADOW_BASE)
22205+ from += PAX_USER_SHADOW_BASE;
22206+#endif
22207+
22208+ return copy_user_generic((void __force_kernel *)to, (void __force_kernel *)from, len);
22209+ }
22210+ return len;
22211 }
22212 EXPORT_SYMBOL(copy_in_user);
22213
22214@@ -164,7 +184,7 @@ EXPORT_SYMBOL(copy_in_user);
22215 * it is not necessary to optimize tail handling.
22216 */
22217 unsigned long
22218-copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest)
22219+copy_user_handle_tail(char __user *to, char __user *from, unsigned len, unsigned zerorest)
22220 {
22221 char c;
22222 unsigned zero_len;
22223diff -urNp linux-2.6.32.48/arch/x86/Makefile linux-2.6.32.48/arch/x86/Makefile
22224--- linux-2.6.32.48/arch/x86/Makefile 2011-11-08 19:02:43.000000000 -0500
22225+++ linux-2.6.32.48/arch/x86/Makefile 2011-11-15 19:59:43.000000000 -0500
22226@@ -44,6 +44,7 @@ ifeq ($(CONFIG_X86_32),y)
22227 else
22228 BITS := 64
22229 UTS_MACHINE := x86_64
22230+ biarch := $(call cc-option,-m64)
22231 CHECKFLAGS += -D__x86_64__ -m64
22232
22233 KBUILD_AFLAGS += -m64
22234@@ -189,3 +190,12 @@ define archhelp
22235 echo ' FDARGS="..." arguments for the booted kernel'
22236 echo ' FDINITRD=file initrd for the booted kernel'
22237 endef
22238+
22239+define OLD_LD
22240+
22241+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
22242+*** Please upgrade your binutils to 2.18 or newer
22243+endef
22244+
22245+archprepare:
22246+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
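Review bot: The `archprepare` check tests whether `LDFLAGS_BUILD_ID` is empty, while the `OLD_LD` message tells the user to upgrade binutils to 2.18; the link between the two is not stated anywhere. A comment above the rule would make the proxy explicit, e.g. `# LDFLAGS_BUILD_ID is empty when the linker does not accept --build-id; used here as a stand-in for a binutils version check`. As written, a build where that variable ends up empty for any other reason gets the same "old binutils" error, so the message could also name the variable that was tested.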
22247diff -urNp linux-2.6.32.48/arch/x86/mm/extable.c linux-2.6.32.48/arch/x86/mm/extable.c
22248--- linux-2.6.32.48/arch/x86/mm/extable.c 2011-11-08 19:02:43.000000000 -0500
22249+++ linux-2.6.32.48/arch/x86/mm/extable.c 2011-11-15 19:59:43.000000000 -0500
22250@@ -1,14 +1,71 @@
22251 #include <linux/module.h>
22252 #include <linux/spinlock.h>
22253+#include <linux/sort.h>
22254 #include <asm/uaccess.h>
22255+#include <asm/pgtable.h>
22256
22257+/*
22258+ * The exception table needs to be sorted so that the binary
22259+ * search that we use to find entries in it works properly.
22260+ * This is used both for the kernel exception table and for
22261+ * the exception tables of modules that get loaded.
22262+ */
22263+static int cmp_ex(const void *a, const void *b)
22264+{
22265+ const struct exception_table_entry *x = a, *y = b;
22266+
22267+ /* avoid overflow */
22268+ if (x->insn > y->insn)
22269+ return 1;
22270+ if (x->insn < y->insn)
22271+ return -1;
22272+ return 0;
22273+}
22274+
22275+static void swap_ex(void *a, void *b, int size)
22276+{
22277+ struct exception_table_entry t, *x = a, *y = b;
22278+
22279+ t = *x;
22280+
22281+ pax_open_kernel();
22282+ *x = *y;
22283+ *y = t;
22284+ pax_close_kernel();
22285+}
22286+
22287+void sort_extable(struct exception_table_entry *start,
22288+ struct exception_table_entry *finish)
22289+{
22290+ sort(start, finish - start, sizeof(struct exception_table_entry),
22291+ cmp_ex, swap_ex);
22292+}
22293+
22294+#ifdef CONFIG_MODULES
22295+/*
22296+ * If the exception table is sorted, any referring to the module init
22297+ * will be at the beginning or the end.
22298+ */
22299+void trim_init_extable(struct module *m)
22300+{
22301+ /*trim the beginning*/
22302+ while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
22303+ m->extable++;
22304+ m->num_exentries--;
22305+ }
22306+ /*trim the end*/
22307+ while (m->num_exentries &&
22308+ within_module_init(m->extable[m->num_exentries-1].insn, m))
22309+ m->num_exentries--;
22310+}
22311+#endif /* CONFIG_MODULES */
22312
22313 int fixup_exception(struct pt_regs *regs)
22314 {
22315 const struct exception_table_entry *fixup;
22316
22317 #ifdef CONFIG_PNPBIOS
22318- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
22319+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
22320 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
22321 extern u32 pnp_bios_is_utter_crap;
22322 pnp_bios_is_utter_crap = 1;
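Review bot: `swap_ex` wraps every element swap in `pax_open_kernel()`/`pax_close_kernel()` and ignores its `size` argument, and neither is explained. A comment such as `/* the table may be mapped read-only; open a write window only around the two stores. size is unused because entries are always whole structs */` would tell the next reader why the generic swap of `sort()` is not used (the read-only mapping is my inference, it is not shown in this hunk). The added `!v8086_mode(regs)` test in `fixup_exception` also deserves a line, e.g. `/* in vm86 mode regs->cs is a real-mode segment value, not a selector */`. `fixup_exception` continues outside the hunk.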
22323diff -urNp linux-2.6.32.48/arch/x86/mm/fault.c linux-2.6.32.48/arch/x86/mm/fault.c
22324--- linux-2.6.32.48/arch/x86/mm/fault.c 2011-11-08 19:02:43.000000000 -0500
22325+++ linux-2.6.32.48/arch/x86/mm/fault.c 2011-11-18 18:07:11.000000000 -0500
22326@@ -11,10 +11,19 @@
22327 #include <linux/kprobes.h> /* __kprobes, ... */
22328 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
22329 #include <linux/perf_event.h> /* perf_sw_event */
22330+#include <linux/unistd.h>
22331+#include <linux/compiler.h>
22332
22333 #include <asm/traps.h> /* dotraplinkage, ... */
22334 #include <asm/pgalloc.h> /* pgd_*(), ... */
22335 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
22336+#include <asm/vsyscall.h>
22337+#include <asm/tlbflush.h>
22338+
22339+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22340+#include <asm/stacktrace.h>
22341+#include "../kernel/dumpstack.h"
22342+#endif
22343
22344 /*
22345 * Page fault error code bits:
22346@@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
22347 int ret = 0;
22348
22349 /* kprobe_running() needs smp_processor_id() */
22350- if (kprobes_built_in() && !user_mode_vm(regs)) {
22351+ if (kprobes_built_in() && !user_mode(regs)) {
22352 preempt_disable();
22353 if (kprobe_running() && kprobe_fault_handler(regs, 14))
22354 ret = 1;
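Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `notify_page_fault` (and again in the later `do_page_fault` hunk at `@@ -1026,7 +1259,7 @@`) is only equivalent if `user_mode()` is redefined elsewhere in the patch to treat vm86 mode as user mode. In the unpatched tree, as far as I know, `user_mode()` on 32-bit looks only at the privilege bits of `cs`, so a vm86 fault would be classified as a kernel fault. That redefinition is not visible from here; if it exists, a short comment at one of the two call sites pointing to it would prevent the change from being reverted by mistake.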
22355@@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
22356 return !instr_lo || (instr_lo>>1) == 1;
22357 case 0x00:
22358 /* Prefetch instruction is 0x0F0D or 0x0F18 */
22359- if (probe_kernel_address(instr, opcode))
22360+ if (user_mode(regs)) {
22361+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22362+ return 0;
22363+ } else if (probe_kernel_address(instr, opcode))
22364 return 0;
22365
22366 *prefetch = (instr_lo == 0xF) &&
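Review bot: The new user-mode branch in `check_prefetch_opcode` (and the matching one in the `is_prefetch` hunk below) reads the opcode with `__copy_from_user_inatomic`, which performs no range check of its own. It therefore depends on `instr` having been bounded against the user address limit before the loop, and that check is outside both hunks. A comment at the call, e.g. `/* instr was range-checked in is_prefetch(); the __ variant skips access_ok() */`, would record the dependency; if no such check exists for the user-mode case, an `access_ok()` test is needed before the read.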
22367@@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
22368 while (instr < max_instr) {
22369 unsigned char opcode;
22370
22371- if (probe_kernel_address(instr, opcode))
22372+ if (user_mode(regs)) {
22373+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
22374+ break;
22375+ } else if (probe_kernel_address(instr, opcode))
22376 break;
22377
22378 instr++;
22379@@ -172,6 +187,34 @@ force_sig_info_fault(int si_signo, int s
22380 force_sig_info(si_signo, &info, tsk);
22381 }
22382
22383+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22384+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
22385+#endif
22386+
22387+#ifdef CONFIG_PAX_EMUTRAMP
22388+static int pax_handle_fetch_fault(struct pt_regs *regs);
22389+#endif
22390+
22391+#ifdef CONFIG_PAX_PAGEEXEC
22392+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
22393+{
22394+ pgd_t *pgd;
22395+ pud_t *pud;
22396+ pmd_t *pmd;
22397+
22398+ pgd = pgd_offset(mm, address);
22399+ if (!pgd_present(*pgd))
22400+ return NULL;
22401+ pud = pud_offset(pgd, address);
22402+ if (!pud_present(*pud))
22403+ return NULL;
22404+ pmd = pmd_offset(pud, address);
22405+ if (!pmd_present(*pmd))
22406+ return NULL;
22407+ return pmd;
22408+}
22409+#endif
22410+
22411 DEFINE_SPINLOCK(pgd_lock);
22412 LIST_HEAD(pgd_list);
22413
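Review bot: `pax_get_pmd` walks pgd, pud and pmd without taking any lock and without a comment on what the caller must hold. Its only caller on this page, `pax_handle_pageexec_fault`, appears to run with `mmap_sem` held for read, so I would document that as the contract: `/* caller must hold mm->mmap_sem; returns NULL if any level is not present */`. The declaration `static inline pmd_t * pax_get_pmd` also has a stray space after the `*`.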
22414@@ -224,11 +267,24 @@ void vmalloc_sync_all(void)
22415 address += PMD_SIZE) {
22416
22417 unsigned long flags;
22418+
22419+#ifdef CONFIG_PAX_PER_CPU_PGD
22420+ unsigned long cpu;
22421+#else
22422 struct page *page;
22423+#endif
22424
22425 spin_lock_irqsave(&pgd_lock, flags);
22426+
22427+#ifdef CONFIG_PAX_PER_CPU_PGD
22428+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22429+ pgd_t *pgd = get_cpu_pgd(cpu);
22430+#else
22431 list_for_each_entry(page, &pgd_list, lru) {
22432- if (!vmalloc_sync_one(page_address(page), address))
22433+ pgd_t *pgd = page_address(page);
22434+#endif
22435+
22436+ if (!vmalloc_sync_one(pgd, address))
22437 break;
22438 }
22439 spin_unlock_irqrestore(&pgd_lock, flags);
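Review bot: Under `CONFIG_PAX_PER_CPU_PGD` the loop `for (cpu = 0; cpu < NR_CPUS; ++cpu)` visits every configured CPU slot, not only CPUs that can exist on the running machine; the same loop appears in the 64-bit `vmalloc_sync_all` hunk at `@@ -332,15 +393,27 @@`. If `get_cpu_pgd()` is backed by a static per-slot array this is harmless but does extra work under `pgd_lock` with interrupts off, and `for_each_possible_cpu(cpu)` would express the intent; if the backing store is set up per CPU, the loop needs that change for correctness. The storage behind `get_cpu_pgd()` is not visible here. Opening the loop brace inside both `#ifdef` branches and closing it once after `#endif` is also hard to follow.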
22440@@ -258,6 +314,11 @@ static noinline int vmalloc_fault(unsign
22441 * an interrupt in the middle of a task switch..
22442 */
22443 pgd_paddr = read_cr3();
22444+
22445+#ifdef CONFIG_PAX_PER_CPU_PGD
22446+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
22447+#endif
22448+
22449 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
22450 if (!pmd_k)
22451 return -1;
22452@@ -332,15 +393,27 @@ void vmalloc_sync_all(void)
22453
22454 const pgd_t *pgd_ref = pgd_offset_k(address);
22455 unsigned long flags;
22456+
22457+#ifdef CONFIG_PAX_PER_CPU_PGD
22458+ unsigned long cpu;
22459+#else
22460 struct page *page;
22461+#endif
22462
22463 if (pgd_none(*pgd_ref))
22464 continue;
22465
22466 spin_lock_irqsave(&pgd_lock, flags);
22467+
22468+#ifdef CONFIG_PAX_PER_CPU_PGD
22469+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
22470+ pgd_t *pgd = pgd_offset_cpu(cpu, address);
22471+#else
22472 list_for_each_entry(page, &pgd_list, lru) {
22473 pgd_t *pgd;
22474 pgd = (pgd_t *)page_address(page) + pgd_index(address);
22475+#endif
22476+
22477 if (pgd_none(*pgd))
22478 set_pgd(pgd, *pgd_ref);
22479 else
22480@@ -373,7 +446,14 @@ static noinline int vmalloc_fault(unsign
22481 * happen within a race in page table update. In the later
22482 * case just flush:
22483 */
22484+
22485+#ifdef CONFIG_PAX_PER_CPU_PGD
22486+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
22487+ pgd = pgd_offset_cpu(smp_processor_id(), address);
22488+#else
22489 pgd = pgd_offset(current->active_mm, address);
22490+#endif
22491+
22492 pgd_ref = pgd_offset_k(address);
22493 if (pgd_none(*pgd_ref))
22494 return -1;
22495@@ -535,7 +615,7 @@ static int is_errata93(struct pt_regs *r
22496 static int is_errata100(struct pt_regs *regs, unsigned long address)
22497 {
22498 #ifdef CONFIG_X86_64
22499- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
22500+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
22501 return 1;
22502 #endif
22503 return 0;
22504@@ -562,7 +642,7 @@ static int is_f00f_bug(struct pt_regs *r
22505 }
22506
22507 static const char nx_warning[] = KERN_CRIT
22508-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
22509+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
22510
22511 static void
22512 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
22513@@ -571,15 +651,26 @@ show_fault_oops(struct pt_regs *regs, un
22514 if (!oops_may_print())
22515 return;
22516
22517- if (error_code & PF_INSTR) {
22518+ if (nx_enabled && (error_code & PF_INSTR)) {
22519 unsigned int level;
22520
22521 pte_t *pte = lookup_address(address, &level);
22522
22523 if (pte && pte_present(*pte) && !pte_exec(*pte))
22524- printk(nx_warning, current_uid());
22525+ printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
22526 }
22527
22528+#ifdef CONFIG_PAX_KERNEXEC
22529+ if (init_mm.start_code <= address && address < init_mm.end_code) {
22530+ if (current->signal->curr_ip)
22531+ printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22532+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
22533+ else
22534+ printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
22535+ current->comm, task_pid_nr(current), current_uid(), current_euid());
22536+ }
22537+#endif
22538+
22539 printk(KERN_ALERT "BUG: unable to handle kernel ");
22540 if (address < PAGE_SIZE)
22541 printk(KERN_CONT "NULL pointer dereference");
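Review bot: The `CONFIG_PAX_KERNEXEC` block in `show_fault_oops` prints "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. Gating it on the write bit, `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`, would keep the log line from mislabelling a read or fetch fault in that range. Both new messages and the extended `nx_warning` also print `current->comm`, which the task itself can set, so anything that parses these lines should treat that field as untrusted. `show_fault_oops` continues outside the hunk.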
22542@@ -705,6 +796,23 @@ __bad_area_nosemaphore(struct pt_regs *r
22543 {
22544 struct task_struct *tsk = current;
22545
22546+#ifdef CONFIG_X86_64
22547+ struct mm_struct *mm = tsk->mm;
22548+
22549+ if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
22550+ if (regs->ip == (unsigned long)vgettimeofday) {
22551+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
22552+ return;
22553+ } else if (regs->ip == (unsigned long)vtime) {
22554+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
22555+ return;
22556+ } else if (regs->ip == (unsigned long)vgetcpu) {
22557+ regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
22558+ return;
22559+ }
22560+ }
22561+#endif
22562+
22563 /* User mode accesses just cause a SIGSEGV */
22564 if (error_code & PF_USER) {
22565 /*
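Review bot: The vsyscall fallback in `__bad_area_nosemaphore` rewrites `regs->ip` to a vDSO address before the `error_code & PF_USER` test that follows it, so the redirect is not restricted to faults taken from user mode. Adding the bit to the condition, `if (mm && (error_code & (PF_INSTR | PF_USER)) == (PF_INSTR | PF_USER) && mm->context.vdso) {`, would make sure a kernel-mode fetch fault at one of these three addresses still reaches the normal oops path instead of resuming at a user-space address. Whether such a kernel-mode fault can occur in practice is not something this hunk shows. The function continues outside the hunk.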
22566@@ -722,6 +830,21 @@ __bad_area_nosemaphore(struct pt_regs *r
22567 if (is_errata100(regs, address))
22568 return;
22569
22570+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22571+ if (pax_is_fetch_fault(regs, error_code, address)) {
22572+
22573+#ifdef CONFIG_PAX_EMUTRAMP
22574+ switch (pax_handle_fetch_fault(regs)) {
22575+ case 2:
22576+ return;
22577+ }
22578+#endif
22579+
22580+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
22581+ do_group_exit(SIGKILL);
22582+ }
22583+#endif
22584+
22585 if (unlikely(show_unhandled_signals))
22586 show_signal_msg(regs, error_code, address, tsk);
22587
22588@@ -818,7 +941,7 @@ do_sigbus(struct pt_regs *regs, unsigned
22589 if (fault & VM_FAULT_HWPOISON) {
22590 printk(KERN_ERR
22591 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
22592- tsk->comm, tsk->pid, address);
22593+ tsk->comm, task_pid_nr(tsk), address);
22594 code = BUS_MCEERR_AR;
22595 }
22596 #endif
22597@@ -857,6 +980,99 @@ static int spurious_fault_check(unsigned
22598 return 1;
22599 }
22600
22601+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22602+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
22603+{
22604+ pte_t *pte;
22605+ pmd_t *pmd;
22606+ spinlock_t *ptl;
22607+ unsigned char pte_mask;
22608+
22609+ if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
22610+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
22611+ return 0;
22612+
22613+ /* PaX: it's our fault, let's handle it if we can */
22614+
22615+ /* PaX: take a look at read faults before acquiring any locks */
22616+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
22617+ /* instruction fetch attempt from a protected page in user mode */
22618+ up_read(&mm->mmap_sem);
22619+
22620+#ifdef CONFIG_PAX_EMUTRAMP
22621+ switch (pax_handle_fetch_fault(regs)) {
22622+ case 2:
22623+ return 1;
22624+ }
22625+#endif
22626+
22627+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
22628+ do_group_exit(SIGKILL);
22629+ }
22630+
22631+ pmd = pax_get_pmd(mm, address);
22632+ if (unlikely(!pmd))
22633+ return 0;
22634+
22635+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
22636+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
22637+ pte_unmap_unlock(pte, ptl);
22638+ return 0;
22639+ }
22640+
22641+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
22642+ /* write attempt to a protected page in user mode */
22643+ pte_unmap_unlock(pte, ptl);
22644+ return 0;
22645+ }
22646+
22647+#ifdef CONFIG_SMP
22648+ if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
22649+#else
22650+ if (likely(address > get_limit(regs->cs)))
22651+#endif
22652+ {
22653+ set_pte(pte, pte_mkread(*pte));
22654+ __flush_tlb_one(address);
22655+ pte_unmap_unlock(pte, ptl);
22656+ up_read(&mm->mmap_sem);
22657+ return 1;
22658+ }
22659+
22660+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
22661+
22662+ /*
22663+ * PaX: fill DTLB with user rights and retry
22664+ */
22665+ __asm__ __volatile__ (
22666+ "orb %2,(%1)\n"
22667+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
22668+/*
22669+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
22670+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
22671+ * page fault when examined during a TLB load attempt. this is true not only
22672+ * for PTEs holding a non-present entry but also present entries that will
22673+ * raise a page fault (such as those set up by PaX, or the copy-on-write
22674+ * mechanism). in effect it means that we do *not* need to flush the TLBs
22675+ * for our target pages since their PTEs are simply not in the TLBs at all.
22676+
22677+ * the best thing in omitting it is that we gain around 15-20% speed in the
22678+ * fast path of the page fault handler and can get rid of tracing since we
22679+ * can no longer flush unintended entries.
22680+ */
22681+ "invlpg (%0)\n"
22682+#endif
22683+ __copyuser_seg"testb $0,(%0)\n"
22684+ "xorb %3,(%1)\n"
22685+ :
22686+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
22687+ : "memory", "cc");
22688+ pte_unmap_unlock(pte, ptl);
22689+ up_read(&mm->mmap_sem);
22690+ return 1;
22691+}
22692+#endif
22693+
22694 /*
22695 * Handle a spurious fault caused by a stale TLB entry.
22696 *
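Review bot: `pax_handle_pageexec_fault` returns with two different lock states and nothing documents it: every `return 1` path has already called `up_read(&mm->mmap_sem)`, while every `return 0` path leaves the semaphore held for the caller. A header comment should state that contract, e.g. `/* returns 1 if the fault was handled (mmap_sem released), 0 if the caller must continue (mmap_sem still held) */`. The `pte_mask` expression `(error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1)` also relies on the bit position of `PF_WRITE` to produce the dirty bit and would benefit from a one-line comment saying so.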
22697@@ -923,6 +1139,9 @@ int show_unhandled_signals = 1;
22698 static inline int
22699 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
22700 {
22701+ if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
22702+ return 1;
22703+
22704 if (write) {
22705 /* write, present and write, not present: */
22706 if (unlikely(!(vma->vm_flags & VM_WRITE)))
22707@@ -956,17 +1175,31 @@ do_page_fault(struct pt_regs *regs, unsi
22708 {
22709 struct vm_area_struct *vma;
22710 struct task_struct *tsk;
22711- unsigned long address;
22712 struct mm_struct *mm;
22713 int write;
22714 int fault;
22715
22716+ /* Get the faulting address: */
22717+ unsigned long address = read_cr2();
22718+
22719+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22720+ if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
22721+ if (!search_exception_tables(regs->ip)) {
22722+ bad_area_nosemaphore(regs, error_code, address);
22723+ return;
22724+ }
22725+ if (address < PAX_USER_SHADOW_BASE) {
22726+ printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
22727+ printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
22728+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
22729+ } else
22730+ address -= PAX_USER_SHADOW_BASE;
22731+ }
22732+#endif
22733+
22734 tsk = current;
22735 mm = tsk->mm;
22736
22737- /* Get the faulting address: */
22738- address = read_cr2();
22739-
22740 /*
22741 * Detect and handle instructions that would cause a page fault for
22742 * both a tracked kernel page and a userspace page.
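Review bot: In the `CONFIG_PAX_MEMORY_UDEREF` block of `do_page_fault`, the `address < PAX_USER_SHADOW_BASE` branch issues two `printk(KERN_ERR ...)` calls and a stack trace on every such fault with no rate limit. If any path lets an unprivileged task trigger this repeatedly the log can be flooded, so I would wrap the three calls in `if (printk_ratelimit()) { ... }`. That branch also falls through and handles the fault with the unshifted address; a comment stating that this is intentional (diagnose and continue) would help. The function continues outside the hunk.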
22743@@ -1026,7 +1259,7 @@ do_page_fault(struct pt_regs *regs, unsi
22744 * User-mode registers count as a user access even for any
22745 * potential system fault or CPU buglet:
22746 */
22747- if (user_mode_vm(regs)) {
22748+ if (user_mode(regs)) {
22749 local_irq_enable();
22750 error_code |= PF_USER;
22751 } else {
22752@@ -1080,6 +1313,11 @@ do_page_fault(struct pt_regs *regs, unsi
22753 might_sleep();
22754 }
22755
22756+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
22757+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
22758+ return;
22759+#endif
22760+
22761 vma = find_vma(mm, address);
22762 if (unlikely(!vma)) {
22763 bad_area(regs, error_code, address);
22764@@ -1091,18 +1329,24 @@ do_page_fault(struct pt_regs *regs, unsi
22765 bad_area(regs, error_code, address);
22766 return;
22767 }
22768- if (error_code & PF_USER) {
22769- /*
22770- * Accessing the stack below %sp is always a bug.
22771- * The large cushion allows instructions like enter
22772- * and pusha to work. ("enter $65535, $31" pushes
22773- * 32 pointers and then decrements %sp by 65535.)
22774- */
22775- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
22776- bad_area(regs, error_code, address);
22777- return;
22778- }
22779+ /*
22780+ * Accessing the stack below %sp is always a bug.
22781+ * The large cushion allows instructions like enter
22782+ * and pusha to work. ("enter $65535, $31" pushes
22783+ * 32 pointers and then decrements %sp by 65535.)
22784+ */
22785+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
22786+ bad_area(regs, error_code, address);
22787+ return;
22788+ }
22789+
22790+#ifdef CONFIG_PAX_SEGMEXEC
22791+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
22792+ bad_area(regs, error_code, address);
22793+ return;
22794 }
22795+#endif
22796+
22797 if (unlikely(expand_stack(vma, address))) {
22798 bad_area(regs, error_code, address);
22799 return;
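Review bot: The `CONFIG_PAX_SEGMEXEC` test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wraparound and is unreadable without a comment. As far as I can tell it is true only when `vma->vm_end` is above `SEGMEXEC_TASK_SIZE` and `address` is at or below it, i.e. it refuses a stack expansion that would cross that boundary; a line such as `/* unsigned wrap: true only if the vma ends above SEGMEXEC_TASK_SIZE and address does not */` would record that. The stack-cushion check in the same hunk now runs for kernel-mode faults as well and compares against `task_pt_regs(tsk)->sp` instead of `regs->sp`; the reason for dropping the `PF_USER` guard deserves a sentence in the existing comment.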
22800@@ -1146,3 +1390,240 @@ good_area:
22801
22802 up_read(&mm->mmap_sem);
22803 }
22804+
22805+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22806+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
22807+{
22808+ struct mm_struct *mm = current->mm;
22809+ unsigned long ip = regs->ip;
22810+
22811+ if (v8086_mode(regs))
22812+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
22813+
22814+#ifdef CONFIG_PAX_PAGEEXEC
22815+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
22816+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
22817+ return true;
22818+ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
22819+ return true;
22820+ return false;
22821+ }
22822+#endif
22823+
22824+#ifdef CONFIG_PAX_SEGMEXEC
22825+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
22826+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
22827+ return true;
22828+ return false;
22829+ }
22830+#endif
22831+
22832+ return false;
22833+}
22834+#endif
22835+
22836+#ifdef CONFIG_PAX_EMUTRAMP
22837+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
22838+{
22839+ int err;
22840+
22841+ do { /* PaX: gcc trampoline emulation #1 */
22842+ unsigned char mov1, mov2;
22843+ unsigned short jmp;
22844+ unsigned int addr1, addr2;
22845+
22846+#ifdef CONFIG_X86_64
22847+ if ((regs->ip + 11) >> 32)
22848+ break;
22849+#endif
22850+
22851+ err = get_user(mov1, (unsigned char __user *)regs->ip);
22852+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22853+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
22854+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22855+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
22856+
22857+ if (err)
22858+ break;
22859+
22860+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
22861+ regs->cx = addr1;
22862+ regs->ax = addr2;
22863+ regs->ip = addr2;
22864+ return 2;
22865+ }
22866+ } while (0);
22867+
22868+ do { /* PaX: gcc trampoline emulation #2 */
22869+ unsigned char mov, jmp;
22870+ unsigned int addr1, addr2;
22871+
22872+#ifdef CONFIG_X86_64
22873+ if ((regs->ip + 9) >> 32)
22874+ break;
22875+#endif
22876+
22877+ err = get_user(mov, (unsigned char __user *)regs->ip);
22878+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
22879+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
22880+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
22881+
22882+ if (err)
22883+ break;
22884+
22885+ if (mov == 0xB9 && jmp == 0xE9) {
22886+ regs->cx = addr1;
22887+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
22888+ return 2;
22889+ }
22890+ } while (0);
22891+
22892+ return 1; /* PaX in action */
22893+}
22894+
22895+#ifdef CONFIG_X86_64
22896+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
22897+{
22898+ int err;
22899+
22900+ do { /* PaX: gcc trampoline emulation #1 */
22901+ unsigned short mov1, mov2, jmp1;
22902+ unsigned char jmp2;
22903+ unsigned int addr1;
22904+ unsigned long addr2;
22905+
22906+ err = get_user(mov1, (unsigned short __user *)regs->ip);
22907+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
22908+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
22909+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
22910+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
22911+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
22912+
22913+ if (err)
22914+ break;
22915+
22916+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22917+ regs->r11 = addr1;
22918+ regs->r10 = addr2;
22919+ regs->ip = addr1;
22920+ return 2;
22921+ }
22922+ } while (0);
22923+
22924+ do { /* PaX: gcc trampoline emulation #2 */
22925+ unsigned short mov1, mov2, jmp1;
22926+ unsigned char jmp2;
22927+ unsigned long addr1, addr2;
22928+
22929+ err = get_user(mov1, (unsigned short __user *)regs->ip);
22930+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
22931+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
22932+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
22933+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
22934+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
22935+
22936+ if (err)
22937+ break;
22938+
22939+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
22940+ regs->r11 = addr1;
22941+ regs->r10 = addr2;
22942+ regs->ip = addr1;
22943+ return 2;
22944+ }
22945+ } while (0);
22946+
22947+ return 1; /* PaX in action */
22948+}
22949+#endif
22950+
22951+/*
22952+ * PaX: decide what to do with offenders (regs->ip = fault address)
22953+ *
22954+ * returns 1 when task should be killed
22955+ * 2 when gcc trampoline was detected
22956+ */
22957+static int pax_handle_fetch_fault(struct pt_regs *regs)
22958+{
22959+ if (v8086_mode(regs))
22960+ return 1;
22961+
22962+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
22963+ return 1;
22964+
22965+#ifdef CONFIG_X86_32
22966+ return pax_handle_fetch_fault_32(regs);
22967+#else
22968+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
22969+ return pax_handle_fetch_fault_32(regs);
22970+ else
22971+ return pax_handle_fetch_fault_64(regs);
22972+#endif
22973+}
22974+#endif
22975+
22976+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
22977+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
22978+{
22979+ long i;
22980+
22981+ printk(KERN_ERR "PAX: bytes at PC: ");
22982+ for (i = 0; i < 20; i++) {
22983+ unsigned char c;
22984+ if (get_user(c, (unsigned char __force_user *)pc+i))
22985+ printk(KERN_CONT "?? ");
22986+ else
22987+ printk(KERN_CONT "%02x ", c);
22988+ }
22989+ printk("\n");
22990+
22991+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
22992+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
22993+ unsigned long c;
22994+ if (get_user(c, (unsigned long __force_user *)sp+i)) {
22995+#ifdef CONFIG_X86_32
22996+ printk(KERN_CONT "???????? ");
22997+#else
22998+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
22999+ printk(KERN_CONT "???????? ???????? ");
23000+ else
23001+ printk(KERN_CONT "???????????????? ");
23002+#endif
23003+ } else {
23004+#ifdef CONFIG_X86_64
23005+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
23006+ printk(KERN_CONT "%08x ", (unsigned int)c);
23007+ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
23008+ } else
23009+#endif
23010+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
23011+ }
23012+ }
23013+ printk("\n");
23014+}
23015+#endif
23016+
23017+/**
23018+ * probe_kernel_write(): safely attempt to write to a location
23019+ * @dst: address to write to
23020+ * @src: pointer to the data that shall be written
23021+ * @size: size of the data chunk
23022+ *
23023+ * Safely write to address @dst from the buffer at @src. If a kernel fault
23024+ * happens, handle that and return -EFAULT.
23025+ */
23026+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
23027+{
23028+ long ret;
23029+ mm_segment_t old_fs = get_fs();
23030+
23031+ set_fs(KERNEL_DS);
23032+ pagefault_disable();
23033+ pax_open_kernel();
23034+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
23035+ pax_close_kernel();
23036+ pagefault_enable();
23037+ set_fs(old_fs);
23038+
23039+ return ret ? -EFAULT : 0;
23040+}
23041diff -urNp linux-2.6.32.48/arch/x86/mm/gup.c linux-2.6.32.48/arch/x86/mm/gup.c
23042--- linux-2.6.32.48/arch/x86/mm/gup.c 2011-11-08 19:02:43.000000000 -0500
23043+++ linux-2.6.32.48/arch/x86/mm/gup.c 2011-11-15 19:59:43.000000000 -0500
23044@@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
23045 addr = start;
23046 len = (unsigned long) nr_pages << PAGE_SHIFT;
23047 end = start + len;
23048- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23049+ if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
23050 (void __user *)start, len)))
23051 return 0;
23052
23053diff -urNp linux-2.6.32.48/arch/x86/mm/highmem_32.c linux-2.6.32.48/arch/x86/mm/highmem_32.c
23054--- linux-2.6.32.48/arch/x86/mm/highmem_32.c 2011-11-08 19:02:43.000000000 -0500
23055+++ linux-2.6.32.48/arch/x86/mm/highmem_32.c 2011-11-15 19:59:43.000000000 -0500
23056@@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
23057 idx = type + KM_TYPE_NR*smp_processor_id();
23058 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23059 BUG_ON(!pte_none(*(kmap_pte-idx)));
23060+
23061+ pax_open_kernel();
23062 set_pte(kmap_pte-idx, mk_pte(page, prot));
23063+ pax_close_kernel();
23064
23065 return (void *)vaddr;
23066 }
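Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair added around `set_pte()` in kmap_atomic_prot has no comment saying what is being unlocked, and `mk_pte(page, prot)` is evaluated inside the open window. Building the value first (`pte_t pte = mk_pte(page, prot);` before `pax_open_kernel();`, then `set_pte(kmap_pte-idx, pte);`) keeps the window to the single store. A comment such as `/* kmap PTEs are write-protected (presumably by KERNEXEC); open only for this store */` would record the reason. The same bracket is added without comment in kmap_atomic_prot_pfn (iomap_32.c) and set_pte_vaddr_pud (init_64.c). The function body starts outside this hunk.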
23067diff -urNp linux-2.6.32.48/arch/x86/mm/hugetlbpage.c linux-2.6.32.48/arch/x86/mm/hugetlbpage.c
23068--- linux-2.6.32.48/arch/x86/mm/hugetlbpage.c 2011-11-08 19:02:43.000000000 -0500
23069+++ linux-2.6.32.48/arch/x86/mm/hugetlbpage.c 2011-11-15 19:59:43.000000000 -0500
23070@@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
23071 struct hstate *h = hstate_file(file);
23072 struct mm_struct *mm = current->mm;
23073 struct vm_area_struct *vma;
23074- unsigned long start_addr;
23075+ unsigned long start_addr, pax_task_size = TASK_SIZE;
23076+
23077+#ifdef CONFIG_PAX_SEGMEXEC
23078+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23079+ pax_task_size = SEGMEXEC_TASK_SIZE;
23080+#endif
23081+
23082+ pax_task_size -= PAGE_SIZE;
23083
23084 if (len > mm->cached_hole_size) {
23085- start_addr = mm->free_area_cache;
23086+ start_addr = mm->free_area_cache;
23087 } else {
23088- start_addr = TASK_UNMAPPED_BASE;
23089- mm->cached_hole_size = 0;
23090+ start_addr = mm->mmap_base;
23091+ mm->cached_hole_size = 0;
23092 }
23093
23094 full_search:
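Review bot: `pax_task_size -= PAGE_SIZE;` is unexplained, and the whole SEGMEXEC-aware size computation is written out again in the hugetlb_get_unmapped_area hunk (@@ -400,10) and, without the page subtraction, in mmap_base() in mmap.c. Three hand-copied versions of a limit that bounds where mappings may land can drift apart. A small static helper that returns the effective task size for an `mm` would keep them in step. At minimum the subtraction needs a comment, e.g. `/* keep the last page below the task limit unmapped (TODO confirm intent) */`. The function body starts outside this hunk.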
23095@@ -281,26 +288,27 @@ full_search:
23096
23097 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
23098 /* At this point: (!vma || addr < vma->vm_end). */
23099- if (TASK_SIZE - len < addr) {
23100+ if (pax_task_size - len < addr) {
23101 /*
23102 * Start a new search - just in case we missed
23103 * some holes.
23104 */
23105- if (start_addr != TASK_UNMAPPED_BASE) {
23106- start_addr = TASK_UNMAPPED_BASE;
23107+ if (start_addr != mm->mmap_base) {
23108+ start_addr = mm->mmap_base;
23109 mm->cached_hole_size = 0;
23110 goto full_search;
23111 }
23112 return -ENOMEM;
23113 }
23114- if (!vma || addr + len <= vma->vm_start) {
23115- mm->free_area_cache = addr + len;
23116- return addr;
23117- }
23118+ if (check_heap_stack_gap(vma, addr, len))
23119+ break;
23120 if (addr + mm->cached_hole_size < vma->vm_start)
23121 mm->cached_hole_size = vma->vm_start - addr;
23122 addr = ALIGN(vma->vm_end, huge_page_size(h));
23123 }
23124+
23125+ mm->free_area_cache = addr + len;
23126+ return addr;
23127 }
23128
23129 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
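Review bot: The bottom-up loop now reaches `vma->vm_start` and `vma->vm_end` whenever `check_heap_stack_gap(vma, addr, len)` returns zero, and the explicit `!vma` test that used to guard those dereferences is removed. The helper is not defined in this hunk, so this is safe only if it returns nonzero for a NULL `vma`. Either write `if (!vma || check_heap_stack_gap(vma, addr, len))`, or add a comment stating that the helper accepts NULL and treats it as "fits". The same reliance appears in the top-down hunk (@@ -322,64), where `vma->vm_end` follows the check, and in the hint path of hugetlb_get_unmapped_area (@@ -415,8).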
23130@@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
23131 {
23132 struct hstate *h = hstate_file(file);
23133 struct mm_struct *mm = current->mm;
23134- struct vm_area_struct *vma, *prev_vma;
23135- unsigned long base = mm->mmap_base, addr = addr0;
23136+ struct vm_area_struct *vma;
23137+ unsigned long base = mm->mmap_base, addr;
23138 unsigned long largest_hole = mm->cached_hole_size;
23139- int first_time = 1;
23140
23141 /* don't allow allocations above current base */
23142 if (mm->free_area_cache > base)
23143@@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
23144 largest_hole = 0;
23145 mm->free_area_cache = base;
23146 }
23147-try_again:
23148+
23149 /* make sure it can fit in the remaining address space */
23150 if (mm->free_area_cache < len)
23151 goto fail;
23152
23153 /* either no address requested or cant fit in requested address hole */
23154- addr = (mm->free_area_cache - len) & huge_page_mask(h);
23155+ addr = (mm->free_area_cache - len);
23156 do {
23157+ addr &= huge_page_mask(h);
23158+ vma = find_vma(mm, addr);
23159 /*
23160 * Lookup failure means no vma is above this address,
23161 * i.e. return with success:
23162- */
23163- if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
23164- return addr;
23165-
23166- /*
23167 * new region fits between prev_vma->vm_end and
23168 * vma->vm_start, use it:
23169 */
23170- if (addr + len <= vma->vm_start &&
23171- (!prev_vma || (addr >= prev_vma->vm_end))) {
23172+ if (check_heap_stack_gap(vma, addr, len)) {
23173 /* remember the address as a hint for next time */
23174- mm->cached_hole_size = largest_hole;
23175- return (mm->free_area_cache = addr);
23176- } else {
23177- /* pull free_area_cache down to the first hole */
23178- if (mm->free_area_cache == vma->vm_end) {
23179- mm->free_area_cache = vma->vm_start;
23180- mm->cached_hole_size = largest_hole;
23181- }
23182+ mm->cached_hole_size = largest_hole;
23183+ return (mm->free_area_cache = addr);
23184+ }
23185+ /* pull free_area_cache down to the first hole */
23186+ if (mm->free_area_cache == vma->vm_end) {
23187+ mm->free_area_cache = vma->vm_start;
23188+ mm->cached_hole_size = largest_hole;
23189 }
23190
23191 /* remember the largest hole we saw so far */
23192 if (addr + largest_hole < vma->vm_start)
23193- largest_hole = vma->vm_start - addr;
23194+ largest_hole = vma->vm_start - addr;
23195
23196 /* try just below the current vma->vm_start */
23197- addr = (vma->vm_start - len) & huge_page_mask(h);
23198- } while (len <= vma->vm_start);
23199+ addr = skip_heap_stack_gap(vma, len);
23200+ } while (!IS_ERR_VALUE(addr));
23201
23202 fail:
23203 /*
23204- * if hint left us with no space for the requested
23205- * mapping then try again:
23206- */
23207- if (first_time) {
23208- mm->free_area_cache = base;
23209- largest_hole = 0;
23210- first_time = 0;
23211- goto try_again;
23212- }
23213- /*
23214 * A failed mmap() very likely causes application failure,
23215 * so fall back to the bottom-up function here. This scenario
23216 * can happen with large stack limits and large mmap()
23217 * allocations.
23218 */
23219- mm->free_area_cache = TASK_UNMAPPED_BASE;
23220+
23221+#ifdef CONFIG_PAX_SEGMEXEC
23222+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23223+ mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
23224+ else
23225+#endif
23226+
23227+ mm->mmap_base = TASK_UNMAPPED_BASE;
23228+
23229+#ifdef CONFIG_PAX_RANDMMAP
23230+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23231+ mm->mmap_base += mm->delta_mmap;
23232+#endif
23233+
23234+ mm->free_area_cache = mm->mmap_base;
23235 mm->cached_hole_size = ~0UL;
23236 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
23237 len, pgoff, flags);
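Review bot: In the `fail:` path the `else` sits on the last line inside `#ifdef CONFIG_PAX_SEGMEXEC` and binds, across the `#endif` and a blank line, to `mm->mmap_base = TASK_UNMAPPED_BASE;`. It compiles, but any statement later inserted after the `#endif` silently becomes the `else` body. Assigning the default first and overriding it inside the `#ifdef` (`mm->mmap_base = TASK_UNMAPPED_BASE;` followed by `if (mm->pax_flags & MF_PAX_SEGMEXEC) mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;`) avoids that. mmap_legacy_base() in mmap.c uses the same dangling-`else` shape. Separately, the merged comment above `check_heap_stack_gap()` still refers to `prev_vma`, which this hunk removes.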
23238@@ -387,6 +393,7 @@ fail:
23239 /*
23240 * Restore the topdown base:
23241 */
23242+ mm->mmap_base = base;
23243 mm->free_area_cache = base;
23244 mm->cached_hole_size = ~0UL;
23245
23246@@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
23247 struct hstate *h = hstate_file(file);
23248 struct mm_struct *mm = current->mm;
23249 struct vm_area_struct *vma;
23250+ unsigned long pax_task_size = TASK_SIZE;
23251
23252 if (len & ~huge_page_mask(h))
23253 return -EINVAL;
23254- if (len > TASK_SIZE)
23255+
23256+#ifdef CONFIG_PAX_SEGMEXEC
23257+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23258+ pax_task_size = SEGMEXEC_TASK_SIZE;
23259+#endif
23260+
23261+ pax_task_size -= PAGE_SIZE;
23262+
23263+ if (len > pax_task_size)
23264 return -ENOMEM;
23265
23266 if (flags & MAP_FIXED) {
23267@@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
23268 if (addr) {
23269 addr = ALIGN(addr, huge_page_size(h));
23270 vma = find_vma(mm, addr);
23271- if (TASK_SIZE - len >= addr &&
23272- (!vma || addr + len <= vma->vm_start))
23273+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
23274 return addr;
23275 }
23276 if (mm->get_unmapped_area == arch_get_unmapped_area)
23277diff -urNp linux-2.6.32.48/arch/x86/mm/init_32.c linux-2.6.32.48/arch/x86/mm/init_32.c
23278--- linux-2.6.32.48/arch/x86/mm/init_32.c 2011-11-08 19:02:43.000000000 -0500
23279+++ linux-2.6.32.48/arch/x86/mm/init_32.c 2011-11-15 19:59:43.000000000 -0500
23280@@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
23281 }
23282
23283 /*
23284- * Creates a middle page table and puts a pointer to it in the
23285- * given global directory entry. This only returns the gd entry
23286- * in non-PAE compilation mode, since the middle layer is folded.
23287- */
23288-static pmd_t * __init one_md_table_init(pgd_t *pgd)
23289-{
23290- pud_t *pud;
23291- pmd_t *pmd_table;
23292-
23293-#ifdef CONFIG_X86_PAE
23294- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
23295- if (after_bootmem)
23296- pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
23297- else
23298- pmd_table = (pmd_t *)alloc_low_page();
23299- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
23300- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
23301- pud = pud_offset(pgd, 0);
23302- BUG_ON(pmd_table != pmd_offset(pud, 0));
23303-
23304- return pmd_table;
23305- }
23306-#endif
23307- pud = pud_offset(pgd, 0);
23308- pmd_table = pmd_offset(pud, 0);
23309-
23310- return pmd_table;
23311-}
23312-
23313-/*
23314 * Create a page table and place a pointer to it in a middle page
23315 * directory entry:
23316 */
23317@@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
23318 page_table = (pte_t *)alloc_low_page();
23319
23320 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
23321+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
23322+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
23323+#else
23324 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
23325+#endif
23326 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
23327 }
23328
23329 return pte_offset_kernel(pmd, 0);
23330 }
23331
23332+static pmd_t * __init one_md_table_init(pgd_t *pgd)
23333+{
23334+ pud_t *pud;
23335+ pmd_t *pmd_table;
23336+
23337+ pud = pud_offset(pgd, 0);
23338+ pmd_table = pmd_offset(pud, 0);
23339+
23340+ return pmd_table;
23341+}
23342+
23343 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
23344 {
23345 int pgd_idx = pgd_index(vaddr);
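Review bot: The re-added `one_md_table_init()` has lost its header comment and no longer creates or installs anything: the PAE branch that allocated a pmd table and called `set_pgd()` is gone, yet the name still says "init". A comment such as `/* Return the existing pmd table behind @pgd; nothing is allocated here. */` would stop callers from assuming it can populate an empty pgd slot. The `#if` that selects `_KERNPG_TABLE` over `_PAGE_TABLE` in `one_page_table_init()` also needs a one-line reason.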
23346@@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
23347 int pgd_idx, pmd_idx;
23348 unsigned long vaddr;
23349 pgd_t *pgd;
23350+ pud_t *pud;
23351 pmd_t *pmd;
23352 pte_t *pte = NULL;
23353
23354@@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
23355 pgd = pgd_base + pgd_idx;
23356
23357 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
23358- pmd = one_md_table_init(pgd);
23359- pmd = pmd + pmd_index(vaddr);
23360+ pud = pud_offset(pgd, vaddr);
23361+ pmd = pmd_offset(pud, vaddr);
23362+
23363+#ifdef CONFIG_X86_PAE
23364+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23365+#endif
23366+
23367 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
23368 pmd++, pmd_idx++) {
23369 pte = page_table_kmap_check(one_page_table_init(pmd),
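Review bot: `paravirt_alloc_pmd()` is now called for every pgd slot on every pass of this loop. The removed `one_md_table_init()` called it only when it had just allocated a table, under `!(pgd_val(*pgd) & _PAGE_PRESENT)`. Nothing here allocates a pmd table any more, so the code assumes the PAE pmd tables already exist and that the hook tolerates repeated notification for the same pfn. Neither assumption is visible in this hunk, so confirm both and record them in a comment. The same pattern is added in kernel_physical_mapping_init (@@ -278,8). The function body starts outside this hunk.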
23370@@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
23371 }
23372 }
23373
23374-static inline int is_kernel_text(unsigned long addr)
23375+static inline int is_kernel_text(unsigned long start, unsigned long end)
23376 {
23377- if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
23378- return 1;
23379- return 0;
23380+ if ((start > ktla_ktva((unsigned long)_etext) ||
23381+ end <= ktla_ktva((unsigned long)_stext)) &&
23382+ (start > ktla_ktva((unsigned long)_einittext) ||
23383+ end <= ktla_ktva((unsigned long)_sinittext)) &&
23384+
23385+#ifdef CONFIG_ACPI_SLEEP
23386+ (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
23387+#endif
23388+
23389+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
23390+ return 0;
23391+ return 1;
23392 }
23393
23394 /*
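Review bot: The new range test pairs `start > X` with `end <= Y`, so a range that begins exactly at `_etext`, `_einittext` or `acpi_wakeup_address + 0x4000` counts as overlapping and the caller maps it executable. If those are one-past-the-end addresses, `start >= ...` would avoid making the first page after each region executable. If the inclusive bound is intended, a comment should say why. The function also now covers the ACPI wakeup area and `0xc0000`–`0xfffff`, so the name `is_kernel_text` and the bare literals need a comment, e.g. `/* nonzero if [start, end) touches anything that must stay executable: text, init text, ACPI wakeup code, BIOS ROM */`.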
23395@@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
23396 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
23397 unsigned long start_pfn, end_pfn;
23398 pgd_t *pgd_base = swapper_pg_dir;
23399- int pgd_idx, pmd_idx, pte_ofs;
23400+ unsigned int pgd_idx, pmd_idx, pte_ofs;
23401 unsigned long pfn;
23402 pgd_t *pgd;
23403+ pud_t *pud;
23404 pmd_t *pmd;
23405 pte_t *pte;
23406 unsigned pages_2m, pages_4k;
23407@@ -278,8 +279,13 @@ repeat:
23408 pfn = start_pfn;
23409 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23410 pgd = pgd_base + pgd_idx;
23411- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
23412- pmd = one_md_table_init(pgd);
23413+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
23414+ pud = pud_offset(pgd, 0);
23415+ pmd = pmd_offset(pud, 0);
23416+
23417+#ifdef CONFIG_X86_PAE
23418+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
23419+#endif
23420
23421 if (pfn >= end_pfn)
23422 continue;
23423@@ -291,14 +297,13 @@ repeat:
23424 #endif
23425 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
23426 pmd++, pmd_idx++) {
23427- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
23428+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
23429
23430 /*
23431 * Map with big pages if possible, otherwise
23432 * create normal page tables:
23433 */
23434 if (use_pse) {
23435- unsigned int addr2;
23436 pgprot_t prot = PAGE_KERNEL_LARGE;
23437 /*
23438 * first pass will use the same initial
23439@@ -308,11 +313,7 @@ repeat:
23440 __pgprot(PTE_IDENT_ATTR |
23441 _PAGE_PSE);
23442
23443- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
23444- PAGE_OFFSET + PAGE_SIZE-1;
23445-
23446- if (is_kernel_text(addr) ||
23447- is_kernel_text(addr2))
23448+ if (is_kernel_text(address, address + PMD_SIZE))
23449 prot = PAGE_KERNEL_LARGE_EXEC;
23450
23451 pages_2m++;
23452@@ -329,7 +330,7 @@ repeat:
23453 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
23454 pte += pte_ofs;
23455 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
23456- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
23457+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
23458 pgprot_t prot = PAGE_KERNEL;
23459 /*
23460 * first pass will use the same initial
23461@@ -337,7 +338,7 @@ repeat:
23462 */
23463 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
23464
23465- if (is_kernel_text(addr))
23466+ if (is_kernel_text(address, address + PAGE_SIZE))
23467 prot = PAGE_KERNEL_EXEC;
23468
23469 pages_4k++;
23470@@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
23471
23472 pud = pud_offset(pgd, va);
23473 pmd = pmd_offset(pud, va);
23474- if (!pmd_present(*pmd))
23475+ if (!pmd_present(*pmd) || pmd_huge(*pmd))
23476 break;
23477
23478 pte = pte_offset_kernel(pmd, va);
23479@@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
23480
23481 static void __init pagetable_init(void)
23482 {
23483- pgd_t *pgd_base = swapper_pg_dir;
23484-
23485- permanent_kmaps_init(pgd_base);
23486+ permanent_kmaps_init(swapper_pg_dir);
23487 }
23488
23489 #ifdef CONFIG_ACPI_SLEEP
23490@@ -551,12 +550,12 @@ static void __init pagetable_init(void)
23491 * ACPI suspend needs this for resume, because things like the intel-agp
23492 * driver might have split up a kernel 4MB mapping.
23493 */
23494-char swsusp_pg_dir[PAGE_SIZE]
23495+pgd_t swsusp_pg_dir[PTRS_PER_PGD]
23496 __attribute__ ((aligned(PAGE_SIZE)));
23497
23498 static inline void save_pg_dir(void)
23499 {
23500- memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
23501+ clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
23502 }
23503 #else /* !CONFIG_ACPI_SLEEP */
23504 static inline void save_pg_dir(void)
23505@@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
23506 flush_tlb_all();
23507 }
23508
23509-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23510+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
23511 EXPORT_SYMBOL_GPL(__supported_pte_mask);
23512
23513 /* user-defined highmem size */
23514@@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
23515 * Initialize the boot-time allocator (with low memory only):
23516 */
23517 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
23518- bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23519+ bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
23520 PAGE_SIZE);
23521 if (bootmap == -1L)
23522 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
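Review bot: The search floor passed to `find_e820_area()` changes to a bare `0x100000` with no comment. The same literal replaces the `0x7000`/`0x8000` start in find_early_table_space (init.c), and the 1MB boundary appears again as `256` and `0x100` in devmem_is_allowed and `__ioremap_caller`. A named constant, or at least `/* keep boot allocations out of the first 1MB */` (intent to be confirmed), would tie these together. The function body starts outside this hunk.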
23523@@ -864,6 +863,12 @@ void __init mem_init(void)
23524
23525 pci_iommu_alloc();
23526
23527+#ifdef CONFIG_PAX_PER_CPU_PGD
23528+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23529+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23530+ KERNEL_PGD_PTRS);
23531+#endif
23532+
23533 #ifdef CONFIG_FLATMEM
23534 BUG_ON(!mem_map);
23535 #endif
23536@@ -881,7 +886,7 @@ void __init mem_init(void)
23537 set_highmem_pages_init();
23538
23539 codesize = (unsigned long) &_etext - (unsigned long) &_text;
23540- datasize = (unsigned long) &_edata - (unsigned long) &_etext;
23541+ datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
23542 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
23543
23544 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
23545@@ -923,10 +928,10 @@ void __init mem_init(void)
23546 ((unsigned long)&__init_end -
23547 (unsigned long)&__init_begin) >> 10,
23548
23549- (unsigned long)&_etext, (unsigned long)&_edata,
23550- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
23551+ (unsigned long)&_sdata, (unsigned long)&_edata,
23552+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
23553
23554- (unsigned long)&_text, (unsigned long)&_etext,
23555+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
23556 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
23557
23558 /*
23559@@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
23560 if (!kernel_set_to_readonly)
23561 return;
23562
23563+ start = ktla_ktva(start);
23564 pr_debug("Set kernel text: %lx - %lx for read write\n",
23565 start, start+size);
23566
23567@@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
23568 if (!kernel_set_to_readonly)
23569 return;
23570
23571+ start = ktla_ktva(start);
23572 pr_debug("Set kernel text: %lx - %lx for read only\n",
23573 start, start+size);
23574
23575@@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
23576 unsigned long start = PFN_ALIGN(_text);
23577 unsigned long size = PFN_ALIGN(_etext) - start;
23578
23579+ start = ktla_ktva(start);
23580 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
23581 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
23582 size >> 10);
23583diff -urNp linux-2.6.32.48/arch/x86/mm/init_64.c linux-2.6.32.48/arch/x86/mm/init_64.c
23584--- linux-2.6.32.48/arch/x86/mm/init_64.c 2011-11-08 19:02:43.000000000 -0500
23585+++ linux-2.6.32.48/arch/x86/mm/init_64.c 2011-11-15 19:59:43.000000000 -0500
23586@@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
23587 pmd = fill_pmd(pud, vaddr);
23588 pte = fill_pte(pmd, vaddr);
23589
23590+ pax_open_kernel();
23591 set_pte(pte, new_pte);
23592+ pax_close_kernel();
23593
23594 /*
23595 * It's enough to flush this one mapping.
23596@@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
23597 pgd = pgd_offset_k((unsigned long)__va(phys));
23598 if (pgd_none(*pgd)) {
23599 pud = (pud_t *) spp_getpage();
23600- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
23601- _PAGE_USER));
23602+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
23603 }
23604 pud = pud_offset(pgd, (unsigned long)__va(phys));
23605 if (pud_none(*pud)) {
23606 pmd = (pmd_t *) spp_getpage();
23607- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
23608- _PAGE_USER));
23609+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
23610 }
23611 pmd = pmd_offset(pud, phys);
23612 BUG_ON(!pmd_none(*pmd));
23613@@ -675,6 +675,12 @@ void __init mem_init(void)
23614
23615 pci_iommu_alloc();
23616
23617+#ifdef CONFIG_PAX_PER_CPU_PGD
23618+ clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
23619+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
23620+ KERNEL_PGD_PTRS);
23621+#endif
23622+
23623 /* clear_bss() already clear the empty_zero_page */
23624
23625 reservedpages = 0;
23626@@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
23627 static struct vm_area_struct gate_vma = {
23628 .vm_start = VSYSCALL_START,
23629 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
23630- .vm_page_prot = PAGE_READONLY_EXEC,
23631- .vm_flags = VM_READ | VM_EXEC
23632+ .vm_page_prot = PAGE_READONLY,
23633+ .vm_flags = VM_READ
23634 };
23635
23636 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
23637@@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
23638
23639 const char *arch_vma_name(struct vm_area_struct *vma)
23640 {
23641- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
23642+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
23643 return "[vdso]";
23644 if (vma == &gate_vma)
23645 return "[vsyscall]";
23646diff -urNp linux-2.6.32.48/arch/x86/mm/init.c linux-2.6.32.48/arch/x86/mm/init.c
23647--- linux-2.6.32.48/arch/x86/mm/init.c 2011-11-08 19:02:43.000000000 -0500
23648+++ linux-2.6.32.48/arch/x86/mm/init.c 2011-11-15 19:59:43.000000000 -0500
23649@@ -69,11 +69,7 @@ static void __init find_early_table_spac
23650 * cause a hotspot and fill up ZONE_DMA. The page tables
23651 * need roughly 0.5KB per GB.
23652 */
23653-#ifdef CONFIG_X86_32
23654- start = 0x7000;
23655-#else
23656- start = 0x8000;
23657-#endif
23658+ start = 0x100000;
23659 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
23660 tables, PAGE_SIZE);
23661 if (e820_table_start == -1UL)
23662@@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
23663 #endif
23664
23665 set_nx();
23666- if (nx_enabled)
23667+ if (nx_enabled && cpu_has_nx)
23668 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
23669
23670 /* Enable PSE if available */
23671@@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
23672 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
23673 * mmio resources as well as potential bios/acpi data regions.
23674 */
23675+
23676 int devmem_is_allowed(unsigned long pagenr)
23677 {
23678+#ifdef CONFIG_GRKERNSEC_KMEM
23679+ /* allow BDA */
23680+ if (!pagenr)
23681+ return 1;
23682+ /* allow EBDA */
23683+ if ((0x9f000 >> PAGE_SHIFT) == pagenr)
23684+ return 1;
23685+ /* allow ISA/video mem */
23686+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23687+ return 1;
23688+ /* throw out everything else below 1MB */
23689+ if (pagenr <= 256)
23690+ return 0;
23691+#else
23692 if (pagenr <= 256)
23693 return 1;
23694+#endif
23695+
23696 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
23697 return 0;
23698 if (!page_is_ram(pagenr))
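Review bot: In the `CONFIG_GRKERNSEC_KMEM` branch the EBDA exception is a single hard-coded page (`0x9f000 >> PAGE_SHIFT`) and the low-memory bound is a bare `256`, with no named constants. `pagenr <= 256` also refuses the page at exactly 1MB (assuming 4K pages), although the comment says "below 1MB". That errs on the side of denial, so the issue is accuracy rather than exposure. The comment could read `/* deny the rest of the first 1MB, plus the page at 1MB to mirror the stock bound */`. If the EBDA can sit elsewhere or span more than one page on some machines, the comment should say that only this page is allowed by design.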
23699@@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
23700
23701 void free_initmem(void)
23702 {
23703+
23704+#ifdef CONFIG_PAX_KERNEXEC
23705+#ifdef CONFIG_X86_32
23706+ /* PaX: limit KERNEL_CS to actual size */
23707+ unsigned long addr, limit;
23708+ struct desc_struct d;
23709+ int cpu;
23710+
23711+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
23712+ limit = (limit - 1UL) >> PAGE_SHIFT;
23713+
23714+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
23715+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
23716+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
23717+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
23718+ }
23719+
23720+ /* PaX: make KERNEL_CS read-only */
23721+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
23722+ if (!paravirt_enabled())
23723+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
23724+/*
23725+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
23726+ pgd = pgd_offset_k(addr);
23727+ pud = pud_offset(pgd, addr);
23728+ pmd = pmd_offset(pud, addr);
23729+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23730+ }
23731+*/
23732+#ifdef CONFIG_X86_PAE
23733+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
23734+/*
23735+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
23736+ pgd = pgd_offset_k(addr);
23737+ pud = pud_offset(pgd, addr);
23738+ pmd = pmd_offset(pud, addr);
23739+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23740+ }
23741+*/
23742+#endif
23743+
23744+#ifdef CONFIG_MODULES
23745+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
23746+#endif
23747+
23748+#else
23749+ pgd_t *pgd;
23750+ pud_t *pud;
23751+ pmd_t *pmd;
23752+ unsigned long addr, end;
23753+
23754+ /* PaX: make kernel code/rodata read-only, rest non-executable */
23755+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
23756+ pgd = pgd_offset_k(addr);
23757+ pud = pud_offset(pgd, addr);
23758+ pmd = pmd_offset(pud, addr);
23759+ if (!pmd_present(*pmd))
23760+ continue;
23761+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
23762+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23763+ else
23764+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
23765+ }
23766+
23767+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
23768+ end = addr + KERNEL_IMAGE_SIZE;
23769+ for (; addr < end; addr += PMD_SIZE) {
23770+ pgd = pgd_offset_k(addr);
23771+ pud = pud_offset(pgd, addr);
23772+ pmd = pmd_offset(pud, addr);
23773+ if (!pmd_present(*pmd))
23774+ continue;
23775+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
23776+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
23777+ }
23778+#endif
23779+
23780+ flush_tlb_all();
23781+#endif
23782+
23783 free_init_pages("unused kernel memory",
23784 (unsigned long)(&__init_begin),
23785 (unsigned long)(&__init_end));
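Review bot: The x86-64 branch picks each PMD's protection from its start address alone (`_text <= addr && addr < _sdata`), so it is correct only if `_text` and `_sdata` fall on PMD boundaries. Otherwise the entry holding the first bytes of text gets NX, or the one straddling `_sdata` loses RW for data as well. Nothing in the hunk states or checks that alignment. A check such as `BUG_ON(((unsigned long)_text | (unsigned long)_sdata) & ~PMD_MASK);`, or a comment naming where alignment is guaranteed, would make the invariant explicit. The two commented-out `for` loops in the 32-bit branch are dead code and should be dropped. `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` appears to pass an integer where a pointer is expected and has no comment on why that page is poisoned.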
23786diff -urNp linux-2.6.32.48/arch/x86/mm/iomap_32.c linux-2.6.32.48/arch/x86/mm/iomap_32.c
23787--- linux-2.6.32.48/arch/x86/mm/iomap_32.c 2011-11-08 19:02:43.000000000 -0500
23788+++ linux-2.6.32.48/arch/x86/mm/iomap_32.c 2011-11-15 19:59:43.000000000 -0500
23789@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
23790 debug_kmap_atomic(type);
23791 idx = type + KM_TYPE_NR * smp_processor_id();
23792 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
23793+
23794+ pax_open_kernel();
23795 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
23796+ pax_close_kernel();
23797+
23798 arch_flush_lazy_mmu_mode();
23799
23800 return (void *)vaddr;
23801diff -urNp linux-2.6.32.48/arch/x86/mm/ioremap.c linux-2.6.32.48/arch/x86/mm/ioremap.c
23802--- linux-2.6.32.48/arch/x86/mm/ioremap.c 2011-11-08 19:02:43.000000000 -0500
23803+++ linux-2.6.32.48/arch/x86/mm/ioremap.c 2011-11-15 19:59:43.000000000 -0500
23804@@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
23805 * Second special case: Some BIOSen report the PC BIOS
23806 * area (640->1Mb) as ram even though it is not.
23807 */
23808- if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
23809- pagenr < (BIOS_END >> PAGE_SHIFT))
23810+ if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
23811+ pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
23812 return 0;
23813
23814 for (i = 0; i < e820.nr_map; i++) {
23815@@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
23816 /*
23817 * Don't allow anybody to remap normal RAM that we're using..
23818 */
23819- for (pfn = phys_addr >> PAGE_SHIFT;
23820- (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
23821- pfn++) {
23822-
23823+ for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
23824 int is_ram = page_is_ram(pfn);
23825
23826- if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
23827+ if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
23828 return NULL;
23829 WARN_ON_ONCE(is_ram);
23830 }
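Review bot: The loop comment still says "Don't allow anybody to remap normal RAM that we're using", but the new test `pfn >= 0x100 || !PageReserved(...)` refuses every valid RAM page at or above pfn `0x100`, reserved or not. Only reserved RAM below that boundary stays mappable, and it still trips `WARN_ON_ONCE(is_ram)`. The comment should state the stricter rule, e.g. `/* refuse all RAM at or above pfn 0x100; below it only reserved pages may be remapped */`. The `0x100` literal should also share a name with the matching 1MB bound used in devmem_is_allowed. The function body starts outside this hunk.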
23831@@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
23832 early_param("early_ioremap_debug", early_ioremap_debug_setup);
23833
23834 static __initdata int after_paging_init;
23835-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
23836+static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
23837
23838 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
23839 {
23840@@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
23841 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
23842
23843 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
23844- memset(bm_pte, 0, sizeof(bm_pte));
23845- pmd_populate_kernel(&init_mm, pmd, bm_pte);
23846+ pmd_populate_user(&init_mm, pmd, bm_pte);
23847
23848 /*
23849 * The boot-ioremap range spans multiple pmds, for which
23850diff -urNp linux-2.6.32.48/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.48/arch/x86/mm/kmemcheck/kmemcheck.c
23851--- linux-2.6.32.48/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-08 19:02:43.000000000 -0500
23852+++ linux-2.6.32.48/arch/x86/mm/kmemcheck/kmemcheck.c 2011-11-15 19:59:43.000000000 -0500
23853@@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
23854 * memory (e.g. tracked pages)? For now, we need this to avoid
23855 * invoking kmemcheck for PnP BIOS calls.
23856 */
23857- if (regs->flags & X86_VM_MASK)
23858+ if (v8086_mode(regs))
23859 return false;
23860- if (regs->cs != __KERNEL_CS)
23861+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
23862 return false;
23863
23864 pte = kmemcheck_pte_lookup(address);
23865diff -urNp linux-2.6.32.48/arch/x86/mm/mmap.c linux-2.6.32.48/arch/x86/mm/mmap.c
23866--- linux-2.6.32.48/arch/x86/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
23867+++ linux-2.6.32.48/arch/x86/mm/mmap.c 2011-11-15 19:59:43.000000000 -0500
23868@@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
23869 * Leave an at least ~128 MB hole with possible stack randomization.
23870 */
23871 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
23872-#define MAX_GAP (TASK_SIZE/6*5)
23873+#define MAX_GAP (pax_task_size/6*5)
23874
23875 /*
23876 * True on X86_32 or when emulating IA32 on X86_64
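Review bot: `MAX_GAP` now expands to `pax_task_size`, which is not a global but a local that the next hunk declares inside mmap_base(), so the macro only works where a variable of exactly that name is in scope. Passing the size as an argument makes the dependency explicit: `#define MAX_GAP(task_size) ((task_size)/6*5)` and `else if (gap > MAX_GAP(pax_task_size))`. As written, a later use of MAX_GAP outside mmap_base() would either fail to build or bind to an unrelated variable with the same name.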
23877@@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
23878 return rnd << PAGE_SHIFT;
23879 }
23880
23881-static unsigned long mmap_base(void)
23882+static unsigned long mmap_base(struct mm_struct *mm)
23883 {
23884 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
23885+ unsigned long pax_task_size = TASK_SIZE;
23886+
23887+#ifdef CONFIG_PAX_SEGMEXEC
23888+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23889+ pax_task_size = SEGMEXEC_TASK_SIZE;
23890+#endif
23891
23892 if (gap < MIN_GAP)
23893 gap = MIN_GAP;
23894 else if (gap > MAX_GAP)
23895 gap = MAX_GAP;
23896
23897- return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
23898+ return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
23899 }
23900
23901 /*
23902 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
23903 * does, but not when emulating X86_32
23904 */
23905-static unsigned long mmap_legacy_base(void)
23906+static unsigned long mmap_legacy_base(struct mm_struct *mm)
23907 {
23908- if (mmap_is_ia32())
23909+ if (mmap_is_ia32()) {
23910+
23911+#ifdef CONFIG_PAX_SEGMEXEC
23912+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
23913+ return SEGMEXEC_TASK_UNMAPPED_BASE;
23914+ else
23915+#endif
23916+
23917 return TASK_UNMAPPED_BASE;
23918- else
23919+ } else
23920 return TASK_UNMAPPED_BASE + mmap_rnd();
23921 }
23922
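Review bot: In mmap_legacy_base() the `else` that closes the CONFIG_PAX_SEGMEXEC block binds to a `return` placed after the `#endif`, so the shape of the statement changes with the config option. Because the SEGMEXEC branch already returns, the `else` is redundant. Dropping it leaves `if (mm->pax_flags & MF_PAX_SEGMEXEC) return SEGMEXEC_TASK_UNMAPPED_BASE;` entirely inside the `#ifdef` and the plain `return TASK_UNMAPPED_BASE;` outside it. A one-line comment in mmap_base() saying that `pax_task_size` is the reduced address-space size used under SEGMEXEC would also help readers of the gap arithmetic.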
23923@@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
23924 void arch_pick_mmap_layout(struct mm_struct *mm)
23925 {
23926 if (mmap_is_legacy()) {
23927- mm->mmap_base = mmap_legacy_base();
23928+ mm->mmap_base = mmap_legacy_base(mm);
23929+
23930+#ifdef CONFIG_PAX_RANDMMAP
23931+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23932+ mm->mmap_base += mm->delta_mmap;
23933+#endif
23934+
23935 mm->get_unmapped_area = arch_get_unmapped_area;
23936 mm->unmap_area = arch_unmap_area;
23937 } else {
23938- mm->mmap_base = mmap_base();
23939+ mm->mmap_base = mmap_base(mm);
23940+
23941+#ifdef CONFIG_PAX_RANDMMAP
23942+ if (mm->pax_flags & MF_PAX_RANDMMAP)
23943+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
23944+#endif
23945+
23946 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
23947 mm->unmap_area = arch_unmap_area_topdown;
23948 }
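Review bot: The top-down branch subtracts `mm->delta_mmap + mm->delta_stack` from `mm->mmap_base` with no lower bound. mmap_base() clamps the stack gap to at most 5/6 of the task size, so the base can already sit in the lowest sixth of the address space before this subtraction. Whether the two deltas (defined outside this hunk) can push it lower than intended, or wrap, is not visible here and should be confirmed. If they can, the result needs a floor. Either way a comment should explain why the legacy branch adds only `delta_mmap` while the top-down branch subtracts both. The function's closing brace is outside the hunk.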
23949diff -urNp linux-2.6.32.48/arch/x86/mm/mmio-mod.c linux-2.6.32.48/arch/x86/mm/mmio-mod.c
23950--- linux-2.6.32.48/arch/x86/mm/mmio-mod.c 2011-11-08 19:02:43.000000000 -0500
23951+++ linux-2.6.32.48/arch/x86/mm/mmio-mod.c 2011-11-15 19:59:43.000000000 -0500
23952@@ -193,7 +193,7 @@ static void pre(struct kmmio_probe *p, s
23953 break;
23954 default:
23955 {
23956- unsigned char *ip = (unsigned char *)instptr;
23957+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
23958 my_trace->opcode = MMIO_UNKNOWN_OP;
23959 my_trace->width = 0;
23960 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
23961@@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
23962 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
23963 void __iomem *addr)
23964 {
23965- static atomic_t next_id;
23966+ static atomic_unchecked_t next_id;
23967 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
23968 /* These are page-unaligned. */
23969 struct mmiotrace_map map = {
23970@@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
23971 .private = trace
23972 },
23973 .phys = offset,
23974- .id = atomic_inc_return(&next_id)
23975+ .id = atomic_inc_return_unchecked(&next_id)
23976 };
23977 map.map_id = trace->id;
23978
23979diff -urNp linux-2.6.32.48/arch/x86/mm/numa_32.c linux-2.6.32.48/arch/x86/mm/numa_32.c
23980--- linux-2.6.32.48/arch/x86/mm/numa_32.c 2011-11-08 19:02:43.000000000 -0500
23981+++ linux-2.6.32.48/arch/x86/mm/numa_32.c 2011-11-15 19:59:43.000000000 -0500
23982@@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
23983 }
23984 #endif
23985
23986-extern unsigned long find_max_low_pfn(void);
23987 extern unsigned long highend_pfn, highstart_pfn;
23988
23989 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
23990diff -urNp linux-2.6.32.48/arch/x86/mm/pageattr.c linux-2.6.32.48/arch/x86/mm/pageattr.c
23991--- linux-2.6.32.48/arch/x86/mm/pageattr.c 2011-11-08 19:02:43.000000000 -0500
23992+++ linux-2.6.32.48/arch/x86/mm/pageattr.c 2011-11-15 19:59:43.000000000 -0500
23993@@ -261,16 +261,17 @@ static inline pgprot_t static_protection
23994 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
23995 */
23996 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
23997- pgprot_val(forbidden) |= _PAGE_NX;
23998+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
23999
24000 /*
24001 * The kernel text needs to be executable for obvious reasons
24002 * Does not cover __inittext since that is gone later on. On
24003 * 64bit we do not enforce !NX on the low mapping
24004 */
24005- if (within(address, (unsigned long)_text, (unsigned long)_etext))
24006- pgprot_val(forbidden) |= _PAGE_NX;
24007+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
24008+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24009
24010+#ifdef CONFIG_DEBUG_RODATA
24011 /*
24012 * The .rodata section needs to be read-only. Using the pfn
24013 * catches all aliases.
24014@@ -278,6 +279,14 @@ static inline pgprot_t static_protection
24015 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
24016 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
24017 pgprot_val(forbidden) |= _PAGE_RW;
24018+#endif
24019+
24020+#ifdef CONFIG_PAX_KERNEXEC
24021+ if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
24022+ pgprot_val(forbidden) |= _PAGE_RW;
24023+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
24024+ }
24025+#endif
24026
24027 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
24028
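Review bot: The new CONFIG_PAX_KERNEXEC check passes `__pa(...)` byte addresses to `within(pfn, ...)`, while the .rodata check directly above it shifts both bounds with `>> PAGE_SHIFT` before comparing against `pfn`. If `pfn` is a page frame number here, as that context suggests, the bounds are too large by a factor of the page size and the kernel image's own frames would rarely or never match, so the RW/NX restriction would not apply to their aliases. I would expect `within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)`. static_protections() starts before and continues after this hunk.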
24029@@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
24030 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
24031 {
24032 /* change init_mm */
24033+ pax_open_kernel();
24034 set_pte_atomic(kpte, pte);
24035+
24036 #ifdef CONFIG_X86_32
24037 if (!SHARED_KERNEL_PMD) {
24038+
24039+#ifdef CONFIG_PAX_PER_CPU_PGD
24040+ unsigned long cpu;
24041+#else
24042 struct page *page;
24043+#endif
24044
24045+#ifdef CONFIG_PAX_PER_CPU_PGD
24046+ for (cpu = 0; cpu < NR_CPUS; ++cpu) {
24047+ pgd_t *pgd = get_cpu_pgd(cpu);
24048+#else
24049 list_for_each_entry(page, &pgd_list, lru) {
24050- pgd_t *pgd;
24051+ pgd_t *pgd = (pgd_t *)page_address(page);
24052+#endif
24053+
24054 pud_t *pud;
24055 pmd_t *pmd;
24056
24057- pgd = (pgd_t *)page_address(page) + pgd_index(address);
24058+ pgd += pgd_index(address);
24059 pud = pud_offset(pgd, address);
24060 pmd = pmd_offset(pud, address);
24061 set_pte_atomic((pte_t *)pmd, pte);
24062 }
24063 }
24064 #endif
24065+ pax_close_kernel();
24066 }
24067
24068 static int
24069diff -urNp linux-2.6.32.48/arch/x86/mm/pageattr-test.c linux-2.6.32.48/arch/x86/mm/pageattr-test.c
24070--- linux-2.6.32.48/arch/x86/mm/pageattr-test.c 2011-11-08 19:02:43.000000000 -0500
24071+++ linux-2.6.32.48/arch/x86/mm/pageattr-test.c 2011-11-15 19:59:43.000000000 -0500
24072@@ -36,7 +36,7 @@ enum {
24073
24074 static int pte_testbit(pte_t pte)
24075 {
24076- return pte_flags(pte) & _PAGE_UNUSED1;
24077+ return pte_flags(pte) & _PAGE_CPA_TEST;
24078 }
24079
24080 struct split_state {
24081diff -urNp linux-2.6.32.48/arch/x86/mm/pat.c linux-2.6.32.48/arch/x86/mm/pat.c
24082--- linux-2.6.32.48/arch/x86/mm/pat.c 2011-11-08 19:02:43.000000000 -0500
24083+++ linux-2.6.32.48/arch/x86/mm/pat.c 2011-11-15 19:59:43.000000000 -0500
24084@@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
24085
24086 conflict:
24087 printk(KERN_INFO "%s:%d conflicting memory types "
24088- "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
24089+ "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
24090 new->end, cattr_name(new->type), cattr_name(entry->type));
24091 return -EBUSY;
24092 }
24093@@ -559,7 +559,7 @@ unlock_ret:
24094
24095 if (err) {
24096 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
24097- current->comm, current->pid, start, end);
24098+ current->comm, task_pid_nr(current), start, end);
24099 }
24100
24101 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
24102@@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
24103 while (cursor < to) {
24104 if (!devmem_is_allowed(pfn)) {
24105 printk(KERN_INFO
24106- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
24107- current->comm, from, to);
24108+ "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
24109+ current->comm, from, to, cursor);
24110 return 0;
24111 }
24112 cursor += PAGE_SIZE;
24113@@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
24114 printk(KERN_INFO
24115 "%s:%d ioremap_change_attr failed %s "
24116 "for %Lx-%Lx\n",
24117- current->comm, current->pid,
24118+ current->comm, task_pid_nr(current),
24119 cattr_name(flags),
24120 base, (unsigned long long)(base + size));
24121 return -EINVAL;
24122@@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
24123 free_memtype(paddr, paddr + size);
24124 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
24125 " for %Lx-%Lx, got %s\n",
24126- current->comm, current->pid,
24127+ current->comm, task_pid_nr(current),
24128 cattr_name(want_flags),
24129 (unsigned long long)paddr,
24130 (unsigned long long)(paddr + size),
24131diff -urNp linux-2.6.32.48/arch/x86/mm/pf_in.c linux-2.6.32.48/arch/x86/mm/pf_in.c
24132--- linux-2.6.32.48/arch/x86/mm/pf_in.c 2011-11-08 19:02:43.000000000 -0500
24133+++ linux-2.6.32.48/arch/x86/mm/pf_in.c 2011-11-15 19:59:43.000000000 -0500
24134@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned l
24135 int i;
24136 enum reason_type rv = OTHERS;
24137
24138- p = (unsigned char *)ins_addr;
24139+ p = (unsigned char *)ktla_ktva(ins_addr);
24140 p += skip_prefix(p, &prf);
24141 p += get_opcode(p, &opcode);
24142
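Review bot: The `(unsigned char *)ktla_ktva(ins_addr)` conversion is repeated verbatim in get_ins_type() and, in the following hunks, in get_ins_reg_width(), get_ins_mem_width(), get_ins_reg_val() and get_ins_imm_val(). A small helper such as `static inline unsigned char *ins_ptr(unsigned long ins_addr) { return (unsigned char *)ktla_ktva(ins_addr); }` would keep the five decoders from drifting apart if one is edited later. ktla_ktva() is defined outside this section, so the helper should carry a comment stating which address translation is intended rather than leaving readers to infer it.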
24143@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(un
24144 struct prefix_bits prf;
24145 int i;
24146
24147- p = (unsigned char *)ins_addr;
24148+ p = (unsigned char *)ktla_ktva(ins_addr);
24149 p += skip_prefix(p, &prf);
24150 p += get_opcode(p, &opcode);
24151
24152@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned
24153 struct prefix_bits prf;
24154 int i;
24155
24156- p = (unsigned char *)ins_addr;
24157+ p = (unsigned char *)ktla_ktva(ins_addr);
24158 p += skip_prefix(p, &prf);
24159 p += get_opcode(p, &opcode);
24160
24161@@ -417,7 +417,7 @@ unsigned long get_ins_reg_val(unsigned l
24162 int i;
24163 unsigned long rv;
24164
24165- p = (unsigned char *)ins_addr;
24166+ p = (unsigned char *)ktla_ktva(ins_addr);
24167 p += skip_prefix(p, &prf);
24168 p += get_opcode(p, &opcode);
24169 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
24170@@ -472,7 +472,7 @@ unsigned long get_ins_imm_val(unsigned l
24171 int i;
24172 unsigned long rv;
24173
24174- p = (unsigned char *)ins_addr;
24175+ p = (unsigned char *)ktla_ktva(ins_addr);
24176 p += skip_prefix(p, &prf);
24177 p += get_opcode(p, &opcode);
24178 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
24179diff -urNp linux-2.6.32.48/arch/x86/mm/pgtable_32.c linux-2.6.32.48/arch/x86/mm/pgtable_32.c
24180--- linux-2.6.32.48/arch/x86/mm/pgtable_32.c 2011-11-08 19:02:43.000000000 -0500
24181+++ linux-2.6.32.48/arch/x86/mm/pgtable_32.c 2011-11-15 19:59:43.000000000 -0500
24182@@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
24183 return;
24184 }
24185 pte = pte_offset_kernel(pmd, vaddr);
24186+
24187+ pax_open_kernel();
24188 if (pte_val(pteval))
24189 set_pte_at(&init_mm, vaddr, pte, pteval);
24190 else
24191 pte_clear(&init_mm, vaddr, pte);
24192+ pax_close_kernel();
24193
24194 /*
24195 * It's enough to flush this one mapping.
24196diff -urNp linux-2.6.32.48/arch/x86/mm/pgtable.c linux-2.6.32.48/arch/x86/mm/pgtable.c
24197--- linux-2.6.32.48/arch/x86/mm/pgtable.c 2011-11-08 19:02:43.000000000 -0500
24198+++ linux-2.6.32.48/arch/x86/mm/pgtable.c 2011-11-15 19:59:43.000000000 -0500
24199@@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
24200 list_del(&page->lru);
24201 }
24202
24203-#define UNSHARED_PTRS_PER_PGD \
24204- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24205+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24206+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
24207
24208+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24209+{
24210+ while (count--)
24211+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
24212+}
24213+#endif
24214+
24215+#ifdef CONFIG_PAX_PER_CPU_PGD
24216+void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
24217+{
24218+ while (count--)
24219+
24220+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
24221+ *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
24222+#else
24223+ *dst++ = *src++;
24224+#endif
24225+
24226+}
24227+#endif
24228+
24229+#ifdef CONFIG_X86_64
24230+#define pxd_t pud_t
24231+#define pyd_t pgd_t
24232+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
24233+#define pxd_free(mm, pud) pud_free((mm), (pud))
24234+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
24235+#define pyd_offset(mm ,address) pgd_offset((mm), (address))
24236+#define PYD_SIZE PGDIR_SIZE
24237+#else
24238+#define pxd_t pmd_t
24239+#define pyd_t pud_t
24240+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
24241+#define pxd_free(mm, pud) pmd_free((mm), (pud))
24242+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
24243+#define pyd_offset(mm ,address) pud_offset((mm), (address))
24244+#define PYD_SIZE PUD_SIZE
24245+#endif
24246+
24247+#ifdef CONFIG_PAX_PER_CPU_PGD
24248+static inline void pgd_ctor(pgd_t *pgd) {}
24249+static inline void pgd_dtor(pgd_t *pgd) {}
24250+#else
24251 static void pgd_ctor(pgd_t *pgd)
24252 {
24253 /* If the pgd points to a shared pagetable level (either the
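Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` take `int count` and loop on `while (count--)`, so a negative count copies far past both arrays instead of doing nothing. Either write the loop as `while (count-- > 0)` or make the parameter unsigned (the prototypes are outside this hunk and would need to follow). In `__clone_user_pgds()` the loop body is selected by `#if` with a blank line between `while` and the statement. Braces around the body would make it harder to break when one branch is edited. pgd_ctor()'s body continues outside the hunk.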
24254@@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
24255 pgd_list_del(pgd);
24256 spin_unlock_irqrestore(&pgd_lock, flags);
24257 }
24258+#endif
24259
24260 /*
24261 * List of all pgd's needed for non-PAE so it can invalidate entries
24262@@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
24263 * -- wli
24264 */
24265
24266-#ifdef CONFIG_X86_PAE
24267+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24268 /*
24269 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
24270 * updating the top-level pagetable entries to guarantee the
24271@@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
24272 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
24273 * and initialize the kernel pmds here.
24274 */
24275-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
24276+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
24277
24278 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
24279 {
24280@@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
24281 */
24282 flush_tlb_mm(mm);
24283 }
24284+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
24285+#define PREALLOCATED_PXDS USER_PGD_PTRS
24286 #else /* !CONFIG_X86_PAE */
24287
24288 /* No need to prepopulate any pagetable entries in non-PAE modes. */
24289-#define PREALLOCATED_PMDS 0
24290+#define PREALLOCATED_PXDS 0
24291
24292 #endif /* CONFIG_X86_PAE */
24293
24294-static void free_pmds(pmd_t *pmds[])
24295+static void free_pxds(pxd_t *pxds[])
24296 {
24297 int i;
24298
24299- for(i = 0; i < PREALLOCATED_PMDS; i++)
24300- if (pmds[i])
24301- free_page((unsigned long)pmds[i]);
24302+ for(i = 0; i < PREALLOCATED_PXDS; i++)
24303+ if (pxds[i])
24304+ free_page((unsigned long)pxds[i]);
24305 }
24306
24307-static int preallocate_pmds(pmd_t *pmds[])
24308+static int preallocate_pxds(pxd_t *pxds[])
24309 {
24310 int i;
24311 bool failed = false;
24312
24313- for(i = 0; i < PREALLOCATED_PMDS; i++) {
24314- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
24315- if (pmd == NULL)
24316+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
24317+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
24318+ if (pxd == NULL)
24319 failed = true;
24320- pmds[i] = pmd;
24321+ pxds[i] = pxd;
24322 }
24323
24324 if (failed) {
24325- free_pmds(pmds);
24326+ free_pxds(pxds);
24327 return -ENOMEM;
24328 }
24329
24330@@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
24331 * preallocate which never got a corresponding vma will need to be
24332 * freed manually.
24333 */
24334-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
24335+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
24336 {
24337 int i;
24338
24339- for(i = 0; i < PREALLOCATED_PMDS; i++) {
24340+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
24341 pgd_t pgd = pgdp[i];
24342
24343 if (pgd_val(pgd) != 0) {
24344- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
24345+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
24346
24347- pgdp[i] = native_make_pgd(0);
24348+ set_pgd(pgdp + i, native_make_pgd(0));
24349
24350- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
24351- pmd_free(mm, pmd);
24352+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
24353+ pxd_free(mm, pxd);
24354 }
24355 }
24356 }
24357
24358-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
24359+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
24360 {
24361- pud_t *pud;
24362+ pyd_t *pyd;
24363 unsigned long addr;
24364 int i;
24365
24366- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
24367+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
24368 return;
24369
24370- pud = pud_offset(pgd, 0);
24371+#ifdef CONFIG_X86_64
24372+ pyd = pyd_offset(mm, 0L);
24373+#else
24374+ pyd = pyd_offset(pgd, 0L);
24375+#endif
24376
24377- for (addr = i = 0; i < PREALLOCATED_PMDS;
24378- i++, pud++, addr += PUD_SIZE) {
24379- pmd_t *pmd = pmds[i];
24380+ for (addr = i = 0; i < PREALLOCATED_PXDS;
24381+ i++, pyd++, addr += PYD_SIZE) {
24382+ pxd_t *pxd = pxds[i];
24383
24384 if (i >= KERNEL_PGD_BOUNDARY)
24385- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24386- sizeof(pmd_t) * PTRS_PER_PMD);
24387+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
24388+ sizeof(pxd_t) * PTRS_PER_PMD);
24389
24390- pud_populate(mm, pud, pmd);
24391+ pyd_populate(mm, pyd, pxd);
24392 }
24393 }
24394
24395 pgd_t *pgd_alloc(struct mm_struct *mm)
24396 {
24397 pgd_t *pgd;
24398- pmd_t *pmds[PREALLOCATED_PMDS];
24399+ pxd_t *pxds[PREALLOCATED_PXDS];
24400+
24401 unsigned long flags;
24402
24403 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
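Review bot: `pxd_t *pxds[PREALLOCATED_PXDS];` in pgd_alloc() is an on-stack array whose length an earlier hunk sets to `USER_PGD_PTRS` for x86_64 with CONFIG_PAX_PER_CPU_PGD. That constant is defined outside this section; if it is in the hundreds, this is kilobytes of kernel stack plus that many page allocations per mm, so the bound should be stated in a comment or the array moved off the stack. Separately, pgd_prepopulate_pxd() still copies `sizeof(pxd_t) * PTRS_PER_PMD` although `pxd_t` may now be `pud_t`. On x86_64 it also ignores its `pgd` argument in favour of `pyd_offset(mm, 0L)`, which only works because the caller has already set `mm->pgd`. pgd_alloc()'s body continues past the hunk.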
24404@@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24405
24406 mm->pgd = pgd;
24407
24408- if (preallocate_pmds(pmds) != 0)
24409+ if (preallocate_pxds(pxds) != 0)
24410 goto out_free_pgd;
24411
24412 if (paravirt_pgd_alloc(mm) != 0)
24413- goto out_free_pmds;
24414+ goto out_free_pxds;
24415
24416 /*
24417 * Make sure that pre-populating the pmds is atomic with
24418@@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
24419 spin_lock_irqsave(&pgd_lock, flags);
24420
24421 pgd_ctor(pgd);
24422- pgd_prepopulate_pmd(mm, pgd, pmds);
24423+ pgd_prepopulate_pxd(mm, pgd, pxds);
24424
24425 spin_unlock_irqrestore(&pgd_lock, flags);
24426
24427 return pgd;
24428
24429-out_free_pmds:
24430- free_pmds(pmds);
24431+out_free_pxds:
24432+ free_pxds(pxds);
24433 out_free_pgd:
24434 free_page((unsigned long)pgd);
24435 out:
24436@@ -287,7 +338,7 @@ out:
24437
24438 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
24439 {
24440- pgd_mop_up_pmds(mm, pgd);
24441+ pgd_mop_up_pxds(mm, pgd);
24442 pgd_dtor(pgd);
24443 paravirt_pgd_free(mm, pgd);
24444 free_page((unsigned long)pgd);
24445diff -urNp linux-2.6.32.48/arch/x86/mm/setup_nx.c linux-2.6.32.48/arch/x86/mm/setup_nx.c
24446--- linux-2.6.32.48/arch/x86/mm/setup_nx.c 2011-11-08 19:02:43.000000000 -0500
24447+++ linux-2.6.32.48/arch/x86/mm/setup_nx.c 2011-11-15 19:59:43.000000000 -0500
24448@@ -4,11 +4,10 @@
24449
24450 #include <asm/pgtable.h>
24451
24452+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
24453 int nx_enabled;
24454
24455-#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
24456-static int disable_nx __cpuinitdata;
24457-
24458+#ifndef CONFIG_PAX_PAGEEXEC
24459 /*
24460 * noexec = on|off
24461 *
24462@@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
24463 if (!str)
24464 return -EINVAL;
24465 if (!strncmp(str, "on", 2)) {
24466- __supported_pte_mask |= _PAGE_NX;
24467- disable_nx = 0;
24468+ nx_enabled = 1;
24469 } else if (!strncmp(str, "off", 3)) {
24470- disable_nx = 1;
24471- __supported_pte_mask &= ~_PAGE_NX;
24472+ nx_enabled = 0;
24473 }
24474 return 0;
24475 }
24476 early_param("noexec", noexec_setup);
24477 #endif
24478+#endif
24479
24480 #ifdef CONFIG_X86_PAE
24481 void __init set_nx(void)
24482 {
24483- unsigned int v[4], l, h;
24484+ if (!nx_enabled && cpu_has_nx) {
24485+ unsigned l, h;
24486
24487- if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
24488- cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
24489-
24490- if ((v[3] & (1 << 20)) && !disable_nx) {
24491- rdmsr(MSR_EFER, l, h);
24492- l |= EFER_NX;
24493- wrmsr(MSR_EFER, l, h);
24494- nx_enabled = 1;
24495- __supported_pte_mask |= _PAGE_NX;
24496- }
24497+ __supported_pte_mask &= ~_PAGE_NX;
24498+ rdmsr(MSR_EFER, l, h);
24499+ l &= ~EFER_NX;
24500+ wrmsr(MSR_EFER, l, h);
24501 }
24502 }
24503 #else
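Review bot: set_nx() is inverted by this change: it no longer enables NX, it only clears `_PAGE_NX` and `EFER_NX` when `nx_enabled` is zero, and `int nx_enabled;` has no initialiser in this file. The protected default therefore depends on code outside this section setting `nx_enabled` (and EFER.NX) before set_nx() runs. If that ordering ever breaks, NX is turned off without any message. A comment on set_nx() stating the precondition would make the invariant reviewable, for example `/* precondition: early boot has set nx_enabled when NX is on; this path only disables it */` (wording for the author to confirm). The same dependency applies to the `!nx_enabled` test that the next hunk puts into check_efer().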
24504@@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
24505 unsigned long efer;
24506
24507 rdmsrl(MSR_EFER, efer);
24508- if (!(efer & EFER_NX) || disable_nx)
24509+ if (!(efer & EFER_NX) || !nx_enabled)
24510 __supported_pte_mask &= ~_PAGE_NX;
24511 }
24512 #endif
24513diff -urNp linux-2.6.32.48/arch/x86/mm/tlb.c linux-2.6.32.48/arch/x86/mm/tlb.c
24514--- linux-2.6.32.48/arch/x86/mm/tlb.c 2011-11-08 19:02:43.000000000 -0500
24515+++ linux-2.6.32.48/arch/x86/mm/tlb.c 2011-11-15 19:59:43.000000000 -0500
24516@@ -61,7 +61,11 @@ void leave_mm(int cpu)
24517 BUG();
24518 cpumask_clear_cpu(cpu,
24519 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
24520+
24521+#ifndef CONFIG_PAX_PER_CPU_PGD
24522 load_cr3(swapper_pg_dir);
24523+#endif
24524+
24525 }
24526 EXPORT_SYMBOL_GPL(leave_mm);
24527
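Review bot: With CONFIG_PAX_PER_CPU_PGD, leave_mm() no longer reloads CR3, so the CPU keeps running on whatever page-table root it had after the mm is cleared from the cpumask. Nothing in this hunk shows what keeps that root free of entries belonging to the departed mm. Presumably the per-CPU PGD handling elsewhere in the patch covers it, but that is not visible here. A comment in place of the removed call, explaining why no reload is needed in this configuration, would let a reader check the lazy-TLB invariant.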
24528diff -urNp linux-2.6.32.48/arch/x86/oprofile/backtrace.c linux-2.6.32.48/arch/x86/oprofile/backtrace.c
24529--- linux-2.6.32.48/arch/x86/oprofile/backtrace.c 2011-11-08 19:02:43.000000000 -0500
24530+++ linux-2.6.32.48/arch/x86/oprofile/backtrace.c 2011-11-15 19:59:43.000000000 -0500
24531@@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
24532 struct frame_head bufhead[2];
24533
24534 /* Also check accessibility of one struct frame_head beyond */
24535- if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
24536+ if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
24537 return NULL;
24538 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
24539 return NULL;
24540@@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
24541 {
24542 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
24543
24544- if (!user_mode_vm(regs)) {
24545+ if (!user_mode(regs)) {
24546 unsigned long stack = kernel_stack_pointer(regs);
24547 if (depth)
24548 dump_trace(NULL, regs, (unsigned long *)stack, 0,
24549diff -urNp linux-2.6.32.48/arch/x86/oprofile/op_model_p4.c linux-2.6.32.48/arch/x86/oprofile/op_model_p4.c
24550--- linux-2.6.32.48/arch/x86/oprofile/op_model_p4.c 2011-11-08 19:02:43.000000000 -0500
24551+++ linux-2.6.32.48/arch/x86/oprofile/op_model_p4.c 2011-11-15 19:59:43.000000000 -0500
24552@@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
24553 #endif
24554 }
24555
24556-static int inline addr_increment(void)
24557+static inline int addr_increment(void)
24558 {
24559 #ifdef CONFIG_SMP
24560 return smp_num_siblings == 2 ? 2 : 1;
24561diff -urNp linux-2.6.32.48/arch/x86/pci/common.c linux-2.6.32.48/arch/x86/pci/common.c
24562--- linux-2.6.32.48/arch/x86/pci/common.c 2011-11-08 19:02:43.000000000 -0500
24563+++ linux-2.6.32.48/arch/x86/pci/common.c 2011-11-15 19:59:43.000000000 -0500
24564@@ -31,8 +31,8 @@ int noioapicreroute = 1;
24565 int pcibios_last_bus = -1;
24566 unsigned long pirq_table_addr;
24567 struct pci_bus *pci_root_bus;
24568-struct pci_raw_ops *raw_pci_ops;
24569-struct pci_raw_ops *raw_pci_ext_ops;
24570+const struct pci_raw_ops *raw_pci_ops;
24571+const struct pci_raw_ops *raw_pci_ext_ops;
24572
24573 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
24574 int reg, int len, u32 *val)
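Review bot: Only the pointed-to ops tables become const here; `raw_pci_ops` and `raw_pci_ext_ops` themselves stay writable globals, so the read/write callbacks are still reached through a pointer that can be redirected at run time. If every assignment to them happens during init (not visible in this hunk), the pointers could be marked the way this patch marks `pci_indirect` and `pci_bios_present` in pcbios.c: `const struct pci_raw_ops *raw_pci_ops __read_only;`. If they are legitimately reassigned later, a comment saying so would explain why they were left writable.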
24575diff -urNp linux-2.6.32.48/arch/x86/pci/direct.c linux-2.6.32.48/arch/x86/pci/direct.c
24576--- linux-2.6.32.48/arch/x86/pci/direct.c 2011-11-08 19:02:43.000000000 -0500
24577+++ linux-2.6.32.48/arch/x86/pci/direct.c 2011-11-15 19:59:43.000000000 -0500
24578@@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
24579
24580 #undef PCI_CONF1_ADDRESS
24581
24582-struct pci_raw_ops pci_direct_conf1 = {
24583+const struct pci_raw_ops pci_direct_conf1 = {
24584 .read = pci_conf1_read,
24585 .write = pci_conf1_write,
24586 };
24587@@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
24588
24589 #undef PCI_CONF2_ADDRESS
24590
24591-struct pci_raw_ops pci_direct_conf2 = {
24592+const struct pci_raw_ops pci_direct_conf2 = {
24593 .read = pci_conf2_read,
24594 .write = pci_conf2_write,
24595 };
24596@@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
24597 * This should be close to trivial, but it isn't, because there are buggy
24598 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
24599 */
24600-static int __init pci_sanity_check(struct pci_raw_ops *o)
24601+static int __init pci_sanity_check(const struct pci_raw_ops *o)
24602 {
24603 u32 x = 0;
24604 int year, devfn;
24605diff -urNp linux-2.6.32.48/arch/x86/pci/mmconfig_32.c linux-2.6.32.48/arch/x86/pci/mmconfig_32.c
24606--- linux-2.6.32.48/arch/x86/pci/mmconfig_32.c 2011-11-08 19:02:43.000000000 -0500
24607+++ linux-2.6.32.48/arch/x86/pci/mmconfig_32.c 2011-11-15 19:59:43.000000000 -0500
24608@@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
24609 return 0;
24610 }
24611
24612-static struct pci_raw_ops pci_mmcfg = {
24613+static const struct pci_raw_ops pci_mmcfg = {
24614 .read = pci_mmcfg_read,
24615 .write = pci_mmcfg_write,
24616 };
24617diff -urNp linux-2.6.32.48/arch/x86/pci/mmconfig_64.c linux-2.6.32.48/arch/x86/pci/mmconfig_64.c
24618--- linux-2.6.32.48/arch/x86/pci/mmconfig_64.c 2011-11-08 19:02:43.000000000 -0500
24619+++ linux-2.6.32.48/arch/x86/pci/mmconfig_64.c 2011-11-15 19:59:43.000000000 -0500
24620@@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
24621 return 0;
24622 }
24623
24624-static struct pci_raw_ops pci_mmcfg = {
24625+static const struct pci_raw_ops pci_mmcfg = {
24626 .read = pci_mmcfg_read,
24627 .write = pci_mmcfg_write,
24628 };
24629diff -urNp linux-2.6.32.48/arch/x86/pci/numaq_32.c linux-2.6.32.48/arch/x86/pci/numaq_32.c
24630--- linux-2.6.32.48/arch/x86/pci/numaq_32.c 2011-11-08 19:02:43.000000000 -0500
24631+++ linux-2.6.32.48/arch/x86/pci/numaq_32.c 2011-11-15 19:59:43.000000000 -0500
24632@@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
24633
24634 #undef PCI_CONF1_MQ_ADDRESS
24635
24636-static struct pci_raw_ops pci_direct_conf1_mq = {
24637+static const struct pci_raw_ops pci_direct_conf1_mq = {
24638 .read = pci_conf1_mq_read,
24639 .write = pci_conf1_mq_write
24640 };
24641diff -urNp linux-2.6.32.48/arch/x86/pci/olpc.c linux-2.6.32.48/arch/x86/pci/olpc.c
24642--- linux-2.6.32.48/arch/x86/pci/olpc.c 2011-11-08 19:02:43.000000000 -0500
24643+++ linux-2.6.32.48/arch/x86/pci/olpc.c 2011-11-15 19:59:43.000000000 -0500
24644@@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
24645 return 0;
24646 }
24647
24648-static struct pci_raw_ops pci_olpc_conf = {
24649+static const struct pci_raw_ops pci_olpc_conf = {
24650 .read = pci_olpc_read,
24651 .write = pci_olpc_write,
24652 };
24653diff -urNp linux-2.6.32.48/arch/x86/pci/pcbios.c linux-2.6.32.48/arch/x86/pci/pcbios.c
24654--- linux-2.6.32.48/arch/x86/pci/pcbios.c 2011-11-08 19:02:43.000000000 -0500
24655+++ linux-2.6.32.48/arch/x86/pci/pcbios.c 2011-11-15 19:59:43.000000000 -0500
24656@@ -56,50 +56,93 @@ union bios32 {
24657 static struct {
24658 unsigned long address;
24659 unsigned short segment;
24660-} bios32_indirect = { 0, __KERNEL_CS };
24661+} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
24662
24663 /*
24664 * Returns the entry point for the given service, NULL on error
24665 */
24666
24667-static unsigned long bios32_service(unsigned long service)
24668+static unsigned long __devinit bios32_service(unsigned long service)
24669 {
24670 unsigned char return_code; /* %al */
24671 unsigned long address; /* %ebx */
24672 unsigned long length; /* %ecx */
24673 unsigned long entry; /* %edx */
24674 unsigned long flags;
24675+ struct desc_struct d, *gdt;
24676
24677 local_irq_save(flags);
24678- __asm__("lcall *(%%edi); cld"
24679+
24680+ gdt = get_cpu_gdt_table(smp_processor_id());
24681+
24682+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
24683+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24684+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
24685+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24686+
24687+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
24688 : "=a" (return_code),
24689 "=b" (address),
24690 "=c" (length),
24691 "=d" (entry)
24692 : "0" (service),
24693 "1" (0),
24694- "D" (&bios32_indirect));
24695+ "D" (&bios32_indirect),
24696+ "r"(__PCIBIOS_DS)
24697+ : "memory");
24698+
24699+ pax_open_kernel();
24700+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
24701+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
24702+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
24703+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
24704+ pax_close_kernel();
24705+
24706 local_irq_restore(flags);
24707
24708 switch (return_code) {
24709- case 0:
24710- return address + entry;
24711- case 0x80: /* Not present */
24712- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24713- return 0;
24714- default: /* Shouldn't happen */
24715- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24716- service, return_code);
24717+ case 0: {
24718+ int cpu;
24719+ unsigned char flags;
24720+
24721+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
24722+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
24723+ printk(KERN_WARNING "bios32_service: not valid\n");
24724 return 0;
24725+ }
24726+ address = address + PAGE_OFFSET;
24727+ length += 16UL; /* some BIOSs underreport this... */
24728+ flags = 4;
24729+ if (length >= 64*1024*1024) {
24730+ length >>= PAGE_SHIFT;
24731+ flags |= 8;
24732+ }
24733+
24734+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
24735+ gdt = get_cpu_gdt_table(cpu);
24736+ pack_descriptor(&d, address, length, 0x9b, flags);
24737+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
24738+ pack_descriptor(&d, address, length, 0x93, flags);
24739+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
24740+ }
24741+ return entry;
24742+ }
24743+ case 0x80: /* Not present */
24744+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
24745+ return 0;
24746+ default: /* Shouldn't happen */
24747+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
24748+ service, return_code);
24749+ return 0;
24750 }
24751 }
24752
24753 static struct {
24754 unsigned long address;
24755 unsigned short segment;
24756-} pci_indirect = { 0, __KERNEL_CS };
24757+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
24758
24759-static int pci_bios_present;
24760+static int pci_bios_present __read_only;
24761
24762 static int __devinit check_pcibios(void)
24763 {
24764@@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
24765 unsigned long flags, pcibios_entry;
24766
24767 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
24768- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
24769+ pci_indirect.address = pcibios_entry;
24770
24771 local_irq_save(flags);
24772- __asm__(
24773- "lcall *(%%edi); cld\n\t"
24774+ __asm__("movw %w6, %%ds\n\t"
24775+ "lcall *%%ss:(%%edi); cld\n\t"
24776+ "push %%ss\n\t"
24777+ "pop %%ds\n\t"
24778 "jc 1f\n\t"
24779 "xor %%ah, %%ah\n"
24780 "1:"
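Review bot: The new `movw %w6, %%ds` names the selector operand by position, and the operand list it indexes lies outside this hunk, so adding or removing any operand later silently points `%w6` at a different register. The same pattern recurs in the pci_bios_read and pci_bios_write hunks (`%w6`), in pcibios_get_irq_routing_table (`%w8`) and in pcibios_set_irq_routing (`%w5`). A named operand keeps the seven call sites identical and robust: `"movw %w[pcibios_ds], %%ds\n\t"` with `[pcibios_ds] "r" (__PCIBIOS_DS)`. A one-line comment such as `/* DS = PCIBIOS data segment for the call; far pointer fetched via SS, DS restored from SS afterwards */` would also explain the `%%ss:` override and the `push %%ss` / `pop %%ds` pair.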
24781@@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
24782 "=b" (ebx),
24783 "=c" (ecx)
24784 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
24785- "D" (&pci_indirect)
24786+ "D" (&pci_indirect),
24787+ "r" (__PCIBIOS_DS)
24788 : "memory");
24789 local_irq_restore(flags);
24790
24791@@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
24792
24793 switch (len) {
24794 case 1:
24795- __asm__("lcall *(%%esi); cld\n\t"
24796+ __asm__("movw %w6, %%ds\n\t"
24797+ "lcall *%%ss:(%%esi); cld\n\t"
24798+ "push %%ss\n\t"
24799+ "pop %%ds\n\t"
24800 "jc 1f\n\t"
24801 "xor %%ah, %%ah\n"
24802 "1:"
24803@@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
24804 : "1" (PCIBIOS_READ_CONFIG_BYTE),
24805 "b" (bx),
24806 "D" ((long)reg),
24807- "S" (&pci_indirect));
24808+ "S" (&pci_indirect),
24809+ "r" (__PCIBIOS_DS));
24810 /*
24811 * Zero-extend the result beyond 8 bits, do not trust the
24812 * BIOS having done it:
24813@@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
24814 *value &= 0xff;
24815 break;
24816 case 2:
24817- __asm__("lcall *(%%esi); cld\n\t"
24818+ __asm__("movw %w6, %%ds\n\t"
24819+ "lcall *%%ss:(%%esi); cld\n\t"
24820+ "push %%ss\n\t"
24821+ "pop %%ds\n\t"
24822 "jc 1f\n\t"
24823 "xor %%ah, %%ah\n"
24824 "1:"
24825@@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
24826 : "1" (PCIBIOS_READ_CONFIG_WORD),
24827 "b" (bx),
24828 "D" ((long)reg),
24829- "S" (&pci_indirect));
24830+ "S" (&pci_indirect),
24831+ "r" (__PCIBIOS_DS));
24832 /*
24833 * Zero-extend the result beyond 16 bits, do not trust the
24834 * BIOS having done it:
24835@@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
24836 *value &= 0xffff;
24837 break;
24838 case 4:
24839- __asm__("lcall *(%%esi); cld\n\t"
24840+ __asm__("movw %w6, %%ds\n\t"
24841+ "lcall *%%ss:(%%esi); cld\n\t"
24842+ "push %%ss\n\t"
24843+ "pop %%ds\n\t"
24844 "jc 1f\n\t"
24845 "xor %%ah, %%ah\n"
24846 "1:"
24847@@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
24848 : "1" (PCIBIOS_READ_CONFIG_DWORD),
24849 "b" (bx),
24850 "D" ((long)reg),
24851- "S" (&pci_indirect));
24852+ "S" (&pci_indirect),
24853+ "r" (__PCIBIOS_DS));
24854 break;
24855 }
24856
24857@@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
24858
24859 switch (len) {
24860 case 1:
24861- __asm__("lcall *(%%esi); cld\n\t"
24862+ __asm__("movw %w6, %%ds\n\t"
24863+ "lcall *%%ss:(%%esi); cld\n\t"
24864+ "push %%ss\n\t"
24865+ "pop %%ds\n\t"
24866 "jc 1f\n\t"
24867 "xor %%ah, %%ah\n"
24868 "1:"
24869@@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
24870 "c" (value),
24871 "b" (bx),
24872 "D" ((long)reg),
24873- "S" (&pci_indirect));
24874+ "S" (&pci_indirect),
24875+ "r" (__PCIBIOS_DS));
24876 break;
24877 case 2:
24878- __asm__("lcall *(%%esi); cld\n\t"
24879+ __asm__("movw %w6, %%ds\n\t"
24880+ "lcall *%%ss:(%%esi); cld\n\t"
24881+ "push %%ss\n\t"
24882+ "pop %%ds\n\t"
24883 "jc 1f\n\t"
24884 "xor %%ah, %%ah\n"
24885 "1:"
24886@@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
24887 "c" (value),
24888 "b" (bx),
24889 "D" ((long)reg),
24890- "S" (&pci_indirect));
24891+ "S" (&pci_indirect),
24892+ "r" (__PCIBIOS_DS));
24893 break;
24894 case 4:
24895- __asm__("lcall *(%%esi); cld\n\t"
24896+ __asm__("movw %w6, %%ds\n\t"
24897+ "lcall *%%ss:(%%esi); cld\n\t"
24898+ "push %%ss\n\t"
24899+ "pop %%ds\n\t"
24900 "jc 1f\n\t"
24901 "xor %%ah, %%ah\n"
24902 "1:"
24903@@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
24904 "c" (value),
24905 "b" (bx),
24906 "D" ((long)reg),
24907- "S" (&pci_indirect));
24908+ "S" (&pci_indirect),
24909+ "r" (__PCIBIOS_DS));
24910 break;
24911 }
24912
24913@@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
24914 * Function table for BIOS32 access
24915 */
24916
24917-static struct pci_raw_ops pci_bios_access = {
24918+static const struct pci_raw_ops pci_bios_access = {
24919 .read = pci_bios_read,
24920 .write = pci_bios_write
24921 };
24922@@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
24923 * Try to find PCI BIOS.
24924 */
24925
24926-static struct pci_raw_ops * __devinit pci_find_bios(void)
24927+static const struct pci_raw_ops * __devinit pci_find_bios(void)
24928 {
24929 union bios32 *check;
24930 unsigned char sum;
24931@@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
24932
24933 DBG("PCI: Fetching IRQ routing table... ");
24934 __asm__("push %%es\n\t"
24935+ "movw %w8, %%ds\n\t"
24936 "push %%ds\n\t"
24937 "pop %%es\n\t"
24938- "lcall *(%%esi); cld\n\t"
24939+ "lcall *%%ss:(%%esi); cld\n\t"
24940 "pop %%es\n\t"
24941+ "push %%ss\n\t"
24942+ "pop %%ds\n"
24943 "jc 1f\n\t"
24944 "xor %%ah, %%ah\n"
24945 "1:"
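Review bot: Because `movw %w8, %%ds` now runs before `push %%ds` / `pop %%es`, ES holds the PCIBIOS data selector during the `lcall` instead of the kernel data selector the old sequence copied into it. EDI is `&opt`, a kernel address, and bios32_service builds that descriptor with base `address + PAGE_OFFSET`, so it should be confirmed that the BIOS's ES:EDI access to `opt` still lands on the intended memory. If ES is meant to stay flat, `push %%ss` / `pop %%es` ahead of the call would say so explicitly. Either way a comment such as `/* DS = PCIBIOS data segment, ES = <segment the BIOS uses to reach opt> */` belongs above the asm. The function starts and ends outside this hunk.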
24946@@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
24947 "1" (0),
24948 "D" ((long) &opt),
24949 "S" (&pci_indirect),
24950- "m" (opt)
24951+ "m" (opt),
24952+ "r" (__PCIBIOS_DS)
24953 : "memory");
24954 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
24955 if (ret & 0xff00)
24956@@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
24957 {
24958 int ret;
24959
24960- __asm__("lcall *(%%esi); cld\n\t"
24961+ __asm__("movw %w5, %%ds\n\t"
24962+ "lcall *%%ss:(%%esi); cld\n\t"
24963+ "push %%ss\n\t"
24964+ "pop %%ds\n"
24965 "jc 1f\n\t"
24966 "xor %%ah, %%ah\n"
24967 "1:"
24968@@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
24969 : "0" (PCIBIOS_SET_PCI_HW_INT),
24970 "b" ((dev->bus->number << 8) | dev->devfn),
24971 "c" ((irq << 8) | (pin + 10)),
24972- "S" (&pci_indirect));
24973+ "S" (&pci_indirect),
24974+ "r" (__PCIBIOS_DS));
24975 return !(ret & 0xff00);
24976 }
24977 EXPORT_SYMBOL(pcibios_set_irq_routing);
24978diff -urNp linux-2.6.32.48/arch/x86/power/cpu.c linux-2.6.32.48/arch/x86/power/cpu.c
24979--- linux-2.6.32.48/arch/x86/power/cpu.c 2011-11-08 19:02:43.000000000 -0500
24980+++ linux-2.6.32.48/arch/x86/power/cpu.c 2011-11-15 19:59:43.000000000 -0500
24981@@ -129,7 +129,7 @@ static void do_fpu_end(void)
24982 static void fix_processor_context(void)
24983 {
24984 int cpu = smp_processor_id();
24985- struct tss_struct *t = &per_cpu(init_tss, cpu);
24986+ struct tss_struct *t = init_tss + cpu;
24987
24988 set_tss_desc(cpu, t); /*
24989 * This just modifies memory; should not be
24990@@ -139,7 +139,9 @@ static void fix_processor_context(void)
24991 */
24992
24993 #ifdef CONFIG_X86_64
24994+ pax_open_kernel();
24995 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
24996+ pax_close_kernel();
24997
24998 syscall_init(); /* This sets MSR_*STAR and related */
24999 #endif
25000diff -urNp linux-2.6.32.48/arch/x86/vdso/Makefile linux-2.6.32.48/arch/x86/vdso/Makefile
25001--- linux-2.6.32.48/arch/x86/vdso/Makefile 2011-11-08 19:02:43.000000000 -0500
25002+++ linux-2.6.32.48/arch/x86/vdso/Makefile 2011-11-15 19:59:43.000000000 -0500
25003@@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
25004 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
25005 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
25006
25007-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25008+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
25009 GCOV_PROFILE := n
25010
25011 #
25012diff -urNp linux-2.6.32.48/arch/x86/vdso/vclock_gettime.c linux-2.6.32.48/arch/x86/vdso/vclock_gettime.c
25013--- linux-2.6.32.48/arch/x86/vdso/vclock_gettime.c 2011-11-08 19:02:43.000000000 -0500
25014+++ linux-2.6.32.48/arch/x86/vdso/vclock_gettime.c 2011-11-15 19:59:43.000000000 -0500
25015@@ -22,24 +22,48 @@
25016 #include <asm/hpet.h>
25017 #include <asm/unistd.h>
25018 #include <asm/io.h>
25019+#include <asm/fixmap.h>
25020 #include "vextern.h"
25021
25022 #define gtod vdso_vsyscall_gtod_data
25023
25024+notrace noinline long __vdso_fallback_time(long *t)
25025+{
25026+ long secs;
25027+ asm volatile("syscall"
25028+ : "=a" (secs)
25029+ : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
25030+ return secs;
25031+}
25032+
25033 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
25034 {
25035 long ret;
25036 asm("syscall" : "=a" (ret) :
25037- "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
25038+ "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
25039 return ret;
25040 }
25041
25042+notrace static inline cycle_t __vdso_vread_hpet(void)
25043+{
25044+ return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
25045+}
25046+
25047+notrace static inline cycle_t __vdso_vread_tsc(void)
25048+{
25049+ cycle_t ret = (cycle_t)vget_cycles();
25050+
25051+ return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
25052+}
25053+
25054 notrace static inline long vgetns(void)
25055 {
25056 long v;
25057- cycles_t (*vread)(void);
25058- vread = gtod->clock.vread;
25059- v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
25060+ if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
25061+ v = __vdso_vread_tsc();
25062+ else
25063+ v = __vdso_vread_hpet();
25064+ v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
25065 return (v * gtod->clock.mult) >> gtod->clock.shift;
25066 }
25067
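Review bot: In `vgetns` the `else` branch reads the HPET counter for every clocksource whose name is not exactly "tsc", so the function is only correct if each caller has already restricted the clocksource to "tsc" or "hpet". That gate is written out by hand, character by character, in `__vdso_clock_gettime` and `__vdso_gettimeofday` in the later hunks of this file, and three hand-copied comparisons can drift apart. Two small `static inline` predicates (one for "tsc", one for "hpet") used at all three sites would keep them in step. A comment on `vgetns` such as `/* callers guarantee the clocksource is "tsc" or "hpet" */` would record the invariant. Separately, `vdso_fallback_gettime` keeps plain `asm` while the new `__vdso_fallback_time` uses `asm volatile`; using `asm volatile` for both syscall wrappers would be consistent.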
25068@@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
25069
25070 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
25071 {
25072- if (likely(gtod->sysctl_enabled))
25073+ if (likely(gtod->sysctl_enabled &&
25074+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25075+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25076 switch (clock) {
25077 case CLOCK_REALTIME:
25078 if (likely(gtod->clock.vread))
25079@@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
25080 int clock_gettime(clockid_t, struct timespec *)
25081 __attribute__((weak, alias("__vdso_clock_gettime")));
25082
25083-notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25084+notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
25085 {
25086 long ret;
25087- if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
25088+ asm("syscall" : "=a" (ret) :
25089+ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
25090+ return ret;
25091+}
25092+
25093+notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
25094+{
25095+ if (likely(gtod->sysctl_enabled &&
25096+ ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
25097+ (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
25098+ {
25099 if (likely(tv != NULL)) {
25100 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
25101 offsetof(struct timespec, tv_nsec) ||
25102@@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
25103 }
25104 return 0;
25105 }
25106- asm("syscall" : "=a" (ret) :
25107- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
25108- return ret;
25109+ return __vdso_fallback_gettimeofday(tv, tz);
25110 }
25111 int gettimeofday(struct timeval *, struct timezone *)
25112 __attribute__((weak, alias("__vdso_gettimeofday")));
25113diff -urNp linux-2.6.32.48/arch/x86/vdso/vdso32-setup.c linux-2.6.32.48/arch/x86/vdso/vdso32-setup.c
25114--- linux-2.6.32.48/arch/x86/vdso/vdso32-setup.c 2011-11-08 19:02:43.000000000 -0500
25115+++ linux-2.6.32.48/arch/x86/vdso/vdso32-setup.c 2011-11-15 19:59:43.000000000 -0500
25116@@ -25,6 +25,7 @@
25117 #include <asm/tlbflush.h>
25118 #include <asm/vdso.h>
25119 #include <asm/proto.h>
25120+#include <asm/mman.h>
25121
25122 enum {
25123 VDSO_DISABLED = 0,
25124@@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
25125 void enable_sep_cpu(void)
25126 {
25127 int cpu = get_cpu();
25128- struct tss_struct *tss = &per_cpu(init_tss, cpu);
25129+ struct tss_struct *tss = init_tss + cpu;
25130
25131 if (!boot_cpu_has(X86_FEATURE_SEP)) {
25132 put_cpu();
25133@@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
25134 gate_vma.vm_start = FIXADDR_USER_START;
25135 gate_vma.vm_end = FIXADDR_USER_END;
25136 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
25137- gate_vma.vm_page_prot = __P101;
25138+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
25139 /*
25140 * Make sure the vDSO gets into every core dump.
25141 * Dumping its contents makes post-mortem fully interpretable later
25142@@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
25143 if (compat)
25144 addr = VDSO_HIGH_BASE;
25145 else {
25146- addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
25147+ addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
25148 if (IS_ERR_VALUE(addr)) {
25149 ret = addr;
25150 goto up_fail;
25151 }
25152 }
25153
25154- current->mm->context.vdso = (void *)addr;
25155+ current->mm->context.vdso = addr;
25156
25157 if (compat_uses_vma || !compat) {
25158 /*
25159@@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
25160 }
25161
25162 current_thread_info()->sysenter_return =
25163- VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25164+ (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
25165
25166 up_fail:
25167 if (ret)
25168- current->mm->context.vdso = NULL;
25169+ current->mm->context.vdso = 0;
25170
25171 up_write(&mm->mmap_sem);
25172
25173@@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
25174
25175 const char *arch_vma_name(struct vm_area_struct *vma)
25176 {
25177- if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
25178+ if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
25179 return "[vdso]";
25180+
25181+#ifdef CONFIG_PAX_SEGMEXEC
25182+ if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
25183+ return "[vdso]";
25184+#endif
25185+
25186 return NULL;
25187 }
25188
25189@@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
25190 struct mm_struct *mm = tsk->mm;
25191
25192 /* Check to see if this task was created in compat vdso mode */
25193- if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
25194+ if (mm && mm->context.vdso == VDSO_HIGH_BASE)
25195 return &gate_vma;
25196 return NULL;
25197 }
25198diff -urNp linux-2.6.32.48/arch/x86/vdso/vdso.lds.S linux-2.6.32.48/arch/x86/vdso/vdso.lds.S
25199--- linux-2.6.32.48/arch/x86/vdso/vdso.lds.S 2011-11-08 19:02:43.000000000 -0500
25200+++ linux-2.6.32.48/arch/x86/vdso/vdso.lds.S 2011-11-15 19:59:43.000000000 -0500
25201@@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
25202 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
25203 #include "vextern.h"
25204 #undef VEXTERN
25205+
25206+#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
25207+VEXTERN(fallback_gettimeofday)
25208+VEXTERN(fallback_time)
25209+VEXTERN(getcpu)
25210+#undef VEXTERN
25211diff -urNp linux-2.6.32.48/arch/x86/vdso/vextern.h linux-2.6.32.48/arch/x86/vdso/vextern.h
25212--- linux-2.6.32.48/arch/x86/vdso/vextern.h 2011-11-08 19:02:43.000000000 -0500
25213+++ linux-2.6.32.48/arch/x86/vdso/vextern.h 2011-11-15 19:59:43.000000000 -0500
25214@@ -11,6 +11,5 @@
25215 put into vextern.h and be referenced as a pointer with vdso prefix.
25216 The main kernel later fills in the values. */
25217
25218-VEXTERN(jiffies)
25219 VEXTERN(vgetcpu_mode)
25220 VEXTERN(vsyscall_gtod_data)
25221diff -urNp linux-2.6.32.48/arch/x86/vdso/vma.c linux-2.6.32.48/arch/x86/vdso/vma.c
25222--- linux-2.6.32.48/arch/x86/vdso/vma.c 2011-11-08 19:02:43.000000000 -0500
25223+++ linux-2.6.32.48/arch/x86/vdso/vma.c 2011-11-18 18:01:52.000000000 -0500
25224@@ -17,8 +17,6 @@
25225 #include "vextern.h" /* Just for VMAGIC. */
25226 #undef VEXTERN
25227
25228-unsigned int __read_mostly vdso_enabled = 1;
25229-
25230 extern char vdso_start[], vdso_end[];
25231 extern unsigned short vdso_sync_cpuid;
25232
25233@@ -27,10 +25,8 @@ static unsigned vdso_size;
25234
25235 static inline void *var_ref(void *p, char *name)
25236 {
25237- if (*(void **)p != (void *)VMAGIC) {
25238- printk("VDSO: variable %s broken\n", name);
25239- vdso_enabled = 0;
25240- }
25241+ if (*(void **)p != (void *)VMAGIC)
25242+ panic("VDSO: variable %s broken\n", name);
25243 return p;
25244 }
25245
25246@@ -57,21 +53,18 @@ static int __init init_vdso_vars(void)
25247 if (!vbase)
25248 goto oom;
25249
25250- if (memcmp(vbase, "\177ELF", 4)) {
25251- printk("VDSO: I'm broken; not ELF\n");
25252- vdso_enabled = 0;
25253- }
25254+ if (memcmp(vbase, ELFMAG, SELFMAG))
25255+ panic("VDSO: I'm broken; not ELF\n");
25256
25257 #define VEXTERN(x) \
25258 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
25259 #include "vextern.h"
25260 #undef VEXTERN
25261+ vunmap(vbase);
25262 return 0;
25263
25264 oom:
25265- printk("Cannot allocate vdso\n");
25266- vdso_enabled = 0;
25267- return -ENOMEM;
25268+ panic("Cannot allocate vdso\n");
25269 }
25270 __initcall(init_vdso_vars);
25271
25272@@ -102,13 +95,15 @@ static unsigned long vdso_addr(unsigned
25273 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
25274 {
25275 struct mm_struct *mm = current->mm;
25276- unsigned long addr;
25277+ unsigned long addr = 0;
25278 int ret;
25279
25280- if (!vdso_enabled)
25281- return 0;
25282-
25283 down_write(&mm->mmap_sem);
25284+
25285+#ifdef CONFIG_PAX_RANDMMAP
25286+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
25287+#endif
25288+
25289 addr = vdso_addr(mm->start_stack, vdso_size);
25290 addr = get_unmapped_area(NULL, addr, vdso_size, 0, 0);
25291 if (IS_ERR_VALUE(addr)) {
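Review bot: The unbraced `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef` governs the `addr = vdso_addr(...)` line only by virtue of being the next statement, with `#endif` and a blank line in between. Any statement later inserted in that gap silently becomes the conditional one, and the `vdso_addr` call becomes unconditional. Dropping the blank line and adding a comment makes the intent visible, e.g. `/* with RANDMMAP, addr stays 0 and get_unmapped_area() picks the address */` directly above the `#ifdef`. The function continues outside this hunk.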
25292@@ -116,7 +111,7 @@ int arch_setup_additional_pages(struct l
25293 goto up_fail;
25294 }
25295
25296- current->mm->context.vdso = (void *)addr;
25297+ current->mm->context.vdso = addr;
25298
25299 ret = install_special_mapping(mm, addr, vdso_size,
25300 VM_READ|VM_EXEC|
25301@@ -124,7 +119,7 @@ int arch_setup_additional_pages(struct l
25302 VM_ALWAYSDUMP,
25303 vdso_pages);
25304 if (ret) {
25305- current->mm->context.vdso = NULL;
25306+ current->mm->context.vdso = 0;
25307 goto up_fail;
25308 }
25309
25310@@ -132,10 +127,3 @@ up_fail:
25311 up_write(&mm->mmap_sem);
25312 return ret;
25313 }
25314-
25315-static __init int vdso_setup(char *s)
25316-{
25317- vdso_enabled = simple_strtoul(s, NULL, 0);
25318- return 0;
25319-}
25320-__setup("vdso=", vdso_setup);
25321diff -urNp linux-2.6.32.48/arch/x86/xen/enlighten.c linux-2.6.32.48/arch/x86/xen/enlighten.c
25322--- linux-2.6.32.48/arch/x86/xen/enlighten.c 2011-11-08 19:02:43.000000000 -0500
25323+++ linux-2.6.32.48/arch/x86/xen/enlighten.c 2011-11-15 19:59:43.000000000 -0500
25324@@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
25325
25326 struct shared_info xen_dummy_shared_info;
25327
25328-void *xen_initial_gdt;
25329-
25330 /*
25331 * Point at some empty memory to start with. We map the real shared_info
25332 * page as soon as fixmap is up and running.
25333@@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
25334
25335 preempt_disable();
25336
25337- start = __get_cpu_var(idt_desc).address;
25338+ start = (unsigned long)__get_cpu_var(idt_desc).address;
25339 end = start + __get_cpu_var(idt_desc).size + 1;
25340
25341 xen_mc_flush();
25342@@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
25343 #endif
25344 };
25345
25346-static void xen_reboot(int reason)
25347+static __noreturn void xen_reboot(int reason)
25348 {
25349 struct sched_shutdown r = { .reason = reason };
25350
25351@@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
25352 BUG();
25353 }
25354
25355-static void xen_restart(char *msg)
25356+static __noreturn void xen_restart(char *msg)
25357 {
25358 xen_reboot(SHUTDOWN_reboot);
25359 }
25360
25361-static void xen_emergency_restart(void)
25362+static __noreturn void xen_emergency_restart(void)
25363 {
25364 xen_reboot(SHUTDOWN_reboot);
25365 }
25366
25367-static void xen_machine_halt(void)
25368+static __noreturn void xen_machine_halt(void)
25369 {
25370 xen_reboot(SHUTDOWN_poweroff);
25371 }
25372@@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
25373 */
25374 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
25375
25376-#ifdef CONFIG_X86_64
25377 /* Work out if we support NX */
25378- check_efer();
25379+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
25380+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
25381+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
25382+ unsigned l, h;
25383+
25384+#ifdef CONFIG_X86_PAE
25385+ nx_enabled = 1;
25386+#endif
25387+ __supported_pte_mask |= _PAGE_NX;
25388+ rdmsr(MSR_EFER, l, h);
25389+ l |= EFER_NX;
25390+ wrmsr(MSR_EFER, l, h);
25391+ }
25392 #endif
25393
25394 xen_setup_features();
25395@@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
25396
25397 machine_ops = xen_machine_ops;
25398
25399- /*
25400- * The only reliable way to retain the initial address of the
25401- * percpu gdt_page is to remember it here, so we can go and
25402- * mark it RW later, when the initial percpu area is freed.
25403- */
25404- xen_initial_gdt = &per_cpu(gdt_page, 0);
25405-
25406 xen_smp_init();
25407
25408 pgd = (pgd_t *)xen_start_info->pt_base;
25409diff -urNp linux-2.6.32.48/arch/x86/xen/mmu.c linux-2.6.32.48/arch/x86/xen/mmu.c
25410--- linux-2.6.32.48/arch/x86/xen/mmu.c 2011-11-08 19:02:43.000000000 -0500
25411+++ linux-2.6.32.48/arch/x86/xen/mmu.c 2011-11-15 19:59:43.000000000 -0500
25412@@ -1719,6 +1719,8 @@ __init pgd_t *xen_setup_kernel_pagetable
25413 convert_pfn_mfn(init_level4_pgt);
25414 convert_pfn_mfn(level3_ident_pgt);
25415 convert_pfn_mfn(level3_kernel_pgt);
25416+ convert_pfn_mfn(level3_vmalloc_pgt);
25417+ convert_pfn_mfn(level3_vmemmap_pgt);
25418
25419 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
25420 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
25421@@ -1737,7 +1739,10 @@ __init pgd_t *xen_setup_kernel_pagetable
25422 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
25423 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
25424 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
25425+ set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
25426+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
25427 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
25428+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
25429 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
25430 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
25431
25432@@ -1860,6 +1865,7 @@ static __init void xen_post_allocator_in
25433 pv_mmu_ops.set_pud = xen_set_pud;
25434 #if PAGETABLE_LEVELS == 4
25435 pv_mmu_ops.set_pgd = xen_set_pgd;
25436+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
25437 #endif
25438
25439 /* This will work as long as patching hasn't happened yet
25440@@ -1946,6 +1952,7 @@ static const struct pv_mmu_ops xen_mmu_o
25441 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
25442 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
25443 .set_pgd = xen_set_pgd_hyper,
25444+ .set_pgd_batched = xen_set_pgd_hyper,
25445
25446 .alloc_pud = xen_alloc_pmd_init,
25447 .release_pud = xen_release_pmd_init,
25448diff -urNp linux-2.6.32.48/arch/x86/xen/smp.c linux-2.6.32.48/arch/x86/xen/smp.c
25449--- linux-2.6.32.48/arch/x86/xen/smp.c 2011-11-08 19:02:43.000000000 -0500
25450+++ linux-2.6.32.48/arch/x86/xen/smp.c 2011-11-15 19:59:43.000000000 -0500
25451@@ -168,11 +168,6 @@ static void __init xen_smp_prepare_boot_
25452 {
25453 BUG_ON(smp_processor_id() != 0);
25454 native_smp_prepare_boot_cpu();
25455-
25456- /* We've switched to the "real" per-cpu gdt, so make sure the
25457- old memory can be recycled */
25458- make_lowmem_page_readwrite(xen_initial_gdt);
25459-
25460 xen_setup_vcpu_info_placement();
25461 }
25462
25463@@ -241,12 +236,12 @@ cpu_initialize_context(unsigned int cpu,
25464 gdt = get_cpu_gdt_table(cpu);
25465
25466 ctxt->flags = VGCF_IN_KERNEL;
25467- ctxt->user_regs.ds = __USER_DS;
25468- ctxt->user_regs.es = __USER_DS;
25469+ ctxt->user_regs.ds = __KERNEL_DS;
25470+ ctxt->user_regs.es = __KERNEL_DS;
25471 ctxt->user_regs.ss = __KERNEL_DS;
25472 #ifdef CONFIG_X86_32
25473 ctxt->user_regs.fs = __KERNEL_PERCPU;
25474- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
25475+ savesegment(gs, ctxt->user_regs.gs);
25476 #else
25477 ctxt->gs_base_kernel = per_cpu_offset(cpu);
25478 #endif
25479@@ -297,13 +292,12 @@ static int __cpuinit xen_cpu_up(unsigned
25480 int rc;
25481
25482 per_cpu(current_task, cpu) = idle;
25483+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
25484 #ifdef CONFIG_X86_32
25485 irq_ctx_init(cpu);
25486 #else
25487 clear_tsk_thread_flag(idle, TIF_FORK);
25488- per_cpu(kernel_stack, cpu) =
25489- (unsigned long)task_stack_page(idle) -
25490- KERNEL_STACK_OFFSET + THREAD_SIZE;
25491+ per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
25492 #endif
25493 xen_setup_runstate_info(cpu);
25494 xen_setup_timer(cpu);
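Review bot: The new `per_cpu(kernel_stack, cpu)` line replaces the named `KERNEL_STACK_OFFSET` with a bare `16`, so the value this path stores no longer follows the constant if it changes elsewhere. Nothing in the hunk says what the 16 bytes are reserved for. If the literal is intentional, a comment such as `/* 16 bytes reserved at the stack top; must match the native CPU bring-up path */` should say so; otherwise a named constant shared with the code that consumes `kernel_stack` would be safer. xen_cpu_up starts and ends outside this hunk.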
25495diff -urNp linux-2.6.32.48/arch/x86/xen/xen-asm_32.S linux-2.6.32.48/arch/x86/xen/xen-asm_32.S
25496--- linux-2.6.32.48/arch/x86/xen/xen-asm_32.S 2011-11-08 19:02:43.000000000 -0500
25497+++ linux-2.6.32.48/arch/x86/xen/xen-asm_32.S 2011-11-15 19:59:43.000000000 -0500
25498@@ -83,14 +83,14 @@ ENTRY(xen_iret)
25499 ESP_OFFSET=4 # bytes pushed onto stack
25500
25501 /*
25502- * Store vcpu_info pointer for easy access. Do it this way to
25503- * avoid having to reload %fs
25504+ * Store vcpu_info pointer for easy access.
25505 */
25506 #ifdef CONFIG_SMP
25507- GET_THREAD_INFO(%eax)
25508- movl TI_cpu(%eax), %eax
25509- movl __per_cpu_offset(,%eax,4), %eax
25510- mov per_cpu__xen_vcpu(%eax), %eax
25511+ push %fs
25512+ mov $(__KERNEL_PERCPU), %eax
25513+ mov %eax, %fs
25514+ mov PER_CPU_VAR(xen_vcpu), %eax
25515+ pop %fs
25516 #else
25517 movl per_cpu__xen_vcpu, %eax
25518 #endif
25519diff -urNp linux-2.6.32.48/arch/x86/xen/xen-head.S linux-2.6.32.48/arch/x86/xen/xen-head.S
25520--- linux-2.6.32.48/arch/x86/xen/xen-head.S 2011-11-08 19:02:43.000000000 -0500
25521+++ linux-2.6.32.48/arch/x86/xen/xen-head.S 2011-11-15 19:59:43.000000000 -0500
25522@@ -19,6 +19,17 @@ ENTRY(startup_xen)
25523 #ifdef CONFIG_X86_32
25524 mov %esi,xen_start_info
25525 mov $init_thread_union+THREAD_SIZE,%esp
25526+#ifdef CONFIG_SMP
25527+ movl $cpu_gdt_table,%edi
25528+ movl $__per_cpu_load,%eax
25529+ movw %ax,__KERNEL_PERCPU + 2(%edi)
25530+ rorl $16,%eax
25531+ movb %al,__KERNEL_PERCPU + 4(%edi)
25532+ movb %ah,__KERNEL_PERCPU + 7(%edi)
25533+ movl $__per_cpu_end - 1,%eax
25534+ subl $__per_cpu_start,%eax
25535+ movw %ax,__KERNEL_PERCPU + 0(%edi)
25536+#endif
25537 #else
25538 mov %rsi,xen_start_info
25539 mov $init_thread_union+THREAD_SIZE,%rsp
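Review bot: The added `CONFIG_SMP` block patches a GDT descriptor byte by byte with no comment, and the offsets `+2`, `+4`, `+7` and `+0` are only meaningful to a reader who knows the x86 descriptor layout. I would add `/* point the __KERNEL_PERCPU descriptor in cpu_gdt_table at the per-cpu area: base = __per_cpu_load, limit = __per_cpu_end - 1 - __per_cpu_start */` above the block. Note also that only the low 16 bits of the limit are written (`movw %ax,__KERNEL_PERCPU + 0(%edi)`). Limit bits 19:16 and the granularity flag keep whatever the static table holds, which is not visible here, so a comment should state that assumption.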
25540diff -urNp linux-2.6.32.48/arch/x86/xen/xen-ops.h linux-2.6.32.48/arch/x86/xen/xen-ops.h
25541--- linux-2.6.32.48/arch/x86/xen/xen-ops.h 2011-11-08 19:02:43.000000000 -0500
25542+++ linux-2.6.32.48/arch/x86/xen/xen-ops.h 2011-11-15 19:59:43.000000000 -0500
25543@@ -10,8 +10,6 @@
25544 extern const char xen_hypervisor_callback[];
25545 extern const char xen_failsafe_callback[];
25546
25547-extern void *xen_initial_gdt;
25548-
25549 struct trap_info;
25550 void xen_copy_trap_info(struct trap_info *traps);
25551
25552diff -urNp linux-2.6.32.48/block/blk-integrity.c linux-2.6.32.48/block/blk-integrity.c
25553--- linux-2.6.32.48/block/blk-integrity.c 2011-11-08 19:02:43.000000000 -0500
25554+++ linux-2.6.32.48/block/blk-integrity.c 2011-11-15 19:59:43.000000000 -0500
25555@@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
25556 NULL,
25557 };
25558
25559-static struct sysfs_ops integrity_ops = {
25560+static const struct sysfs_ops integrity_ops = {
25561 .show = &integrity_attr_show,
25562 .store = &integrity_attr_store,
25563 };
25564diff -urNp linux-2.6.32.48/block/blk-iopoll.c linux-2.6.32.48/block/blk-iopoll.c
25565--- linux-2.6.32.48/block/blk-iopoll.c 2011-11-08 19:02:43.000000000 -0500
25566+++ linux-2.6.32.48/block/blk-iopoll.c 2011-11-15 19:59:43.000000000 -0500
25567@@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
25568 }
25569 EXPORT_SYMBOL(blk_iopoll_complete);
25570
25571-static void blk_iopoll_softirq(struct softirq_action *h)
25572+static void blk_iopoll_softirq(void)
25573 {
25574 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
25575 int rearm = 0, budget = blk_iopoll_budget;
25576diff -urNp linux-2.6.32.48/block/blk-map.c linux-2.6.32.48/block/blk-map.c
25577--- linux-2.6.32.48/block/blk-map.c 2011-11-08 19:02:43.000000000 -0500
25578+++ linux-2.6.32.48/block/blk-map.c 2011-11-15 19:59:43.000000000 -0500
25579@@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
25580 * direct dma. else, set up kernel bounce buffers
25581 */
25582 uaddr = (unsigned long) ubuf;
25583- if (blk_rq_aligned(q, ubuf, len) && !map_data)
25584+ if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
25585 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
25586 else
25587 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
25588@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
25589 for (i = 0; i < iov_count; i++) {
25590 unsigned long uaddr = (unsigned long)iov[i].iov_base;
25591
25592+ if (!iov[i].iov_len)
25593+ return -EINVAL;
25594+
25595 if (uaddr & queue_dma_alignment(q)) {
25596 unaligned = 1;
25597 break;
25598 }
25599- if (!iov[i].iov_len)
25600- return -EINVAL;
25601 }
25602
25603 if (unaligned || (q->dma_pad_mask & len) || map_data)
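Review bot: The loop still leaves at the first unaligned segment via `break`, so the zero-length check moved to the top only covers entries up to and including that segment; a later entry with `iov[i].iov_len == 0` is not rejected here. Whether the copy path taken for unaligned requests tolerates an empty segment is not visible in this hunk. Dropping the `break` and keeping just `unaligned = 1;` lets the loop validate the length of every entry before any mapping is attempted. blk_rq_map_user_iov starts and ends outside the hunk.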
25604@@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
25605 if (!len || !kbuf)
25606 return -EINVAL;
25607
25608- do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
25609+ do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
25610 if (do_copy)
25611 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
25612 else
25613diff -urNp linux-2.6.32.48/block/blk-softirq.c linux-2.6.32.48/block/blk-softirq.c
25614--- linux-2.6.32.48/block/blk-softirq.c 2011-11-08 19:02:43.000000000 -0500
25615+++ linux-2.6.32.48/block/blk-softirq.c 2011-11-15 19:59:43.000000000 -0500
25616@@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
25617 * Softirq action handler - move entries to local list and loop over them
25618 * while passing them to the queue registered handler.
25619 */
25620-static void blk_done_softirq(struct softirq_action *h)
25621+static void blk_done_softirq(void)
25622 {
25623 struct list_head *cpu_list, local_list;
25624
25625diff -urNp linux-2.6.32.48/block/blk-sysfs.c linux-2.6.32.48/block/blk-sysfs.c
25626--- linux-2.6.32.48/block/blk-sysfs.c 2011-11-08 19:02:43.000000000 -0500
25627+++ linux-2.6.32.48/block/blk-sysfs.c 2011-11-15 19:59:43.000000000 -0500
25628@@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
25629 kmem_cache_free(blk_requestq_cachep, q);
25630 }
25631
25632-static struct sysfs_ops queue_sysfs_ops = {
25633+static const struct sysfs_ops queue_sysfs_ops = {
25634 .show = queue_attr_show,
25635 .store = queue_attr_store,
25636 };
25637diff -urNp linux-2.6.32.48/block/bsg.c linux-2.6.32.48/block/bsg.c
25638--- linux-2.6.32.48/block/bsg.c 2011-11-08 19:02:43.000000000 -0500
25639+++ linux-2.6.32.48/block/bsg.c 2011-11-15 19:59:43.000000000 -0500
25640@@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
25641 struct sg_io_v4 *hdr, struct bsg_device *bd,
25642 fmode_t has_write_perm)
25643 {
25644+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25645+ unsigned char *cmdptr;
25646+
25647 if (hdr->request_len > BLK_MAX_CDB) {
25648 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
25649 if (!rq->cmd)
25650 return -ENOMEM;
25651- }
25652+ cmdptr = rq->cmd;
25653+ } else
25654+ cmdptr = tmpcmd;
25655
25656- if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
25657+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
25658 hdr->request_len))
25659 return -EFAULT;
25660
25661+ if (cmdptr != rq->cmd)
25662+ memcpy(rq->cmd, cmdptr, hdr->request_len);
25663+
25664 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
25665 if (blk_verify_command(rq->cmd, has_write_perm))
25666 return -EPERM;
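Review bot: The on-stack bounce buffer `tmpcmd` is sized by `sizeof(rq->__cmd)`, while the branch that selects it is guarded by `BLK_MAX_CDB`, so the copy of `hdr->request_len` bytes stays in bounds only if those two agree; the declaration of `__cmd` is not in this hunk. Pin the relationship next to the declaration with `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);`. A one-line comment saying why the user copy goes through a stack buffer before the `memcpy` into `rq->cmd` would also help, since the hunk gives no reason for the extra step. The body of `blk_fill_sgv4_hdr_rq` continues outside the hunk.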
25667@@ -282,7 +290,7 @@ bsg_map_hdr(struct bsg_device *bd, struc
25668 rq->next_rq = next_rq;
25669 next_rq->cmd_type = rq->cmd_type;
25670
25671- dxferp = (void*)(unsigned long)hdr->din_xferp;
25672+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25673 ret = blk_rq_map_user(q, next_rq, NULL, dxferp,
25674 hdr->din_xfer_len, GFP_KERNEL);
25675 if (ret)
25676@@ -291,10 +299,10 @@ bsg_map_hdr(struct bsg_device *bd, struc
25677
25678 if (hdr->dout_xfer_len) {
25679 dxfer_len = hdr->dout_xfer_len;
25680- dxferp = (void*)(unsigned long)hdr->dout_xferp;
25681+ dxferp = (void __user *)(unsigned long)hdr->dout_xferp;
25682 } else if (hdr->din_xfer_len) {
25683 dxfer_len = hdr->din_xfer_len;
25684- dxferp = (void*)(unsigned long)hdr->din_xferp;
25685+ dxferp = (void __user *)(unsigned long)hdr->din_xferp;
25686 } else
25687 dxfer_len = 0;
25688
25689@@ -436,7 +444,7 @@ static int blk_complete_sgv4_hdr_rq(stru
25690 int len = min_t(unsigned int, hdr->max_response_len,
25691 rq->sense_len);
25692
25693- ret = copy_to_user((void*)(unsigned long)hdr->response,
25694+ ret = copy_to_user((void __user *)(unsigned long)hdr->response,
25695 rq->sense, len);
25696 if (!ret)
25697 hdr->response_len = len;
25698diff -urNp linux-2.6.32.48/block/compat_ioctl.c linux-2.6.32.48/block/compat_ioctl.c
25699--- linux-2.6.32.48/block/compat_ioctl.c 2011-11-08 19:02:43.000000000 -0500
25700+++ linux-2.6.32.48/block/compat_ioctl.c 2011-11-15 19:59:43.000000000 -0500
25701@@ -354,7 +354,7 @@ static int compat_fd_ioctl(struct block_
25702 err |= __get_user(f->spec1, &uf->spec1);
25703 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
25704 err |= __get_user(name, &uf->name);
25705- f->name = compat_ptr(name);
25706+ f->name = (void __force_kernel *)compat_ptr(name);
25707 if (err) {
25708 err = -EFAULT;
25709 goto out;
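Review bot: The `__force_kernel` cast on `f->name` appears only to silence the address-space checker; the value stored is still the user-space address produced by `compat_ptr(name)`. Add a comment on that line, for example `/* still a user pointer; must not be dereferenced directly in the kernel */`, so a later reader does not take the cast as proof that the pointer refers to kernel memory. How `f->name` is consumed is outside this hunk, as is the rest of `compat_fd_ioctl`.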
25710diff -urNp linux-2.6.32.48/block/elevator.c linux-2.6.32.48/block/elevator.c
25711--- linux-2.6.32.48/block/elevator.c 2011-11-08 19:02:43.000000000 -0500
25712+++ linux-2.6.32.48/block/elevator.c 2011-11-15 19:59:43.000000000 -0500
25713@@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
25714 return error;
25715 }
25716
25717-static struct sysfs_ops elv_sysfs_ops = {
25718+static const struct sysfs_ops elv_sysfs_ops = {
25719 .show = elv_attr_show,
25720 .store = elv_attr_store,
25721 };
25722diff -urNp linux-2.6.32.48/block/scsi_ioctl.c linux-2.6.32.48/block/scsi_ioctl.c
25723--- linux-2.6.32.48/block/scsi_ioctl.c 2011-11-08 19:02:43.000000000 -0500
25724+++ linux-2.6.32.48/block/scsi_ioctl.c 2011-11-15 19:59:43.000000000 -0500
25725@@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
25726 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
25727 struct sg_io_hdr *hdr, fmode_t mode)
25728 {
25729- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
25730+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25731+ unsigned char *cmdptr;
25732+
25733+ if (rq->cmd != rq->__cmd)
25734+ cmdptr = rq->cmd;
25735+ else
25736+ cmdptr = tmpcmd;
25737+
25738+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
25739 return -EFAULT;
25740+
25741+ if (cmdptr != rq->cmd)
25742+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
25743+
25744 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
25745 return -EPERM;
25746
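Review bot: `copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len)` can now target the on-stack `tmpcmd`, and nothing in this hunk bounds `hdr->cmd_len` by `sizeof(tmpcmd)`; the limit has to come from the caller, which is outside the hunk. If that limit were ever missed, the overrun would land on the kernel stack rather than inside the request. A local guard keeps the function safe on its own: `if (cmdptr == tmpcmd && hdr->cmd_len > sizeof(tmpcmd)) return -EINVAL;`. The same applies to `cmdlen` in the `sg_scsi_ioctl` hunk at `@@ -463,9 +477,18 @@`, where the failure path is `goto error`.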
25747@@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
25748 int err;
25749 unsigned int in_len, out_len, bytes, opcode, cmdlen;
25750 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
25751+ unsigned char tmpcmd[sizeof(rq->__cmd)];
25752+ unsigned char *cmdptr;
25753
25754 if (!sic)
25755 return -EINVAL;
25756@@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
25757 */
25758 err = -EFAULT;
25759 rq->cmd_len = cmdlen;
25760- if (copy_from_user(rq->cmd, sic->data, cmdlen))
25761+
25762+ if (rq->cmd != rq->__cmd)
25763+ cmdptr = rq->cmd;
25764+ else
25765+ cmdptr = tmpcmd;
25766+
25767+ if (copy_from_user(cmdptr, sic->data, cmdlen))
25768 goto error;
25769
25770+ if (rq->cmd != cmdptr)
25771+ memcpy(rq->cmd, cmdptr, cmdlen);
25772+
25773 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
25774 goto error;
25775
25776diff -urNp linux-2.6.32.48/crypto/cryptd.c linux-2.6.32.48/crypto/cryptd.c
25777--- linux-2.6.32.48/crypto/cryptd.c 2011-11-08 19:02:43.000000000 -0500
25778+++ linux-2.6.32.48/crypto/cryptd.c 2011-11-15 19:59:43.000000000 -0500
25779@@ -50,7 +50,7 @@ struct cryptd_blkcipher_ctx {
25780
25781 struct cryptd_blkcipher_request_ctx {
25782 crypto_completion_t complete;
25783-};
25784+} __no_const;
25785
25786 struct cryptd_hash_ctx {
25787 struct crypto_shash *child;
25788diff -urNp linux-2.6.32.48/crypto/gf128mul.c linux-2.6.32.48/crypto/gf128mul.c
25789--- linux-2.6.32.48/crypto/gf128mul.c 2011-11-08 19:02:43.000000000 -0500
25790+++ linux-2.6.32.48/crypto/gf128mul.c 2011-11-15 19:59:43.000000000 -0500
25791@@ -182,7 +182,7 @@ void gf128mul_lle(be128 *r, const be128
25792 for (i = 0; i < 7; ++i)
25793 gf128mul_x_lle(&p[i + 1], &p[i]);
25794
25795- memset(r, 0, sizeof(r));
25796+ memset(r, 0, sizeof(*r));
25797 for (i = 0;;) {
25798 u8 ch = ((u8 *)b)[15 - i];
25799
25800@@ -220,7 +220,7 @@ void gf128mul_bbe(be128 *r, const be128
25801 for (i = 0; i < 7; ++i)
25802 gf128mul_x_bbe(&p[i + 1], &p[i]);
25803
25804- memset(r, 0, sizeof(r));
25805+ memset(r, 0, sizeof(*r));
25806 for (i = 0;;) {
25807 u8 ch = ((u8 *)b)[i];
25808
25809diff -urNp linux-2.6.32.48/crypto/serpent.c linux-2.6.32.48/crypto/serpent.c
25810--- linux-2.6.32.48/crypto/serpent.c 2011-11-08 19:02:43.000000000 -0500
25811+++ linux-2.6.32.48/crypto/serpent.c 2011-11-15 19:59:43.000000000 -0500
25812@@ -21,6 +21,7 @@
25813 #include <asm/byteorder.h>
25814 #include <linux/crypto.h>
25815 #include <linux/types.h>
25816+#include <linux/sched.h>
25817
25818 /* Key is padded to the maximum of 256 bits before round key generation.
25819 * Any key length <= 256 bits (32 bytes) is allowed by the algorithm.
25820@@ -224,6 +225,8 @@ static int serpent_setkey(struct crypto_
25821 u32 r0,r1,r2,r3,r4;
25822 int i;
25823
25824+ pax_track_stack();
25825+
25826 /* Copy key, add padding */
25827
25828 for (i = 0; i < keylen; ++i)
25829diff -urNp linux-2.6.32.48/Documentation/dontdiff linux-2.6.32.48/Documentation/dontdiff
25830--- linux-2.6.32.48/Documentation/dontdiff 2011-11-08 19:02:43.000000000 -0500
25831+++ linux-2.6.32.48/Documentation/dontdiff 2011-11-18 18:01:52.000000000 -0500
25832@@ -1,13 +1,16 @@
25833 *.a
25834 *.aux
25835 *.bin
25836+*.cis
25837 *.cpio
25838 *.csp
25839+*.dbg
25840 *.dsp
25841 *.dvi
25842 *.elf
25843 *.eps
25844 *.fw
25845+*.gcno
25846 *.gen.S
25847 *.gif
25848 *.grep
25849@@ -38,8 +41,10 @@
25850 *.tab.h
25851 *.tex
25852 *.ver
25853+*.vim
25854 *.xml
25855 *_MODULES
25856+*_reg_safe.h
25857 *_vga16.c
25858 *~
25859 *.9
25860@@ -49,11 +54,16 @@
25861 53c700_d.h
25862 CVS
25863 ChangeSet
25864+GPATH
25865+GRTAGS
25866+GSYMS
25867+GTAGS
25868 Image
25869 Kerntypes
25870 Module.markers
25871 Module.symvers
25872 PENDING
25873+PERF*
25874 SCCS
25875 System.map*
25876 TAGS
25877@@ -76,7 +86,11 @@ btfixupprep
25878 build
25879 bvmlinux
25880 bzImage*
25881+capability_names.h
25882+capflags.c
25883 classlist.h*
25884+clut_vga16.c
25885+common-cmds.h
25886 comp*.log
25887 compile.h*
25888 conf
25889@@ -84,6 +98,8 @@ config
25890 config-*
25891 config_data.h*
25892 config_data.gz*
25893+config.c
25894+config.tmp
25895 conmakehash
25896 consolemap_deftbl.c*
25897 cpustr.h
25898@@ -97,19 +113,22 @@ elfconfig.h*
25899 fixdep
25900 fore200e_mkfirm
25901 fore200e_pca_fw.c*
25902+gate.lds
25903 gconf
25904 gen-devlist
25905 gen_crc32table
25906 gen_init_cpio
25907 genksyms
25908 *_gray256.c
25909+hash
25910 ihex2fw
25911 ikconfig.h*
25912 initramfs_data.cpio
25913+initramfs_data.cpio.bz2
25914 initramfs_data.cpio.gz
25915 initramfs_list
25916 kallsyms
25917-kconfig
25918+kern_constants.h
25919 keywords.c
25920 ksym.c*
25921 ksym.h*
25922@@ -133,7 +152,9 @@ mkboot
25923 mkbugboot
25924 mkcpustr
25925 mkdep
25926+mkpiggy
25927 mkprep
25928+mkregtable
25929 mktables
25930 mktree
25931 modpost
25932@@ -149,6 +170,7 @@ patches*
25933 pca200e.bin
25934 pca200e_ecd.bin2
25935 piggy.gz
25936+piggy.S
25937 piggyback
25938 pnmtologo
25939 ppc_defs.h*
25940@@ -157,12 +179,15 @@ qconf
25941 raid6altivec*.c
25942 raid6int*.c
25943 raid6tables.c
25944+regdb.c
25945 relocs
25946+rlim_names.h
25947 series
25948 setup
25949 setup.bin
25950 setup.elf
25951 sImage
25952+slabinfo
25953 sm_tbl*
25954 split-include
25955 syscalltab.h
25956@@ -171,6 +196,7 @@ tftpboot.img
25957 timeconst.h
25958 times.h*
25959 trix_boot.h
25960+user_constants.h
25961 utsrelease.h*
25962 vdso-syms.lds
25963 vdso.lds
25964@@ -186,14 +212,20 @@ version.h*
25965 vmlinux
25966 vmlinux-*
25967 vmlinux.aout
25968+vmlinux.bin.all
25969+vmlinux.bin.bz2
25970 vmlinux.lds
25971+vmlinux.relocs
25972+voffset.h
25973 vsyscall.lds
25974 vsyscall_32.lds
25975 wanxlfw.inc
25976 uImage
25977 unifdef
25978+utsrelease.h
25979 wakeup.bin
25980 wakeup.elf
25981 wakeup.lds
25982 zImage*
25983 zconf.hash.c
25984+zoffset.h
25985diff -urNp linux-2.6.32.48/Documentation/kernel-parameters.txt linux-2.6.32.48/Documentation/kernel-parameters.txt
25986--- linux-2.6.32.48/Documentation/kernel-parameters.txt 2011-11-08 19:02:43.000000000 -0500
25987+++ linux-2.6.32.48/Documentation/kernel-parameters.txt 2011-11-15 19:59:43.000000000 -0500
25988@@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
25989 the specified number of seconds. This is to be used if
25990 your oopses keep scrolling off the screen.
25991
25992+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
25993+ virtualization environments that don't cope well with the
25994+ expand down segment used by UDEREF on X86-32 or the frequent
25995+ page table updates on X86-64.
25996+
25997+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
25998+
25999 pcbit= [HW,ISDN]
26000
26001 pcd. [PARIDE]
26002diff -urNp linux-2.6.32.48/drivers/acpi/acpi_pad.c linux-2.6.32.48/drivers/acpi/acpi_pad.c
26003--- linux-2.6.32.48/drivers/acpi/acpi_pad.c 2011-11-08 19:02:43.000000000 -0500
26004+++ linux-2.6.32.48/drivers/acpi/acpi_pad.c 2011-11-15 19:59:43.000000000 -0500
26005@@ -30,7 +30,7 @@
26006 #include <acpi/acpi_bus.h>
26007 #include <acpi/acpi_drivers.h>
26008
26009-#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
26010+#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
26011 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
26012 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
26013 static DEFINE_MUTEX(isolated_cpus_lock);
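Review bot: The class string is shortened from `"processor_aggregator"` to `"acpi_pad"` with no comment naming the constraint, presumably so that it fits a fixed-size class buffer when it is copied; the copy site is not in this hunk. State the limit next to the define, e.g. `/* must fit the ACPI device class buffer, including the trailing NUL */`, and consider a bounded copy at the use site so the length is enforced rather than assumed. The same unexplained shortening appears in `drivers/acpi/sbshc.c` (`"smbus_host_ctl"`). If the class string is exposed to user space, the rename is also a visible interface change.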
26014diff -urNp linux-2.6.32.48/drivers/acpi/battery.c linux-2.6.32.48/drivers/acpi/battery.c
26015--- linux-2.6.32.48/drivers/acpi/battery.c 2011-11-08 19:02:43.000000000 -0500
26016+++ linux-2.6.32.48/drivers/acpi/battery.c 2011-11-15 19:59:43.000000000 -0500
26017@@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
26018 }
26019
26020 static struct battery_file {
26021- struct file_operations ops;
26022+ const struct file_operations ops;
26023 mode_t mode;
26024 const char *name;
26025 } acpi_battery_file[] = {
26026diff -urNp linux-2.6.32.48/drivers/acpi/dock.c linux-2.6.32.48/drivers/acpi/dock.c
26027--- linux-2.6.32.48/drivers/acpi/dock.c 2011-11-08 19:02:43.000000000 -0500
26028+++ linux-2.6.32.48/drivers/acpi/dock.c 2011-11-15 19:59:43.000000000 -0500
26029@@ -77,7 +77,7 @@ struct dock_dependent_device {
26030 struct list_head list;
26031 struct list_head hotplug_list;
26032 acpi_handle handle;
26033- struct acpi_dock_ops *ops;
26034+ const struct acpi_dock_ops *ops;
26035 void *context;
26036 };
26037
26038@@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
26039 * the dock driver after _DCK is executed.
26040 */
26041 int
26042-register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
26043+register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
26044 void *context)
26045 {
26046 struct dock_dependent_device *dd;
26047diff -urNp linux-2.6.32.48/drivers/acpi/osl.c linux-2.6.32.48/drivers/acpi/osl.c
26048--- linux-2.6.32.48/drivers/acpi/osl.c 2011-11-08 19:02:43.000000000 -0500
26049+++ linux-2.6.32.48/drivers/acpi/osl.c 2011-11-15 19:59:43.000000000 -0500
26050@@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
26051 void __iomem *virt_addr;
26052
26053 virt_addr = ioremap(phys_addr, width);
26054+ if (!virt_addr)
26055+ return AE_NO_MEMORY;
26056 if (!value)
26057 value = &dummy;
26058
26059@@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
26060 void __iomem *virt_addr;
26061
26062 virt_addr = ioremap(phys_addr, width);
26063+ if (!virt_addr)
26064+ return AE_NO_MEMORY;
26065
26066 switch (width) {
26067 case 8:
26068diff -urNp linux-2.6.32.48/drivers/acpi/power_meter.c linux-2.6.32.48/drivers/acpi/power_meter.c
26069--- linux-2.6.32.48/drivers/acpi/power_meter.c 2011-11-08 19:02:43.000000000 -0500
26070+++ linux-2.6.32.48/drivers/acpi/power_meter.c 2011-11-15 19:59:43.000000000 -0500
26071@@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
26072 return res;
26073
26074 temp /= 1000;
26075- if (temp < 0)
26076- return -EINVAL;
26077
26078 mutex_lock(&resource->lock);
26079 resource->trip[attr->index - 7] = temp;
26080diff -urNp linux-2.6.32.48/drivers/acpi/proc.c linux-2.6.32.48/drivers/acpi/proc.c
26081--- linux-2.6.32.48/drivers/acpi/proc.c 2011-11-08 19:02:43.000000000 -0500
26082+++ linux-2.6.32.48/drivers/acpi/proc.c 2011-11-15 19:59:43.000000000 -0500
26083@@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
26084 size_t count, loff_t * ppos)
26085 {
26086 struct list_head *node, *next;
26087- char strbuf[5];
26088- char str[5] = "";
26089- unsigned int len = count;
26090+ char strbuf[5] = {0};
26091 struct acpi_device *found_dev = NULL;
26092
26093- if (len > 4)
26094- len = 4;
26095- if (len < 0)
26096- return -EFAULT;
26097+ if (count > 4)
26098+ count = 4;
26099
26100- if (copy_from_user(strbuf, buffer, len))
26101+ if (copy_from_user(strbuf, buffer, count))
26102 return -EFAULT;
26103- strbuf[len] = '\0';
26104- sscanf(strbuf, "%s", str);
26105+ strbuf[count] = '\0';
26106
26107 mutex_lock(&acpi_device_lock);
26108 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
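Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means the name compared by `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk now keeps any leading whitespace or trailing newline, so a three-character name followed by `\n` would no longer match where it did before. If that input form should keep working, cut the buffer at the first newline after the copy: `strbuf[strcspn(strbuf, "\n")] = '\0';`. `count` is also clamped in place now, so if the function later returns `count` (the return is outside the hunk), callers will see a short write for longer input.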
26109@@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
26110 if (!dev->wakeup.flags.valid)
26111 continue;
26112
26113- if (!strncmp(dev->pnp.bus_id, str, 4)) {
26114+ if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
26115 dev->wakeup.state.enabled =
26116 dev->wakeup.state.enabled ? 0 : 1;
26117 found_dev = dev;
26118diff -urNp linux-2.6.32.48/drivers/acpi/processor_core.c linux-2.6.32.48/drivers/acpi/processor_core.c
26119--- linux-2.6.32.48/drivers/acpi/processor_core.c 2011-11-08 19:02:43.000000000 -0500
26120+++ linux-2.6.32.48/drivers/acpi/processor_core.c 2011-11-15 19:59:43.000000000 -0500
26121@@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
26122 return 0;
26123 }
26124
26125- BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
26126+ BUG_ON(pr->id >= nr_cpu_ids);
26127
26128 /*
26129 * Buggy BIOS check
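Review bot: Removing `pr->id < 0` from the `BUG_ON` is equivalent only if `pr->id` is an unsigned field, and its declaration is not in this hunk. If the type is signed, or later becomes signed, a negative id would pass this check and go on to be used as a CPU index. A short comment such as `/* pr->id is unsigned, so only the upper bound needs checking */` would record the assumption the new condition depends on.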
26130diff -urNp linux-2.6.32.48/drivers/acpi/sbshc.c linux-2.6.32.48/drivers/acpi/sbshc.c
26131--- linux-2.6.32.48/drivers/acpi/sbshc.c 2011-11-08 19:02:43.000000000 -0500
26132+++ linux-2.6.32.48/drivers/acpi/sbshc.c 2011-11-15 19:59:43.000000000 -0500
26133@@ -17,7 +17,7 @@
26134
26135 #define PREFIX "ACPI: "
26136
26137-#define ACPI_SMB_HC_CLASS "smbus_host_controller"
26138+#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
26139 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
26140
26141 struct acpi_smb_hc {
26142diff -urNp linux-2.6.32.48/drivers/acpi/sleep.c linux-2.6.32.48/drivers/acpi/sleep.c
26143--- linux-2.6.32.48/drivers/acpi/sleep.c 2011-11-08 19:02:43.000000000 -0500
26144+++ linux-2.6.32.48/drivers/acpi/sleep.c 2011-11-15 19:59:43.000000000 -0500
26145@@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
26146 }
26147 }
26148
26149-static struct platform_suspend_ops acpi_suspend_ops = {
26150+static const struct platform_suspend_ops acpi_suspend_ops = {
26151 .valid = acpi_suspend_state_valid,
26152 .begin = acpi_suspend_begin,
26153 .prepare_late = acpi_pm_prepare,
26154@@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
26155 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26156 * been requested.
26157 */
26158-static struct platform_suspend_ops acpi_suspend_ops_old = {
26159+static const struct platform_suspend_ops acpi_suspend_ops_old = {
26160 .valid = acpi_suspend_state_valid,
26161 .begin = acpi_suspend_begin_old,
26162 .prepare_late = acpi_pm_disable_gpes,
26163@@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
26164 acpi_enable_all_runtime_gpes();
26165 }
26166
26167-static struct platform_hibernation_ops acpi_hibernation_ops = {
26168+static const struct platform_hibernation_ops acpi_hibernation_ops = {
26169 .begin = acpi_hibernation_begin,
26170 .end = acpi_pm_end,
26171 .pre_snapshot = acpi_hibernation_pre_snapshot,
26172@@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
26173 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
26174 * been requested.
26175 */
26176-static struct platform_hibernation_ops acpi_hibernation_ops_old = {
26177+static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
26178 .begin = acpi_hibernation_begin_old,
26179 .end = acpi_pm_end,
26180 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
26181diff -urNp linux-2.6.32.48/drivers/acpi/video.c linux-2.6.32.48/drivers/acpi/video.c
26182--- linux-2.6.32.48/drivers/acpi/video.c 2011-11-08 19:02:43.000000000 -0500
26183+++ linux-2.6.32.48/drivers/acpi/video.c 2011-11-15 19:59:43.000000000 -0500
26184@@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
26185 vd->brightness->levels[request_level]);
26186 }
26187
26188-static struct backlight_ops acpi_backlight_ops = {
26189+static const struct backlight_ops acpi_backlight_ops = {
26190 .get_brightness = acpi_video_get_brightness,
26191 .update_status = acpi_video_set_brightness,
26192 };
26193diff -urNp linux-2.6.32.48/drivers/ata/ahci.c linux-2.6.32.48/drivers/ata/ahci.c
26194--- linux-2.6.32.48/drivers/ata/ahci.c 2011-11-08 19:02:43.000000000 -0500
26195+++ linux-2.6.32.48/drivers/ata/ahci.c 2011-11-15 19:59:43.000000000 -0500
26196@@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
26197 .sdev_attrs = ahci_sdev_attrs,
26198 };
26199
26200-static struct ata_port_operations ahci_ops = {
26201+static const struct ata_port_operations ahci_ops = {
26202 .inherits = &sata_pmp_port_ops,
26203
26204 .qc_defer = sata_pmp_qc_defer_cmd_switch,
26205@@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
26206 .port_stop = ahci_port_stop,
26207 };
26208
26209-static struct ata_port_operations ahci_vt8251_ops = {
26210+static const struct ata_port_operations ahci_vt8251_ops = {
26211 .inherits = &ahci_ops,
26212 .hardreset = ahci_vt8251_hardreset,
26213 };
26214
26215-static struct ata_port_operations ahci_p5wdh_ops = {
26216+static const struct ata_port_operations ahci_p5wdh_ops = {
26217 .inherits = &ahci_ops,
26218 .hardreset = ahci_p5wdh_hardreset,
26219 };
26220
26221-static struct ata_port_operations ahci_sb600_ops = {
26222+static const struct ata_port_operations ahci_sb600_ops = {
26223 .inherits = &ahci_ops,
26224 .softreset = ahci_sb600_softreset,
26225 .pmp_softreset = ahci_sb600_softreset,
26226diff -urNp linux-2.6.32.48/drivers/ata/ata_generic.c linux-2.6.32.48/drivers/ata/ata_generic.c
26227--- linux-2.6.32.48/drivers/ata/ata_generic.c 2011-11-08 19:02:43.000000000 -0500
26228+++ linux-2.6.32.48/drivers/ata/ata_generic.c 2011-11-15 19:59:43.000000000 -0500
26229@@ -104,7 +104,7 @@ static struct scsi_host_template generic
26230 ATA_BMDMA_SHT(DRV_NAME),
26231 };
26232
26233-static struct ata_port_operations generic_port_ops = {
26234+static const struct ata_port_operations generic_port_ops = {
26235 .inherits = &ata_bmdma_port_ops,
26236 .cable_detect = ata_cable_unknown,
26237 .set_mode = generic_set_mode,
26238diff -urNp linux-2.6.32.48/drivers/ata/ata_piix.c linux-2.6.32.48/drivers/ata/ata_piix.c
26239--- linux-2.6.32.48/drivers/ata/ata_piix.c 2011-11-08 19:02:43.000000000 -0500
26240+++ linux-2.6.32.48/drivers/ata/ata_piix.c 2011-11-15 19:59:43.000000000 -0500
26241@@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
26242 ATA_BMDMA_SHT(DRV_NAME),
26243 };
26244
26245-static struct ata_port_operations piix_pata_ops = {
26246+static const struct ata_port_operations piix_pata_ops = {
26247 .inherits = &ata_bmdma32_port_ops,
26248 .cable_detect = ata_cable_40wire,
26249 .set_piomode = piix_set_piomode,
26250@@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
26251 .prereset = piix_pata_prereset,
26252 };
26253
26254-static struct ata_port_operations piix_vmw_ops = {
26255+static const struct ata_port_operations piix_vmw_ops = {
26256 .inherits = &piix_pata_ops,
26257 .bmdma_status = piix_vmw_bmdma_status,
26258 };
26259
26260-static struct ata_port_operations ich_pata_ops = {
26261+static const struct ata_port_operations ich_pata_ops = {
26262 .inherits = &piix_pata_ops,
26263 .cable_detect = ich_pata_cable_detect,
26264 .set_dmamode = ich_set_dmamode,
26265 };
26266
26267-static struct ata_port_operations piix_sata_ops = {
26268+static const struct ata_port_operations piix_sata_ops = {
26269 .inherits = &ata_bmdma_port_ops,
26270 };
26271
26272-static struct ata_port_operations piix_sidpr_sata_ops = {
26273+static const struct ata_port_operations piix_sidpr_sata_ops = {
26274 .inherits = &piix_sata_ops,
26275 .hardreset = sata_std_hardreset,
26276 .scr_read = piix_sidpr_scr_read,
26277diff -urNp linux-2.6.32.48/drivers/ata/libata-acpi.c linux-2.6.32.48/drivers/ata/libata-acpi.c
26278--- linux-2.6.32.48/drivers/ata/libata-acpi.c 2011-11-08 19:02:43.000000000 -0500
26279+++ linux-2.6.32.48/drivers/ata/libata-acpi.c 2011-11-15 19:59:43.000000000 -0500
26280@@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
26281 ata_acpi_uevent(dev->link->ap, dev, event);
26282 }
26283
26284-static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26285+static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
26286 .handler = ata_acpi_dev_notify_dock,
26287 .uevent = ata_acpi_dev_uevent,
26288 };
26289
26290-static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26291+static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
26292 .handler = ata_acpi_ap_notify_dock,
26293 .uevent = ata_acpi_ap_uevent,
26294 };
26295diff -urNp linux-2.6.32.48/drivers/ata/libata-core.c linux-2.6.32.48/drivers/ata/libata-core.c
26296--- linux-2.6.32.48/drivers/ata/libata-core.c 2011-11-08 19:02:43.000000000 -0500
26297+++ linux-2.6.32.48/drivers/ata/libata-core.c 2011-11-15 19:59:43.000000000 -0500
26298@@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
26299 struct ata_port *ap;
26300 unsigned int tag;
26301
26302- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26303+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26304 ap = qc->ap;
26305
26306 qc->flags = 0;
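Review bot: `BUG_ON(qc == NULL)` makes fatal a case that the adjacent comment describes as possible (`ata_qc_from_tag _might_ return NULL`), in a function that may run while commands are being completed. It does stop execution before the dereference at `ap = qc->ap`, but a recoverable guard gives the same protection without a kernel BUG: `if (WARN_ON_ONCE(qc == NULL)) return;`. The same applies to `__ata_qc_complete` in the next hunk. Both function bodies continue outside their hunks.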
26307@@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
26308 struct ata_port *ap;
26309 struct ata_link *link;
26310
26311- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26312+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
26313 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
26314 ap = qc->ap;
26315 link = qc->dev->link;
26316@@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
26317 * LOCKING:
26318 * None.
26319 */
26320-static void ata_finalize_port_ops(struct ata_port_operations *ops)
26321+static void ata_finalize_port_ops(const struct ata_port_operations *ops)
26322 {
26323 static DEFINE_SPINLOCK(lock);
26324 const struct ata_port_operations *cur;
26325@@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
26326 return;
26327
26328 spin_lock(&lock);
26329+ pax_open_kernel();
26330
26331 for (cur = ops->inherits; cur; cur = cur->inherits) {
26332 void **inherit = (void **)cur;
26333@@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
26334 if (IS_ERR(*pp))
26335 *pp = NULL;
26336
26337- ops->inherits = NULL;
26338+ *(struct ata_port_operations **)&ops->inherits = NULL;
26339
26340+ pax_close_kernel();
26341 spin_unlock(&lock);
26342 }
26343
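Review bot: The write `*(struct ata_port_operations **)&ops->inherits = NULL;` casts away the `const` that this same change adds to the parameter, and nothing in the code says why. It appears to rely on sitting between `pax_open_kernel()` (previous hunk) and `pax_close_kernel()`. Add a comment above the cast, e.g. `/* ops tables are const; writes are permitted only inside the pax_open_kernel() window */`, so the cast is not copied elsewhere without that bracket. The loop that fills inherited slots through `void **` pointers runs inside the same window and is only partly visible in these hunks.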
26344@@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
26345 */
26346 /* KILLME - the only user left is ipr */
26347 void ata_host_init(struct ata_host *host, struct device *dev,
26348- unsigned long flags, struct ata_port_operations *ops)
26349+ unsigned long flags, const struct ata_port_operations *ops)
26350 {
26351 spin_lock_init(&host->lock);
26352 host->dev = dev;
26353@@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
26354 /* truly dummy */
26355 }
26356
26357-struct ata_port_operations ata_dummy_port_ops = {
26358+const struct ata_port_operations ata_dummy_port_ops = {
26359 .qc_prep = ata_noop_qc_prep,
26360 .qc_issue = ata_dummy_qc_issue,
26361 .error_handler = ata_dummy_error_handler,
26362diff -urNp linux-2.6.32.48/drivers/ata/libata-eh.c linux-2.6.32.48/drivers/ata/libata-eh.c
26363--- linux-2.6.32.48/drivers/ata/libata-eh.c 2011-11-08 19:02:43.000000000 -0500
26364+++ linux-2.6.32.48/drivers/ata/libata-eh.c 2011-11-15 19:59:43.000000000 -0500
26365@@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
26366 {
26367 struct ata_link *link;
26368
26369+ pax_track_stack();
26370+
26371 ata_for_each_link(link, ap, HOST_FIRST)
26372 ata_eh_link_report(link);
26373 }
26374@@ -3594,7 +3596,7 @@ void ata_do_eh(struct ata_port *ap, ata_
26375 */
26376 void ata_std_error_handler(struct ata_port *ap)
26377 {
26378- struct ata_port_operations *ops = ap->ops;
26379+ const struct ata_port_operations *ops = ap->ops;
26380 ata_reset_fn_t hardreset = ops->hardreset;
26381
26382 /* ignore built-in hardreset if SCR access is not available */
26383diff -urNp linux-2.6.32.48/drivers/ata/libata-pmp.c linux-2.6.32.48/drivers/ata/libata-pmp.c
26384--- linux-2.6.32.48/drivers/ata/libata-pmp.c 2011-11-08 19:02:43.000000000 -0500
26385+++ linux-2.6.32.48/drivers/ata/libata-pmp.c 2011-11-15 19:59:43.000000000 -0500
26386@@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
26387 */
26388 static int sata_pmp_eh_recover(struct ata_port *ap)
26389 {
26390- struct ata_port_operations *ops = ap->ops;
26391+ const struct ata_port_operations *ops = ap->ops;
26392 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
26393 struct ata_link *pmp_link = &ap->link;
26394 struct ata_device *pmp_dev = pmp_link->device;
26395diff -urNp linux-2.6.32.48/drivers/ata/pata_acpi.c linux-2.6.32.48/drivers/ata/pata_acpi.c
26396--- linux-2.6.32.48/drivers/ata/pata_acpi.c 2011-11-08 19:02:43.000000000 -0500
26397+++ linux-2.6.32.48/drivers/ata/pata_acpi.c 2011-11-15 19:59:43.000000000 -0500
26398@@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
26399 ATA_BMDMA_SHT(DRV_NAME),
26400 };
26401
26402-static struct ata_port_operations pacpi_ops = {
26403+static const struct ata_port_operations pacpi_ops = {
26404 .inherits = &ata_bmdma_port_ops,
26405 .qc_issue = pacpi_qc_issue,
26406 .cable_detect = pacpi_cable_detect,
26407diff -urNp linux-2.6.32.48/drivers/ata/pata_ali.c linux-2.6.32.48/drivers/ata/pata_ali.c
26408--- linux-2.6.32.48/drivers/ata/pata_ali.c 2011-11-08 19:02:43.000000000 -0500
26409+++ linux-2.6.32.48/drivers/ata/pata_ali.c 2011-11-15 19:59:43.000000000 -0500
26410@@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
26411 * Port operations for PIO only ALi
26412 */
26413
26414-static struct ata_port_operations ali_early_port_ops = {
26415+static const struct ata_port_operations ali_early_port_ops = {
26416 .inherits = &ata_sff_port_ops,
26417 .cable_detect = ata_cable_40wire,
26418 .set_piomode = ali_set_piomode,
26419@@ -382,7 +382,7 @@ static const struct ata_port_operations
26420 * Port operations for DMA capable ALi without cable
26421 * detect
26422 */
26423-static struct ata_port_operations ali_20_port_ops = {
26424+static const struct ata_port_operations ali_20_port_ops = {
26425 .inherits = &ali_dma_base_ops,
26426 .cable_detect = ata_cable_40wire,
26427 .mode_filter = ali_20_filter,
26428@@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
26429 /*
26430 * Port operations for DMA capable ALi with cable detect
26431 */
26432-static struct ata_port_operations ali_c2_port_ops = {
26433+static const struct ata_port_operations ali_c2_port_ops = {
26434 .inherits = &ali_dma_base_ops,
26435 .check_atapi_dma = ali_check_atapi_dma,
26436 .cable_detect = ali_c2_cable_detect,
26437@@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
26438 /*
26439 * Port operations for DMA capable ALi with cable detect
26440 */
26441-static struct ata_port_operations ali_c4_port_ops = {
26442+static const struct ata_port_operations ali_c4_port_ops = {
26443 .inherits = &ali_dma_base_ops,
26444 .check_atapi_dma = ali_check_atapi_dma,
26445 .cable_detect = ali_c2_cable_detect,
26446@@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
26447 /*
26448 * Port operations for DMA capable ALi with cable detect and LBA48
26449 */
26450-static struct ata_port_operations ali_c5_port_ops = {
26451+static const struct ata_port_operations ali_c5_port_ops = {
26452 .inherits = &ali_dma_base_ops,
26453 .check_atapi_dma = ali_check_atapi_dma,
26454 .dev_config = ali_warn_atapi_dma,
26455diff -urNp linux-2.6.32.48/drivers/ata/pata_amd.c linux-2.6.32.48/drivers/ata/pata_amd.c
26456--- linux-2.6.32.48/drivers/ata/pata_amd.c 2011-11-08 19:02:43.000000000 -0500
26457+++ linux-2.6.32.48/drivers/ata/pata_amd.c 2011-11-15 19:59:43.000000000 -0500
26458@@ -397,28 +397,28 @@ static const struct ata_port_operations
26459 .prereset = amd_pre_reset,
26460 };
26461
26462-static struct ata_port_operations amd33_port_ops = {
26463+static const struct ata_port_operations amd33_port_ops = {
26464 .inherits = &amd_base_port_ops,
26465 .cable_detect = ata_cable_40wire,
26466 .set_piomode = amd33_set_piomode,
26467 .set_dmamode = amd33_set_dmamode,
26468 };
26469
26470-static struct ata_port_operations amd66_port_ops = {
26471+static const struct ata_port_operations amd66_port_ops = {
26472 .inherits = &amd_base_port_ops,
26473 .cable_detect = ata_cable_unknown,
26474 .set_piomode = amd66_set_piomode,
26475 .set_dmamode = amd66_set_dmamode,
26476 };
26477
26478-static struct ata_port_operations amd100_port_ops = {
26479+static const struct ata_port_operations amd100_port_ops = {
26480 .inherits = &amd_base_port_ops,
26481 .cable_detect = ata_cable_unknown,
26482 .set_piomode = amd100_set_piomode,
26483 .set_dmamode = amd100_set_dmamode,
26484 };
26485
26486-static struct ata_port_operations amd133_port_ops = {
26487+static const struct ata_port_operations amd133_port_ops = {
26488 .inherits = &amd_base_port_ops,
26489 .cable_detect = amd_cable_detect,
26490 .set_piomode = amd133_set_piomode,
26491@@ -433,13 +433,13 @@ static const struct ata_port_operations
26492 .host_stop = nv_host_stop,
26493 };
26494
26495-static struct ata_port_operations nv100_port_ops = {
26496+static const struct ata_port_operations nv100_port_ops = {
26497 .inherits = &nv_base_port_ops,
26498 .set_piomode = nv100_set_piomode,
26499 .set_dmamode = nv100_set_dmamode,
26500 };
26501
26502-static struct ata_port_operations nv133_port_ops = {
26503+static const struct ata_port_operations nv133_port_ops = {
26504 .inherits = &nv_base_port_ops,
26505 .set_piomode = nv133_set_piomode,
26506 .set_dmamode = nv133_set_dmamode,
26507diff -urNp linux-2.6.32.48/drivers/ata/pata_artop.c linux-2.6.32.48/drivers/ata/pata_artop.c
26508--- linux-2.6.32.48/drivers/ata/pata_artop.c 2011-11-08 19:02:43.000000000 -0500
26509+++ linux-2.6.32.48/drivers/ata/pata_artop.c 2011-11-15 19:59:43.000000000 -0500
26510@@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
26511 ATA_BMDMA_SHT(DRV_NAME),
26512 };
26513
26514-static struct ata_port_operations artop6210_ops = {
26515+static const struct ata_port_operations artop6210_ops = {
26516 .inherits = &ata_bmdma_port_ops,
26517 .cable_detect = ata_cable_40wire,
26518 .set_piomode = artop6210_set_piomode,
26519@@ -320,7 +320,7 @@ static struct ata_port_operations artop6
26520 .qc_defer = artop6210_qc_defer,
26521 };
26522
26523-static struct ata_port_operations artop6260_ops = {
26524+static const struct ata_port_operations artop6260_ops = {
26525 .inherits = &ata_bmdma_port_ops,
26526 .cable_detect = artop6260_cable_detect,
26527 .set_piomode = artop6260_set_piomode,
26528diff -urNp linux-2.6.32.48/drivers/ata/pata_at32.c linux-2.6.32.48/drivers/ata/pata_at32.c
26529--- linux-2.6.32.48/drivers/ata/pata_at32.c 2011-11-08 19:02:43.000000000 -0500
26530+++ linux-2.6.32.48/drivers/ata/pata_at32.c 2011-11-15 19:59:43.000000000 -0500
26531@@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
26532 ATA_PIO_SHT(DRV_NAME),
26533 };
26534
26535-static struct ata_port_operations at32_port_ops = {
26536+static const struct ata_port_operations at32_port_ops = {
26537 .inherits = &ata_sff_port_ops,
26538 .cable_detect = ata_cable_40wire,
26539 .set_piomode = pata_at32_set_piomode,
26540diff -urNp linux-2.6.32.48/drivers/ata/pata_at91.c linux-2.6.32.48/drivers/ata/pata_at91.c
26541--- linux-2.6.32.48/drivers/ata/pata_at91.c 2011-11-08 19:02:43.000000000 -0500
26542+++ linux-2.6.32.48/drivers/ata/pata_at91.c 2011-11-15 19:59:43.000000000 -0500
26543@@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
26544 ATA_PIO_SHT(DRV_NAME),
26545 };
26546
26547-static struct ata_port_operations pata_at91_port_ops = {
26548+static const struct ata_port_operations pata_at91_port_ops = {
26549 .inherits = &ata_sff_port_ops,
26550
26551 .sff_data_xfer = pata_at91_data_xfer_noirq,
26552diff -urNp linux-2.6.32.48/drivers/ata/pata_atiixp.c linux-2.6.32.48/drivers/ata/pata_atiixp.c
26553--- linux-2.6.32.48/drivers/ata/pata_atiixp.c 2011-11-08 19:02:43.000000000 -0500
26554+++ linux-2.6.32.48/drivers/ata/pata_atiixp.c 2011-11-15 19:59:43.000000000 -0500
26555@@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
26556 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26557 };
26558
26559-static struct ata_port_operations atiixp_port_ops = {
26560+static const struct ata_port_operations atiixp_port_ops = {
26561 .inherits = &ata_bmdma_port_ops,
26562
26563 .qc_prep = ata_sff_dumb_qc_prep,
26564diff -urNp linux-2.6.32.48/drivers/ata/pata_atp867x.c linux-2.6.32.48/drivers/ata/pata_atp867x.c
26565--- linux-2.6.32.48/drivers/ata/pata_atp867x.c 2011-11-08 19:02:43.000000000 -0500
26566+++ linux-2.6.32.48/drivers/ata/pata_atp867x.c 2011-11-15 19:59:43.000000000 -0500
26567@@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
26568 ATA_BMDMA_SHT(DRV_NAME),
26569 };
26570
26571-static struct ata_port_operations atp867x_ops = {
26572+static const struct ata_port_operations atp867x_ops = {
26573 .inherits = &ata_bmdma_port_ops,
26574 .cable_detect = atp867x_cable_detect,
26575 .set_piomode = atp867x_set_piomode,
26576diff -urNp linux-2.6.32.48/drivers/ata/pata_bf54x.c linux-2.6.32.48/drivers/ata/pata_bf54x.c
26577--- linux-2.6.32.48/drivers/ata/pata_bf54x.c 2011-11-08 19:02:43.000000000 -0500
26578+++ linux-2.6.32.48/drivers/ata/pata_bf54x.c 2011-11-15 19:59:43.000000000 -0500
26579@@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
26580 .dma_boundary = ATA_DMA_BOUNDARY,
26581 };
26582
26583-static struct ata_port_operations bfin_pata_ops = {
26584+static const struct ata_port_operations bfin_pata_ops = {
26585 .inherits = &ata_sff_port_ops,
26586
26587 .set_piomode = bfin_set_piomode,
26588diff -urNp linux-2.6.32.48/drivers/ata/pata_cmd640.c linux-2.6.32.48/drivers/ata/pata_cmd640.c
26589--- linux-2.6.32.48/drivers/ata/pata_cmd640.c 2011-11-08 19:02:43.000000000 -0500
26590+++ linux-2.6.32.48/drivers/ata/pata_cmd640.c 2011-11-15 19:59:43.000000000 -0500
26591@@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
26592 ATA_BMDMA_SHT(DRV_NAME),
26593 };
26594
26595-static struct ata_port_operations cmd640_port_ops = {
26596+static const struct ata_port_operations cmd640_port_ops = {
26597 .inherits = &ata_bmdma_port_ops,
26598 /* In theory xfer_noirq is not needed once we kill the prefetcher */
26599 .sff_data_xfer = ata_sff_data_xfer_noirq,
26600diff -urNp linux-2.6.32.48/drivers/ata/pata_cmd64x.c linux-2.6.32.48/drivers/ata/pata_cmd64x.c
26601--- linux-2.6.32.48/drivers/ata/pata_cmd64x.c 2011-11-08 19:02:43.000000000 -0500
26602+++ linux-2.6.32.48/drivers/ata/pata_cmd64x.c 2011-11-15 19:59:43.000000000 -0500
26603@@ -271,18 +271,18 @@ static const struct ata_port_operations
26604 .set_dmamode = cmd64x_set_dmamode,
26605 };
26606
26607-static struct ata_port_operations cmd64x_port_ops = {
26608+static const struct ata_port_operations cmd64x_port_ops = {
26609 .inherits = &cmd64x_base_ops,
26610 .cable_detect = ata_cable_40wire,
26611 };
26612
26613-static struct ata_port_operations cmd646r1_port_ops = {
26614+static const struct ata_port_operations cmd646r1_port_ops = {
26615 .inherits = &cmd64x_base_ops,
26616 .bmdma_stop = cmd646r1_bmdma_stop,
26617 .cable_detect = ata_cable_40wire,
26618 };
26619
26620-static struct ata_port_operations cmd648_port_ops = {
26621+static const struct ata_port_operations cmd648_port_ops = {
26622 .inherits = &cmd64x_base_ops,
26623 .bmdma_stop = cmd648_bmdma_stop,
26624 .cable_detect = cmd648_cable_detect,
26625diff -urNp linux-2.6.32.48/drivers/ata/pata_cs5520.c linux-2.6.32.48/drivers/ata/pata_cs5520.c
26626--- linux-2.6.32.48/drivers/ata/pata_cs5520.c 2011-11-08 19:02:43.000000000 -0500
26627+++ linux-2.6.32.48/drivers/ata/pata_cs5520.c 2011-11-15 19:59:43.000000000 -0500
26628@@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
26629 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26630 };
26631
26632-static struct ata_port_operations cs5520_port_ops = {
26633+static const struct ata_port_operations cs5520_port_ops = {
26634 .inherits = &ata_bmdma_port_ops,
26635 .qc_prep = ata_sff_dumb_qc_prep,
26636 .cable_detect = ata_cable_40wire,
26637diff -urNp linux-2.6.32.48/drivers/ata/pata_cs5530.c linux-2.6.32.48/drivers/ata/pata_cs5530.c
26638--- linux-2.6.32.48/drivers/ata/pata_cs5530.c 2011-11-08 19:02:43.000000000 -0500
26639+++ linux-2.6.32.48/drivers/ata/pata_cs5530.c 2011-11-15 19:59:43.000000000 -0500
26640@@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
26641 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
26642 };
26643
26644-static struct ata_port_operations cs5530_port_ops = {
26645+static const struct ata_port_operations cs5530_port_ops = {
26646 .inherits = &ata_bmdma_port_ops,
26647
26648 .qc_prep = ata_sff_dumb_qc_prep,
26649diff -urNp linux-2.6.32.48/drivers/ata/pata_cs5535.c linux-2.6.32.48/drivers/ata/pata_cs5535.c
26650--- linux-2.6.32.48/drivers/ata/pata_cs5535.c 2011-11-08 19:02:43.000000000 -0500
26651+++ linux-2.6.32.48/drivers/ata/pata_cs5535.c 2011-11-15 19:59:43.000000000 -0500
26652@@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
26653 ATA_BMDMA_SHT(DRV_NAME),
26654 };
26655
26656-static struct ata_port_operations cs5535_port_ops = {
26657+static const struct ata_port_operations cs5535_port_ops = {
26658 .inherits = &ata_bmdma_port_ops,
26659 .cable_detect = cs5535_cable_detect,
26660 .set_piomode = cs5535_set_piomode,
26661diff -urNp linux-2.6.32.48/drivers/ata/pata_cs5536.c linux-2.6.32.48/drivers/ata/pata_cs5536.c
26662--- linux-2.6.32.48/drivers/ata/pata_cs5536.c 2011-11-08 19:02:43.000000000 -0500
26663+++ linux-2.6.32.48/drivers/ata/pata_cs5536.c 2011-11-15 19:59:43.000000000 -0500
26664@@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
26665 ATA_BMDMA_SHT(DRV_NAME),
26666 };
26667
26668-static struct ata_port_operations cs5536_port_ops = {
26669+static const struct ata_port_operations cs5536_port_ops = {
26670 .inherits = &ata_bmdma_port_ops,
26671 .cable_detect = cs5536_cable_detect,
26672 .set_piomode = cs5536_set_piomode,
26673diff -urNp linux-2.6.32.48/drivers/ata/pata_cypress.c linux-2.6.32.48/drivers/ata/pata_cypress.c
26674--- linux-2.6.32.48/drivers/ata/pata_cypress.c 2011-11-08 19:02:43.000000000 -0500
26675+++ linux-2.6.32.48/drivers/ata/pata_cypress.c 2011-11-15 19:59:43.000000000 -0500
26676@@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
26677 ATA_BMDMA_SHT(DRV_NAME),
26678 };
26679
26680-static struct ata_port_operations cy82c693_port_ops = {
26681+static const struct ata_port_operations cy82c693_port_ops = {
26682 .inherits = &ata_bmdma_port_ops,
26683 .cable_detect = ata_cable_40wire,
26684 .set_piomode = cy82c693_set_piomode,
26685diff -urNp linux-2.6.32.48/drivers/ata/pata_efar.c linux-2.6.32.48/drivers/ata/pata_efar.c
26686--- linux-2.6.32.48/drivers/ata/pata_efar.c 2011-11-08 19:02:43.000000000 -0500
26687+++ linux-2.6.32.48/drivers/ata/pata_efar.c 2011-11-15 19:59:43.000000000 -0500
26688@@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
26689 ATA_BMDMA_SHT(DRV_NAME),
26690 };
26691
26692-static struct ata_port_operations efar_ops = {
26693+static const struct ata_port_operations efar_ops = {
26694 .inherits = &ata_bmdma_port_ops,
26695 .cable_detect = efar_cable_detect,
26696 .set_piomode = efar_set_piomode,
26697diff -urNp linux-2.6.32.48/drivers/ata/pata_hpt366.c linux-2.6.32.48/drivers/ata/pata_hpt366.c
26698--- linux-2.6.32.48/drivers/ata/pata_hpt366.c 2011-11-08 19:02:43.000000000 -0500
26699+++ linux-2.6.32.48/drivers/ata/pata_hpt366.c 2011-11-15 19:59:43.000000000 -0500
26700@@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
26701 * Configuration for HPT366/68
26702 */
26703
26704-static struct ata_port_operations hpt366_port_ops = {
26705+static const struct ata_port_operations hpt366_port_ops = {
26706 .inherits = &ata_bmdma_port_ops,
26707 .cable_detect = hpt36x_cable_detect,
26708 .mode_filter = hpt366_filter,
26709diff -urNp linux-2.6.32.48/drivers/ata/pata_hpt37x.c linux-2.6.32.48/drivers/ata/pata_hpt37x.c
26710--- linux-2.6.32.48/drivers/ata/pata_hpt37x.c 2011-11-08 19:02:43.000000000 -0500
26711+++ linux-2.6.32.48/drivers/ata/pata_hpt37x.c 2011-11-15 19:59:43.000000000 -0500
26712@@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
26713 * Configuration for HPT370
26714 */
26715
26716-static struct ata_port_operations hpt370_port_ops = {
26717+static const struct ata_port_operations hpt370_port_ops = {
26718 .inherits = &ata_bmdma_port_ops,
26719
26720 .bmdma_stop = hpt370_bmdma_stop,
26721@@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
26722 * Configuration for HPT370A. Close to 370 but less filters
26723 */
26724
26725-static struct ata_port_operations hpt370a_port_ops = {
26726+static const struct ata_port_operations hpt370a_port_ops = {
26727 .inherits = &hpt370_port_ops,
26728 .mode_filter = hpt370a_filter,
26729 };
26730@@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
26731 * and DMA mode setting functionality.
26732 */
26733
26734-static struct ata_port_operations hpt372_port_ops = {
26735+static const struct ata_port_operations hpt372_port_ops = {
26736 .inherits = &ata_bmdma_port_ops,
26737
26738 .bmdma_stop = hpt37x_bmdma_stop,
26739@@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
26740 * but we have a different cable detection procedure for function 1.
26741 */
26742
26743-static struct ata_port_operations hpt374_fn1_port_ops = {
26744+static const struct ata_port_operations hpt374_fn1_port_ops = {
26745 .inherits = &hpt372_port_ops,
26746 .prereset = hpt374_fn1_pre_reset,
26747 };
26748diff -urNp linux-2.6.32.48/drivers/ata/pata_hpt3x2n.c linux-2.6.32.48/drivers/ata/pata_hpt3x2n.c
26749--- linux-2.6.32.48/drivers/ata/pata_hpt3x2n.c 2011-11-08 19:02:43.000000000 -0500
26750+++ linux-2.6.32.48/drivers/ata/pata_hpt3x2n.c 2011-11-15 19:59:43.000000000 -0500
26751@@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
26752 * Configuration for HPT3x2n.
26753 */
26754
26755-static struct ata_port_operations hpt3x2n_port_ops = {
26756+static const struct ata_port_operations hpt3x2n_port_ops = {
26757 .inherits = &ata_bmdma_port_ops,
26758
26759 .bmdma_stop = hpt3x2n_bmdma_stop,
26760diff -urNp linux-2.6.32.48/drivers/ata/pata_hpt3x3.c linux-2.6.32.48/drivers/ata/pata_hpt3x3.c
26761--- linux-2.6.32.48/drivers/ata/pata_hpt3x3.c 2011-11-08 19:02:43.000000000 -0500
26762+++ linux-2.6.32.48/drivers/ata/pata_hpt3x3.c 2011-11-15 19:59:43.000000000 -0500
26763@@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
26764 ATA_BMDMA_SHT(DRV_NAME),
26765 };
26766
26767-static struct ata_port_operations hpt3x3_port_ops = {
26768+static const struct ata_port_operations hpt3x3_port_ops = {
26769 .inherits = &ata_bmdma_port_ops,
26770 .cable_detect = ata_cable_40wire,
26771 .set_piomode = hpt3x3_set_piomode,
26772diff -urNp linux-2.6.32.48/drivers/ata/pata_icside.c linux-2.6.32.48/drivers/ata/pata_icside.c
26773--- linux-2.6.32.48/drivers/ata/pata_icside.c 2011-11-08 19:02:43.000000000 -0500
26774+++ linux-2.6.32.48/drivers/ata/pata_icside.c 2011-11-15 19:59:43.000000000 -0500
26775@@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
26776 }
26777 }
26778
26779-static struct ata_port_operations pata_icside_port_ops = {
26780+static const struct ata_port_operations pata_icside_port_ops = {
26781 .inherits = &ata_sff_port_ops,
26782 /* no need to build any PRD tables for DMA */
26783 .qc_prep = ata_noop_qc_prep,
26784diff -urNp linux-2.6.32.48/drivers/ata/pata_isapnp.c linux-2.6.32.48/drivers/ata/pata_isapnp.c
26785--- linux-2.6.32.48/drivers/ata/pata_isapnp.c 2011-11-08 19:02:43.000000000 -0500
26786+++ linux-2.6.32.48/drivers/ata/pata_isapnp.c 2011-11-15 19:59:43.000000000 -0500
26787@@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
26788 ATA_PIO_SHT(DRV_NAME),
26789 };
26790
26791-static struct ata_port_operations isapnp_port_ops = {
26792+static const struct ata_port_operations isapnp_port_ops = {
26793 .inherits = &ata_sff_port_ops,
26794 .cable_detect = ata_cable_40wire,
26795 };
26796
26797-static struct ata_port_operations isapnp_noalt_port_ops = {
26798+static const struct ata_port_operations isapnp_noalt_port_ops = {
26799 .inherits = &ata_sff_port_ops,
26800 .cable_detect = ata_cable_40wire,
26801 /* No altstatus so we don't want to use the lost interrupt poll */
26802diff -urNp linux-2.6.32.48/drivers/ata/pata_it8213.c linux-2.6.32.48/drivers/ata/pata_it8213.c
26803--- linux-2.6.32.48/drivers/ata/pata_it8213.c 2011-11-08 19:02:43.000000000 -0500
26804+++ linux-2.6.32.48/drivers/ata/pata_it8213.c 2011-11-15 19:59:43.000000000 -0500
26805@@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
26806 };
26807
26808
26809-static struct ata_port_operations it8213_ops = {
26810+static const struct ata_port_operations it8213_ops = {
26811 .inherits = &ata_bmdma_port_ops,
26812 .cable_detect = it8213_cable_detect,
26813 .set_piomode = it8213_set_piomode,
26814diff -urNp linux-2.6.32.48/drivers/ata/pata_it821x.c linux-2.6.32.48/drivers/ata/pata_it821x.c
26815--- linux-2.6.32.48/drivers/ata/pata_it821x.c 2011-11-08 19:02:43.000000000 -0500
26816+++ linux-2.6.32.48/drivers/ata/pata_it821x.c 2011-11-15 19:59:43.000000000 -0500
26817@@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
26818 ATA_BMDMA_SHT(DRV_NAME),
26819 };
26820
26821-static struct ata_port_operations it821x_smart_port_ops = {
26822+static const struct ata_port_operations it821x_smart_port_ops = {
26823 .inherits = &ata_bmdma_port_ops,
26824
26825 .check_atapi_dma= it821x_check_atapi_dma,
26826@@ -814,7 +814,7 @@ static struct ata_port_operations it821x
26827 .port_start = it821x_port_start,
26828 };
26829
26830-static struct ata_port_operations it821x_passthru_port_ops = {
26831+static const struct ata_port_operations it821x_passthru_port_ops = {
26832 .inherits = &ata_bmdma_port_ops,
26833
26834 .check_atapi_dma= it821x_check_atapi_dma,
26835@@ -830,7 +830,7 @@ static struct ata_port_operations it821x
26836 .port_start = it821x_port_start,
26837 };
26838
26839-static struct ata_port_operations it821x_rdc_port_ops = {
26840+static const struct ata_port_operations it821x_rdc_port_ops = {
26841 .inherits = &ata_bmdma_port_ops,
26842
26843 .check_atapi_dma= it821x_check_atapi_dma,
26844diff -urNp linux-2.6.32.48/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.48/drivers/ata/pata_ixp4xx_cf.c
26845--- linux-2.6.32.48/drivers/ata/pata_ixp4xx_cf.c 2011-11-08 19:02:43.000000000 -0500
26846+++ linux-2.6.32.48/drivers/ata/pata_ixp4xx_cf.c 2011-11-15 19:59:43.000000000 -0500
26847@@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
26848 ATA_PIO_SHT(DRV_NAME),
26849 };
26850
26851-static struct ata_port_operations ixp4xx_port_ops = {
26852+static const struct ata_port_operations ixp4xx_port_ops = {
26853 .inherits = &ata_sff_port_ops,
26854 .sff_data_xfer = ixp4xx_mmio_data_xfer,
26855 .cable_detect = ata_cable_40wire,
26856diff -urNp linux-2.6.32.48/drivers/ata/pata_jmicron.c linux-2.6.32.48/drivers/ata/pata_jmicron.c
26857--- linux-2.6.32.48/drivers/ata/pata_jmicron.c 2011-11-08 19:02:43.000000000 -0500
26858+++ linux-2.6.32.48/drivers/ata/pata_jmicron.c 2011-11-15 19:59:43.000000000 -0500
26859@@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
26860 ATA_BMDMA_SHT(DRV_NAME),
26861 };
26862
26863-static struct ata_port_operations jmicron_ops = {
26864+static const struct ata_port_operations jmicron_ops = {
26865 .inherits = &ata_bmdma_port_ops,
26866 .prereset = jmicron_pre_reset,
26867 };
26868diff -urNp linux-2.6.32.48/drivers/ata/pata_legacy.c linux-2.6.32.48/drivers/ata/pata_legacy.c
26869--- linux-2.6.32.48/drivers/ata/pata_legacy.c 2011-11-08 19:02:43.000000000 -0500
26870+++ linux-2.6.32.48/drivers/ata/pata_legacy.c 2011-11-15 19:59:43.000000000 -0500
26871@@ -106,7 +106,7 @@ struct legacy_probe {
26872
26873 struct legacy_controller {
26874 const char *name;
26875- struct ata_port_operations *ops;
26876+ const struct ata_port_operations *ops;
26877 unsigned int pio_mask;
26878 unsigned int flags;
26879 unsigned int pflags;
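Review bot: Declaring `ops` as pointer-to-const in `struct legacy_controller` protects the pointed-to tables but not the pointer slot itself, which remains a writable function-table pointer if the array of `struct legacy_controller` entries (outside this hunk) is still a non-const static. If nothing assigns to those entries after initialisation, the array could be declared `const` as well and `legacy_init_one()` could hold it as `const struct legacy_controller *controller`, which would match the `const struct ata_port_operations *ops = controller->ops;` local changed in the `@@ -978` hunk. The struct definition starts and ends outside this hunk, so whether other members are written at runtime cannot be confirmed from here.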
26880@@ -223,12 +223,12 @@ static const struct ata_port_operations
26881 * pio_mask as well.
26882 */
26883
26884-static struct ata_port_operations simple_port_ops = {
26885+static const struct ata_port_operations simple_port_ops = {
26886 .inherits = &legacy_base_port_ops,
26887 .sff_data_xfer = ata_sff_data_xfer_noirq,
26888 };
26889
26890-static struct ata_port_operations legacy_port_ops = {
26891+static const struct ata_port_operations legacy_port_ops = {
26892 .inherits = &legacy_base_port_ops,
26893 .sff_data_xfer = ata_sff_data_xfer_noirq,
26894 .set_mode = legacy_set_mode,
26895@@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
26896 return buflen;
26897 }
26898
26899-static struct ata_port_operations pdc20230_port_ops = {
26900+static const struct ata_port_operations pdc20230_port_ops = {
26901 .inherits = &legacy_base_port_ops,
26902 .set_piomode = pdc20230_set_piomode,
26903 .sff_data_xfer = pdc_data_xfer_vlb,
26904@@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
26905 ioread8(ap->ioaddr.status_addr);
26906 }
26907
26908-static struct ata_port_operations ht6560a_port_ops = {
26909+static const struct ata_port_operations ht6560a_port_ops = {
26910 .inherits = &legacy_base_port_ops,
26911 .set_piomode = ht6560a_set_piomode,
26912 };
26913@@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
26914 ioread8(ap->ioaddr.status_addr);
26915 }
26916
26917-static struct ata_port_operations ht6560b_port_ops = {
26918+static const struct ata_port_operations ht6560b_port_ops = {
26919 .inherits = &legacy_base_port_ops,
26920 .set_piomode = ht6560b_set_piomode,
26921 };
26922@@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
26923 }
26924
26925
26926-static struct ata_port_operations opti82c611a_port_ops = {
26927+static const struct ata_port_operations opti82c611a_port_ops = {
26928 .inherits = &legacy_base_port_ops,
26929 .set_piomode = opti82c611a_set_piomode,
26930 };
26931@@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
26932 return ata_sff_qc_issue(qc);
26933 }
26934
26935-static struct ata_port_operations opti82c46x_port_ops = {
26936+static const struct ata_port_operations opti82c46x_port_ops = {
26937 .inherits = &legacy_base_port_ops,
26938 .set_piomode = opti82c46x_set_piomode,
26939 .qc_issue = opti82c46x_qc_issue,
26940@@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
26941 return 0;
26942 }
26943
26944-static struct ata_port_operations qdi6500_port_ops = {
26945+static const struct ata_port_operations qdi6500_port_ops = {
26946 .inherits = &legacy_base_port_ops,
26947 .set_piomode = qdi6500_set_piomode,
26948 .qc_issue = qdi_qc_issue,
26949 .sff_data_xfer = vlb32_data_xfer,
26950 };
26951
26952-static struct ata_port_operations qdi6580_port_ops = {
26953+static const struct ata_port_operations qdi6580_port_ops = {
26954 .inherits = &legacy_base_port_ops,
26955 .set_piomode = qdi6580_set_piomode,
26956 .sff_data_xfer = vlb32_data_xfer,
26957 };
26958
26959-static struct ata_port_operations qdi6580dp_port_ops = {
26960+static const struct ata_port_operations qdi6580dp_port_ops = {
26961 .inherits = &legacy_base_port_ops,
26962 .set_piomode = qdi6580dp_set_piomode,
26963 .sff_data_xfer = vlb32_data_xfer,
26964@@ -855,7 +855,7 @@ static int winbond_port(struct platform_
26965 return 0;
26966 }
26967
26968-static struct ata_port_operations winbond_port_ops = {
26969+static const struct ata_port_operations winbond_port_ops = {
26970 .inherits = &legacy_base_port_ops,
26971 .set_piomode = winbond_set_piomode,
26972 .sff_data_xfer = vlb32_data_xfer,
26973@@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
26974 int pio_modes = controller->pio_mask;
26975 unsigned long io = probe->port;
26976 u32 mask = (1 << probe->slot);
26977- struct ata_port_operations *ops = controller->ops;
26978+ const struct ata_port_operations *ops = controller->ops;
26979 struct legacy_data *ld = &legacy_data[probe->slot];
26980 struct ata_host *host = NULL;
26981 struct ata_port *ap;
26982diff -urNp linux-2.6.32.48/drivers/ata/pata_marvell.c linux-2.6.32.48/drivers/ata/pata_marvell.c
26983--- linux-2.6.32.48/drivers/ata/pata_marvell.c 2011-11-08 19:02:43.000000000 -0500
26984+++ linux-2.6.32.48/drivers/ata/pata_marvell.c 2011-11-15 19:59:43.000000000 -0500
26985@@ -100,7 +100,7 @@ static struct scsi_host_template marvell
26986 ATA_BMDMA_SHT(DRV_NAME),
26987 };
26988
26989-static struct ata_port_operations marvell_ops = {
26990+static const struct ata_port_operations marvell_ops = {
26991 .inherits = &ata_bmdma_port_ops,
26992 .cable_detect = marvell_cable_detect,
26993 .prereset = marvell_pre_reset,
26994diff -urNp linux-2.6.32.48/drivers/ata/pata_mpc52xx.c linux-2.6.32.48/drivers/ata/pata_mpc52xx.c
26995--- linux-2.6.32.48/drivers/ata/pata_mpc52xx.c 2011-11-08 19:02:43.000000000 -0500
26996+++ linux-2.6.32.48/drivers/ata/pata_mpc52xx.c 2011-11-15 19:59:43.000000000 -0500
26997@@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
26998 ATA_PIO_SHT(DRV_NAME),
26999 };
27000
27001-static struct ata_port_operations mpc52xx_ata_port_ops = {
27002+static const struct ata_port_operations mpc52xx_ata_port_ops = {
27003 .inherits = &ata_bmdma_port_ops,
27004 .sff_dev_select = mpc52xx_ata_dev_select,
27005 .set_piomode = mpc52xx_ata_set_piomode,
27006diff -urNp linux-2.6.32.48/drivers/ata/pata_mpiix.c linux-2.6.32.48/drivers/ata/pata_mpiix.c
27007--- linux-2.6.32.48/drivers/ata/pata_mpiix.c 2011-11-08 19:02:43.000000000 -0500
27008+++ linux-2.6.32.48/drivers/ata/pata_mpiix.c 2011-11-15 19:59:43.000000000 -0500
27009@@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
27010 ATA_PIO_SHT(DRV_NAME),
27011 };
27012
27013-static struct ata_port_operations mpiix_port_ops = {
27014+static const struct ata_port_operations mpiix_port_ops = {
27015 .inherits = &ata_sff_port_ops,
27016 .qc_issue = mpiix_qc_issue,
27017 .cable_detect = ata_cable_40wire,
27018diff -urNp linux-2.6.32.48/drivers/ata/pata_netcell.c linux-2.6.32.48/drivers/ata/pata_netcell.c
27019--- linux-2.6.32.48/drivers/ata/pata_netcell.c 2011-11-08 19:02:43.000000000 -0500
27020+++ linux-2.6.32.48/drivers/ata/pata_netcell.c 2011-11-15 19:59:43.000000000 -0500
27021@@ -34,7 +34,7 @@ static struct scsi_host_template netcell
27022 ATA_BMDMA_SHT(DRV_NAME),
27023 };
27024
27025-static struct ata_port_operations netcell_ops = {
27026+static const struct ata_port_operations netcell_ops = {
27027 .inherits = &ata_bmdma_port_ops,
27028 .cable_detect = ata_cable_80wire,
27029 .read_id = netcell_read_id,
27030diff -urNp linux-2.6.32.48/drivers/ata/pata_ninja32.c linux-2.6.32.48/drivers/ata/pata_ninja32.c
27031--- linux-2.6.32.48/drivers/ata/pata_ninja32.c 2011-11-08 19:02:43.000000000 -0500
27032+++ linux-2.6.32.48/drivers/ata/pata_ninja32.c 2011-11-15 19:59:43.000000000 -0500
27033@@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
27034 ATA_BMDMA_SHT(DRV_NAME),
27035 };
27036
27037-static struct ata_port_operations ninja32_port_ops = {
27038+static const struct ata_port_operations ninja32_port_ops = {
27039 .inherits = &ata_bmdma_port_ops,
27040 .sff_dev_select = ninja32_dev_select,
27041 .cable_detect = ata_cable_40wire,
27042diff -urNp linux-2.6.32.48/drivers/ata/pata_ns87410.c linux-2.6.32.48/drivers/ata/pata_ns87410.c
27043--- linux-2.6.32.48/drivers/ata/pata_ns87410.c 2011-11-08 19:02:43.000000000 -0500
27044+++ linux-2.6.32.48/drivers/ata/pata_ns87410.c 2011-11-15 19:59:43.000000000 -0500
27045@@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
27046 ATA_PIO_SHT(DRV_NAME),
27047 };
27048
27049-static struct ata_port_operations ns87410_port_ops = {
27050+static const struct ata_port_operations ns87410_port_ops = {
27051 .inherits = &ata_sff_port_ops,
27052 .qc_issue = ns87410_qc_issue,
27053 .cable_detect = ata_cable_40wire,
27054diff -urNp linux-2.6.32.48/drivers/ata/pata_ns87415.c linux-2.6.32.48/drivers/ata/pata_ns87415.c
27055--- linux-2.6.32.48/drivers/ata/pata_ns87415.c 2011-11-08 19:02:43.000000000 -0500
27056+++ linux-2.6.32.48/drivers/ata/pata_ns87415.c 2011-11-15 19:59:43.000000000 -0500
27057@@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
27058 }
27059 #endif /* 87560 SuperIO Support */
27060
27061-static struct ata_port_operations ns87415_pata_ops = {
27062+static const struct ata_port_operations ns87415_pata_ops = {
27063 .inherits = &ata_bmdma_port_ops,
27064
27065 .check_atapi_dma = ns87415_check_atapi_dma,
27066@@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
27067 };
27068
27069 #if defined(CONFIG_SUPERIO)
27070-static struct ata_port_operations ns87560_pata_ops = {
27071+static const struct ata_port_operations ns87560_pata_ops = {
27072 .inherits = &ns87415_pata_ops,
27073 .sff_tf_read = ns87560_tf_read,
27074 .sff_check_status = ns87560_check_status,
27075diff -urNp linux-2.6.32.48/drivers/ata/pata_octeon_cf.c linux-2.6.32.48/drivers/ata/pata_octeon_cf.c
27076--- linux-2.6.32.48/drivers/ata/pata_octeon_cf.c 2011-11-08 19:02:43.000000000 -0500
27077+++ linux-2.6.32.48/drivers/ata/pata_octeon_cf.c 2011-11-15 19:59:43.000000000 -0500
27078@@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
27079 return 0;
27080 }
27081
27082+/* cannot be const */
27083 static struct ata_port_operations octeon_cf_ops = {
27084 .inherits = &ata_sff_port_ops,
27085 .check_atapi_dma = octeon_cf_check_atapi_dma,
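Review bot: The added `/* cannot be const */` gives no reason, so a later reader cannot tell whether `octeon_cf_ops` is a deliberate exception or an oversight among the tables constified elsewhere in this patch. Presumably the driver assigns some members at probe time (not visible in this hunk); the comment should say so, for example `/* cannot be const: members are assigned at probe time, see octeon_cf_probe() */`, with the function name corrected to wherever the writes actually happen. Since this table stays in writable memory, recording which fields are written also shows whether it could later be split into fixed `const` variants selected at probe time. The initializer continues outside the hunk.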
27086diff -urNp linux-2.6.32.48/drivers/ata/pata_oldpiix.c linux-2.6.32.48/drivers/ata/pata_oldpiix.c
27087--- linux-2.6.32.48/drivers/ata/pata_oldpiix.c 2011-11-08 19:02:43.000000000 -0500
27088+++ linux-2.6.32.48/drivers/ata/pata_oldpiix.c 2011-11-15 19:59:43.000000000 -0500
27089@@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
27090 ATA_BMDMA_SHT(DRV_NAME),
27091 };
27092
27093-static struct ata_port_operations oldpiix_pata_ops = {
27094+static const struct ata_port_operations oldpiix_pata_ops = {
27095 .inherits = &ata_bmdma_port_ops,
27096 .qc_issue = oldpiix_qc_issue,
27097 .cable_detect = ata_cable_40wire,
27098diff -urNp linux-2.6.32.48/drivers/ata/pata_opti.c linux-2.6.32.48/drivers/ata/pata_opti.c
27099--- linux-2.6.32.48/drivers/ata/pata_opti.c 2011-11-08 19:02:43.000000000 -0500
27100+++ linux-2.6.32.48/drivers/ata/pata_opti.c 2011-11-15 19:59:43.000000000 -0500
27101@@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
27102 ATA_PIO_SHT(DRV_NAME),
27103 };
27104
27105-static struct ata_port_operations opti_port_ops = {
27106+static const struct ata_port_operations opti_port_ops = {
27107 .inherits = &ata_sff_port_ops,
27108 .cable_detect = ata_cable_40wire,
27109 .set_piomode = opti_set_piomode,
27110diff -urNp linux-2.6.32.48/drivers/ata/pata_optidma.c linux-2.6.32.48/drivers/ata/pata_optidma.c
27111--- linux-2.6.32.48/drivers/ata/pata_optidma.c 2011-11-08 19:02:43.000000000 -0500
27112+++ linux-2.6.32.48/drivers/ata/pata_optidma.c 2011-11-15 19:59:43.000000000 -0500
27113@@ -337,7 +337,7 @@ static struct scsi_host_template optidma
27114 ATA_BMDMA_SHT(DRV_NAME),
27115 };
27116
27117-static struct ata_port_operations optidma_port_ops = {
27118+static const struct ata_port_operations optidma_port_ops = {
27119 .inherits = &ata_bmdma_port_ops,
27120 .cable_detect = ata_cable_40wire,
27121 .set_piomode = optidma_set_pio_mode,
27122@@ -346,7 +346,7 @@ static struct ata_port_operations optidm
27123 .prereset = optidma_pre_reset,
27124 };
27125
27126-static struct ata_port_operations optiplus_port_ops = {
27127+static const struct ata_port_operations optiplus_port_ops = {
27128 .inherits = &optidma_port_ops,
27129 .set_piomode = optiplus_set_pio_mode,
27130 .set_dmamode = optiplus_set_dma_mode,
27131diff -urNp linux-2.6.32.48/drivers/ata/pata_palmld.c linux-2.6.32.48/drivers/ata/pata_palmld.c
27132--- linux-2.6.32.48/drivers/ata/pata_palmld.c 2011-11-08 19:02:43.000000000 -0500
27133+++ linux-2.6.32.48/drivers/ata/pata_palmld.c 2011-11-15 19:59:43.000000000 -0500
27134@@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
27135 ATA_PIO_SHT(DRV_NAME),
27136 };
27137
27138-static struct ata_port_operations palmld_port_ops = {
27139+static const struct ata_port_operations palmld_port_ops = {
27140 .inherits = &ata_sff_port_ops,
27141 .sff_data_xfer = ata_sff_data_xfer_noirq,
27142 .cable_detect = ata_cable_40wire,
27143diff -urNp linux-2.6.32.48/drivers/ata/pata_pcmcia.c linux-2.6.32.48/drivers/ata/pata_pcmcia.c
27144--- linux-2.6.32.48/drivers/ata/pata_pcmcia.c 2011-11-08 19:02:43.000000000 -0500
27145+++ linux-2.6.32.48/drivers/ata/pata_pcmcia.c 2011-11-15 19:59:43.000000000 -0500
27146@@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
27147 ATA_PIO_SHT(DRV_NAME),
27148 };
27149
27150-static struct ata_port_operations pcmcia_port_ops = {
27151+static const struct ata_port_operations pcmcia_port_ops = {
27152 .inherits = &ata_sff_port_ops,
27153 .sff_data_xfer = ata_sff_data_xfer_noirq,
27154 .cable_detect = ata_cable_40wire,
27155 .set_mode = pcmcia_set_mode,
27156 };
27157
27158-static struct ata_port_operations pcmcia_8bit_port_ops = {
27159+static const struct ata_port_operations pcmcia_8bit_port_ops = {
27160 .inherits = &ata_sff_port_ops,
27161 .sff_data_xfer = ata_data_xfer_8bit,
27162 .cable_detect = ata_cable_40wire,
27163@@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
27164 unsigned long io_base, ctl_base;
27165 void __iomem *io_addr, *ctl_addr;
27166 int n_ports = 1;
27167- struct ata_port_operations *ops = &pcmcia_port_ops;
27168+ const struct ata_port_operations *ops = &pcmcia_port_ops;
27169
27170 info = kzalloc(sizeof(*info), GFP_KERNEL);
27171 if (info == NULL)
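Review bot: The `const` added to the local `ops` pointer only holds if every later use in `pcmcia_init_one` accepts a pointer-to-const, and those uses lie below the hunk. Presumably `ops` is stored in the port structure or handed to a libata helper, so the receiving field or parameter needs the same `const struct ata_port_operations *` type. Otherwise the qualifier is discarded with a warning or has to be cast away, which would undo the point of the read-only tables above. It is worth checking that no `(struct ata_port_operations *)` cast was introduced to make this compile.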
27172diff -urNp linux-2.6.32.48/drivers/ata/pata_pdc2027x.c linux-2.6.32.48/drivers/ata/pata_pdc2027x.c
27173--- linux-2.6.32.48/drivers/ata/pata_pdc2027x.c 2011-11-08 19:02:43.000000000 -0500
27174+++ linux-2.6.32.48/drivers/ata/pata_pdc2027x.c 2011-11-15 19:59:43.000000000 -0500
27175@@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
27176 ATA_BMDMA_SHT(DRV_NAME),
27177 };
27178
27179-static struct ata_port_operations pdc2027x_pata100_ops = {
27180+static const struct ata_port_operations pdc2027x_pata100_ops = {
27181 .inherits = &ata_bmdma_port_ops,
27182 .check_atapi_dma = pdc2027x_check_atapi_dma,
27183 .cable_detect = pdc2027x_cable_detect,
27184 .prereset = pdc2027x_prereset,
27185 };
27186
27187-static struct ata_port_operations pdc2027x_pata133_ops = {
27188+static const struct ata_port_operations pdc2027x_pata133_ops = {
27189 .inherits = &pdc2027x_pata100_ops,
27190 .mode_filter = pdc2027x_mode_filter,
27191 .set_piomode = pdc2027x_set_piomode,
27192diff -urNp linux-2.6.32.48/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.48/drivers/ata/pata_pdc202xx_old.c
27193--- linux-2.6.32.48/drivers/ata/pata_pdc202xx_old.c 2011-11-08 19:02:43.000000000 -0500
27194+++ linux-2.6.32.48/drivers/ata/pata_pdc202xx_old.c 2011-11-15 19:59:43.000000000 -0500
27195@@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
27196 ATA_BMDMA_SHT(DRV_NAME),
27197 };
27198
27199-static struct ata_port_operations pdc2024x_port_ops = {
27200+static const struct ata_port_operations pdc2024x_port_ops = {
27201 .inherits = &ata_bmdma_port_ops,
27202
27203 .cable_detect = ata_cable_40wire,
27204@@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
27205 .sff_exec_command = pdc202xx_exec_command,
27206 };
27207
27208-static struct ata_port_operations pdc2026x_port_ops = {
27209+static const struct ata_port_operations pdc2026x_port_ops = {
27210 .inherits = &pdc2024x_port_ops,
27211
27212 .check_atapi_dma = pdc2026x_check_atapi_dma,
27213diff -urNp linux-2.6.32.48/drivers/ata/pata_platform.c linux-2.6.32.48/drivers/ata/pata_platform.c
27214--- linux-2.6.32.48/drivers/ata/pata_platform.c 2011-11-08 19:02:43.000000000 -0500
27215+++ linux-2.6.32.48/drivers/ata/pata_platform.c 2011-11-15 19:59:43.000000000 -0500
27216@@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
27217 ATA_PIO_SHT(DRV_NAME),
27218 };
27219
27220-static struct ata_port_operations pata_platform_port_ops = {
27221+static const struct ata_port_operations pata_platform_port_ops = {
27222 .inherits = &ata_sff_port_ops,
27223 .sff_data_xfer = ata_sff_data_xfer_noirq,
27224 .cable_detect = ata_cable_unknown,
27225diff -urNp linux-2.6.32.48/drivers/ata/pata_qdi.c linux-2.6.32.48/drivers/ata/pata_qdi.c
27226--- linux-2.6.32.48/drivers/ata/pata_qdi.c 2011-11-08 19:02:43.000000000 -0500
27227+++ linux-2.6.32.48/drivers/ata/pata_qdi.c 2011-11-15 19:59:43.000000000 -0500
27228@@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
27229 ATA_PIO_SHT(DRV_NAME),
27230 };
27231
27232-static struct ata_port_operations qdi6500_port_ops = {
27233+static const struct ata_port_operations qdi6500_port_ops = {
27234 .inherits = &ata_sff_port_ops,
27235 .qc_issue = qdi_qc_issue,
27236 .sff_data_xfer = qdi_data_xfer,
27237@@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
27238 .set_piomode = qdi6500_set_piomode,
27239 };
27240
27241-static struct ata_port_operations qdi6580_port_ops = {
27242+static const struct ata_port_operations qdi6580_port_ops = {
27243 .inherits = &qdi6500_port_ops,
27244 .set_piomode = qdi6580_set_piomode,
27245 };
27246diff -urNp linux-2.6.32.48/drivers/ata/pata_radisys.c linux-2.6.32.48/drivers/ata/pata_radisys.c
27247--- linux-2.6.32.48/drivers/ata/pata_radisys.c 2011-11-08 19:02:43.000000000 -0500
27248+++ linux-2.6.32.48/drivers/ata/pata_radisys.c 2011-11-15 19:59:43.000000000 -0500
27249@@ -187,7 +187,7 @@ static struct scsi_host_template radisys
27250 ATA_BMDMA_SHT(DRV_NAME),
27251 };
27252
27253-static struct ata_port_operations radisys_pata_ops = {
27254+static const struct ata_port_operations radisys_pata_ops = {
27255 .inherits = &ata_bmdma_port_ops,
27256 .qc_issue = radisys_qc_issue,
27257 .cable_detect = ata_cable_unknown,
27258diff -urNp linux-2.6.32.48/drivers/ata/pata_rb532_cf.c linux-2.6.32.48/drivers/ata/pata_rb532_cf.c
27259--- linux-2.6.32.48/drivers/ata/pata_rb532_cf.c 2011-11-08 19:02:43.000000000 -0500
27260+++ linux-2.6.32.48/drivers/ata/pata_rb532_cf.c 2011-11-15 19:59:43.000000000 -0500
27261@@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
27262 return IRQ_HANDLED;
27263 }
27264
27265-static struct ata_port_operations rb532_pata_port_ops = {
27266+static const struct ata_port_operations rb532_pata_port_ops = {
27267 .inherits = &ata_sff_port_ops,
27268 .sff_data_xfer = ata_sff_data_xfer32,
27269 };
27270diff -urNp linux-2.6.32.48/drivers/ata/pata_rdc.c linux-2.6.32.48/drivers/ata/pata_rdc.c
27271--- linux-2.6.32.48/drivers/ata/pata_rdc.c 2011-11-08 19:02:43.000000000 -0500
27272+++ linux-2.6.32.48/drivers/ata/pata_rdc.c 2011-11-15 19:59:43.000000000 -0500
27273@@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
27274 pci_write_config_byte(dev, 0x48, udma_enable);
27275 }
27276
27277-static struct ata_port_operations rdc_pata_ops = {
27278+static const struct ata_port_operations rdc_pata_ops = {
27279 .inherits = &ata_bmdma32_port_ops,
27280 .cable_detect = rdc_pata_cable_detect,
27281 .set_piomode = rdc_set_piomode,
27282diff -urNp linux-2.6.32.48/drivers/ata/pata_rz1000.c linux-2.6.32.48/drivers/ata/pata_rz1000.c
27283--- linux-2.6.32.48/drivers/ata/pata_rz1000.c 2011-11-08 19:02:43.000000000 -0500
27284+++ linux-2.6.32.48/drivers/ata/pata_rz1000.c 2011-11-15 19:59:43.000000000 -0500
27285@@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
27286 ATA_PIO_SHT(DRV_NAME),
27287 };
27288
27289-static struct ata_port_operations rz1000_port_ops = {
27290+static const struct ata_port_operations rz1000_port_ops = {
27291 .inherits = &ata_sff_port_ops,
27292 .cable_detect = ata_cable_40wire,
27293 .set_mode = rz1000_set_mode,
27294diff -urNp linux-2.6.32.48/drivers/ata/pata_sc1200.c linux-2.6.32.48/drivers/ata/pata_sc1200.c
27295--- linux-2.6.32.48/drivers/ata/pata_sc1200.c 2011-11-08 19:02:43.000000000 -0500
27296+++ linux-2.6.32.48/drivers/ata/pata_sc1200.c 2011-11-15 19:59:43.000000000 -0500
27297@@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
27298 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
27299 };
27300
27301-static struct ata_port_operations sc1200_port_ops = {
27302+static const struct ata_port_operations sc1200_port_ops = {
27303 .inherits = &ata_bmdma_port_ops,
27304 .qc_prep = ata_sff_dumb_qc_prep,
27305 .qc_issue = sc1200_qc_issue,
27306diff -urNp linux-2.6.32.48/drivers/ata/pata_scc.c linux-2.6.32.48/drivers/ata/pata_scc.c
27307--- linux-2.6.32.48/drivers/ata/pata_scc.c 2011-11-08 19:02:43.000000000 -0500
27308+++ linux-2.6.32.48/drivers/ata/pata_scc.c 2011-11-15 19:59:43.000000000 -0500
27309@@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
27310 ATA_BMDMA_SHT(DRV_NAME),
27311 };
27312
27313-static struct ata_port_operations scc_pata_ops = {
27314+static const struct ata_port_operations scc_pata_ops = {
27315 .inherits = &ata_bmdma_port_ops,
27316
27317 .set_piomode = scc_set_piomode,
27318diff -urNp linux-2.6.32.48/drivers/ata/pata_sch.c linux-2.6.32.48/drivers/ata/pata_sch.c
27319--- linux-2.6.32.48/drivers/ata/pata_sch.c 2011-11-08 19:02:43.000000000 -0500
27320+++ linux-2.6.32.48/drivers/ata/pata_sch.c 2011-11-15 19:59:43.000000000 -0500
27321@@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
27322 ATA_BMDMA_SHT(DRV_NAME),
27323 };
27324
27325-static struct ata_port_operations sch_pata_ops = {
27326+static const struct ata_port_operations sch_pata_ops = {
27327 .inherits = &ata_bmdma_port_ops,
27328 .cable_detect = ata_cable_unknown,
27329 .set_piomode = sch_set_piomode,
27330diff -urNp linux-2.6.32.48/drivers/ata/pata_serverworks.c linux-2.6.32.48/drivers/ata/pata_serverworks.c
27331--- linux-2.6.32.48/drivers/ata/pata_serverworks.c 2011-11-08 19:02:43.000000000 -0500
27332+++ linux-2.6.32.48/drivers/ata/pata_serverworks.c 2011-11-15 19:59:43.000000000 -0500
27333@@ -299,7 +299,7 @@ static struct scsi_host_template serverw
27334 ATA_BMDMA_SHT(DRV_NAME),
27335 };
27336
27337-static struct ata_port_operations serverworks_osb4_port_ops = {
27338+static const struct ata_port_operations serverworks_osb4_port_ops = {
27339 .inherits = &ata_bmdma_port_ops,
27340 .cable_detect = serverworks_cable_detect,
27341 .mode_filter = serverworks_osb4_filter,
27342@@ -307,7 +307,7 @@ static struct ata_port_operations server
27343 .set_dmamode = serverworks_set_dmamode,
27344 };
27345
27346-static struct ata_port_operations serverworks_csb_port_ops = {
27347+static const struct ata_port_operations serverworks_csb_port_ops = {
27348 .inherits = &serverworks_osb4_port_ops,
27349 .mode_filter = serverworks_csb_filter,
27350 };
27351diff -urNp linux-2.6.32.48/drivers/ata/pata_sil680.c linux-2.6.32.48/drivers/ata/pata_sil680.c
27352--- linux-2.6.32.48/drivers/ata/pata_sil680.c 2011-11-08 19:02:43.000000000 -0500
27353+++ linux-2.6.32.48/drivers/ata/pata_sil680.c 2011-11-15 19:59:43.000000000 -0500
27354@@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
27355 ATA_BMDMA_SHT(DRV_NAME),
27356 };
27357
27358-static struct ata_port_operations sil680_port_ops = {
27359+static const struct ata_port_operations sil680_port_ops = {
27360 .inherits = &ata_bmdma32_port_ops,
27361 .cable_detect = sil680_cable_detect,
27362 .set_piomode = sil680_set_piomode,
27363diff -urNp linux-2.6.32.48/drivers/ata/pata_sis.c linux-2.6.32.48/drivers/ata/pata_sis.c
27364--- linux-2.6.32.48/drivers/ata/pata_sis.c 2011-11-08 19:02:43.000000000 -0500
27365+++ linux-2.6.32.48/drivers/ata/pata_sis.c 2011-11-15 19:59:43.000000000 -0500
27366@@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
27367 ATA_BMDMA_SHT(DRV_NAME),
27368 };
27369
27370-static struct ata_port_operations sis_133_for_sata_ops = {
27371+static const struct ata_port_operations sis_133_for_sata_ops = {
27372 .inherits = &ata_bmdma_port_ops,
27373 .set_piomode = sis_133_set_piomode,
27374 .set_dmamode = sis_133_set_dmamode,
27375 .cable_detect = sis_133_cable_detect,
27376 };
27377
27378-static struct ata_port_operations sis_base_ops = {
27379+static const struct ata_port_operations sis_base_ops = {
27380 .inherits = &ata_bmdma_port_ops,
27381 .prereset = sis_pre_reset,
27382 };
27383
27384-static struct ata_port_operations sis_133_ops = {
27385+static const struct ata_port_operations sis_133_ops = {
27386 .inherits = &sis_base_ops,
27387 .set_piomode = sis_133_set_piomode,
27388 .set_dmamode = sis_133_set_dmamode,
27389 .cable_detect = sis_133_cable_detect,
27390 };
27391
27392-static struct ata_port_operations sis_133_early_ops = {
27393+static const struct ata_port_operations sis_133_early_ops = {
27394 .inherits = &sis_base_ops,
27395 .set_piomode = sis_100_set_piomode,
27396 .set_dmamode = sis_133_early_set_dmamode,
27397 .cable_detect = sis_66_cable_detect,
27398 };
27399
27400-static struct ata_port_operations sis_100_ops = {
27401+static const struct ata_port_operations sis_100_ops = {
27402 .inherits = &sis_base_ops,
27403 .set_piomode = sis_100_set_piomode,
27404 .set_dmamode = sis_100_set_dmamode,
27405 .cable_detect = sis_66_cable_detect,
27406 };
27407
27408-static struct ata_port_operations sis_66_ops = {
27409+static const struct ata_port_operations sis_66_ops = {
27410 .inherits = &sis_base_ops,
27411 .set_piomode = sis_old_set_piomode,
27412 .set_dmamode = sis_66_set_dmamode,
27413 .cable_detect = sis_66_cable_detect,
27414 };
27415
27416-static struct ata_port_operations sis_old_ops = {
27417+static const struct ata_port_operations sis_old_ops = {
27418 .inherits = &sis_base_ops,
27419 .set_piomode = sis_old_set_piomode,
27420 .set_dmamode = sis_old_set_dmamode,
27421diff -urNp linux-2.6.32.48/drivers/ata/pata_sl82c105.c linux-2.6.32.48/drivers/ata/pata_sl82c105.c
27422--- linux-2.6.32.48/drivers/ata/pata_sl82c105.c 2011-11-08 19:02:43.000000000 -0500
27423+++ linux-2.6.32.48/drivers/ata/pata_sl82c105.c 2011-11-15 19:59:43.000000000 -0500
27424@@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
27425 ATA_BMDMA_SHT(DRV_NAME),
27426 };
27427
27428-static struct ata_port_operations sl82c105_port_ops = {
27429+static const struct ata_port_operations sl82c105_port_ops = {
27430 .inherits = &ata_bmdma_port_ops,
27431 .qc_defer = sl82c105_qc_defer,
27432 .bmdma_start = sl82c105_bmdma_start,
27433diff -urNp linux-2.6.32.48/drivers/ata/pata_triflex.c linux-2.6.32.48/drivers/ata/pata_triflex.c
27434--- linux-2.6.32.48/drivers/ata/pata_triflex.c 2011-11-08 19:02:43.000000000 -0500
27435+++ linux-2.6.32.48/drivers/ata/pata_triflex.c 2011-11-15 19:59:43.000000000 -0500
27436@@ -178,7 +178,7 @@ static struct scsi_host_template triflex
27437 ATA_BMDMA_SHT(DRV_NAME),
27438 };
27439
27440-static struct ata_port_operations triflex_port_ops = {
27441+static const struct ata_port_operations triflex_port_ops = {
27442 .inherits = &ata_bmdma_port_ops,
27443 .bmdma_start = triflex_bmdma_start,
27444 .bmdma_stop = triflex_bmdma_stop,
27445diff -urNp linux-2.6.32.48/drivers/ata/pata_via.c linux-2.6.32.48/drivers/ata/pata_via.c
27446--- linux-2.6.32.48/drivers/ata/pata_via.c 2011-11-08 19:02:43.000000000 -0500
27447+++ linux-2.6.32.48/drivers/ata/pata_via.c 2011-11-15 19:59:43.000000000 -0500
27448@@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
27449 ATA_BMDMA_SHT(DRV_NAME),
27450 };
27451
27452-static struct ata_port_operations via_port_ops = {
27453+static const struct ata_port_operations via_port_ops = {
27454 .inherits = &ata_bmdma_port_ops,
27455 .cable_detect = via_cable_detect,
27456 .set_piomode = via_set_piomode,
27457@@ -429,7 +429,7 @@ static struct ata_port_operations via_po
27458 .port_start = via_port_start,
27459 };
27460
27461-static struct ata_port_operations via_port_ops_noirq = {
27462+static const struct ata_port_operations via_port_ops_noirq = {
27463 .inherits = &via_port_ops,
27464 .sff_data_xfer = ata_sff_data_xfer_noirq,
27465 };
27466diff -urNp linux-2.6.32.48/drivers/ata/pata_winbond.c linux-2.6.32.48/drivers/ata/pata_winbond.c
27467--- linux-2.6.32.48/drivers/ata/pata_winbond.c 2011-11-08 19:02:43.000000000 -0500
27468+++ linux-2.6.32.48/drivers/ata/pata_winbond.c 2011-11-15 19:59:43.000000000 -0500
27469@@ -125,7 +125,7 @@ static struct scsi_host_template winbond
27470 ATA_PIO_SHT(DRV_NAME),
27471 };
27472
27473-static struct ata_port_operations winbond_port_ops = {
27474+static const struct ata_port_operations winbond_port_ops = {
27475 .inherits = &ata_sff_port_ops,
27476 .sff_data_xfer = winbond_data_xfer,
27477 .cable_detect = ata_cable_40wire,
27478diff -urNp linux-2.6.32.48/drivers/ata/pdc_adma.c linux-2.6.32.48/drivers/ata/pdc_adma.c
27479--- linux-2.6.32.48/drivers/ata/pdc_adma.c 2011-11-08 19:02:43.000000000 -0500
27480+++ linux-2.6.32.48/drivers/ata/pdc_adma.c 2011-11-15 19:59:43.000000000 -0500
27481@@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
27482 .dma_boundary = ADMA_DMA_BOUNDARY,
27483 };
27484
27485-static struct ata_port_operations adma_ata_ops = {
27486+static const struct ata_port_operations adma_ata_ops = {
27487 .inherits = &ata_sff_port_ops,
27488
27489 .lost_interrupt = ATA_OP_NULL,
27490diff -urNp linux-2.6.32.48/drivers/ata/sata_fsl.c linux-2.6.32.48/drivers/ata/sata_fsl.c
27491--- linux-2.6.32.48/drivers/ata/sata_fsl.c 2011-11-08 19:02:43.000000000 -0500
27492+++ linux-2.6.32.48/drivers/ata/sata_fsl.c 2011-11-15 19:59:43.000000000 -0500
27493@@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
27494 .dma_boundary = ATA_DMA_BOUNDARY,
27495 };
27496
27497-static struct ata_port_operations sata_fsl_ops = {
27498+static const struct ata_port_operations sata_fsl_ops = {
27499 .inherits = &sata_pmp_port_ops,
27500
27501 .qc_defer = ata_std_qc_defer,
27502diff -urNp linux-2.6.32.48/drivers/ata/sata_inic162x.c linux-2.6.32.48/drivers/ata/sata_inic162x.c
27503--- linux-2.6.32.48/drivers/ata/sata_inic162x.c 2011-11-08 19:02:43.000000000 -0500
27504+++ linux-2.6.32.48/drivers/ata/sata_inic162x.c 2011-11-15 19:59:43.000000000 -0500
27505@@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
27506 return 0;
27507 }
27508
27509-static struct ata_port_operations inic_port_ops = {
27510+static const struct ata_port_operations inic_port_ops = {
27511 .inherits = &sata_port_ops,
27512
27513 .check_atapi_dma = inic_check_atapi_dma,
27514diff -urNp linux-2.6.32.48/drivers/ata/sata_mv.c linux-2.6.32.48/drivers/ata/sata_mv.c
27515--- linux-2.6.32.48/drivers/ata/sata_mv.c 2011-11-08 19:02:43.000000000 -0500
27516+++ linux-2.6.32.48/drivers/ata/sata_mv.c 2011-11-15 19:59:43.000000000 -0500
27517@@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
27518 .dma_boundary = MV_DMA_BOUNDARY,
27519 };
27520
27521-static struct ata_port_operations mv5_ops = {
27522+static const struct ata_port_operations mv5_ops = {
27523 .inherits = &ata_sff_port_ops,
27524
27525 .lost_interrupt = ATA_OP_NULL,
27526@@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
27527 .port_stop = mv_port_stop,
27528 };
27529
27530-static struct ata_port_operations mv6_ops = {
27531+static const struct ata_port_operations mv6_ops = {
27532 .inherits = &mv5_ops,
27533 .dev_config = mv6_dev_config,
27534 .scr_read = mv_scr_read,
27535@@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
27536 .bmdma_status = mv_bmdma_status,
27537 };
27538
27539-static struct ata_port_operations mv_iie_ops = {
27540+static const struct ata_port_operations mv_iie_ops = {
27541 .inherits = &mv6_ops,
27542 .dev_config = ATA_OP_NULL,
27543 .qc_prep = mv_qc_prep_iie,
27544diff -urNp linux-2.6.32.48/drivers/ata/sata_nv.c linux-2.6.32.48/drivers/ata/sata_nv.c
27545--- linux-2.6.32.48/drivers/ata/sata_nv.c 2011-11-08 19:02:43.000000000 -0500
27546+++ linux-2.6.32.48/drivers/ata/sata_nv.c 2011-11-15 19:59:43.000000000 -0500
27547@@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
27548 * cases. Define nv_hardreset() which only kicks in for post-boot
27549 * probing and use it for all variants.
27550 */
27551-static struct ata_port_operations nv_generic_ops = {
27552+static const struct ata_port_operations nv_generic_ops = {
27553 .inherits = &ata_bmdma_port_ops,
27554 .lost_interrupt = ATA_OP_NULL,
27555 .scr_read = nv_scr_read,
27556@@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
27557 .hardreset = nv_hardreset,
27558 };
27559
27560-static struct ata_port_operations nv_nf2_ops = {
27561+static const struct ata_port_operations nv_nf2_ops = {
27562 .inherits = &nv_generic_ops,
27563 .freeze = nv_nf2_freeze,
27564 .thaw = nv_nf2_thaw,
27565 };
27566
27567-static struct ata_port_operations nv_ck804_ops = {
27568+static const struct ata_port_operations nv_ck804_ops = {
27569 .inherits = &nv_generic_ops,
27570 .freeze = nv_ck804_freeze,
27571 .thaw = nv_ck804_thaw,
27572 .host_stop = nv_ck804_host_stop,
27573 };
27574
27575-static struct ata_port_operations nv_adma_ops = {
27576+static const struct ata_port_operations nv_adma_ops = {
27577 .inherits = &nv_ck804_ops,
27578
27579 .check_atapi_dma = nv_adma_check_atapi_dma,
27580@@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
27581 .host_stop = nv_adma_host_stop,
27582 };
27583
27584-static struct ata_port_operations nv_swncq_ops = {
27585+static const struct ata_port_operations nv_swncq_ops = {
27586 .inherits = &nv_generic_ops,
27587
27588 .qc_defer = ata_std_qc_defer,
27589diff -urNp linux-2.6.32.48/drivers/ata/sata_promise.c linux-2.6.32.48/drivers/ata/sata_promise.c
27590--- linux-2.6.32.48/drivers/ata/sata_promise.c 2011-11-08 19:02:43.000000000 -0500
27591+++ linux-2.6.32.48/drivers/ata/sata_promise.c 2011-11-15 19:59:43.000000000 -0500
27592@@ -195,7 +195,7 @@ static const struct ata_port_operations
27593 .error_handler = pdc_error_handler,
27594 };
27595
27596-static struct ata_port_operations pdc_sata_ops = {
27597+static const struct ata_port_operations pdc_sata_ops = {
27598 .inherits = &pdc_common_ops,
27599 .cable_detect = pdc_sata_cable_detect,
27600 .freeze = pdc_sata_freeze,
27601@@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
27602
27603 /* First-generation chips need a more restrictive ->check_atapi_dma op,
27604 and ->freeze/thaw that ignore the hotplug controls. */
27605-static struct ata_port_operations pdc_old_sata_ops = {
27606+static const struct ata_port_operations pdc_old_sata_ops = {
27607 .inherits = &pdc_sata_ops,
27608 .freeze = pdc_freeze,
27609 .thaw = pdc_thaw,
27610 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
27611 };
27612
27613-static struct ata_port_operations pdc_pata_ops = {
27614+static const struct ata_port_operations pdc_pata_ops = {
27615 .inherits = &pdc_common_ops,
27616 .cable_detect = pdc_pata_cable_detect,
27617 .freeze = pdc_freeze,
27618diff -urNp linux-2.6.32.48/drivers/ata/sata_qstor.c linux-2.6.32.48/drivers/ata/sata_qstor.c
27619--- linux-2.6.32.48/drivers/ata/sata_qstor.c 2011-11-08 19:02:43.000000000 -0500
27620+++ linux-2.6.32.48/drivers/ata/sata_qstor.c 2011-11-15 19:59:43.000000000 -0500
27621@@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
27622 .dma_boundary = QS_DMA_BOUNDARY,
27623 };
27624
27625-static struct ata_port_operations qs_ata_ops = {
27626+static const struct ata_port_operations qs_ata_ops = {
27627 .inherits = &ata_sff_port_ops,
27628
27629 .check_atapi_dma = qs_check_atapi_dma,
27630diff -urNp linux-2.6.32.48/drivers/ata/sata_sil24.c linux-2.6.32.48/drivers/ata/sata_sil24.c
27631--- linux-2.6.32.48/drivers/ata/sata_sil24.c 2011-11-08 19:02:43.000000000 -0500
27632+++ linux-2.6.32.48/drivers/ata/sata_sil24.c 2011-11-15 19:59:43.000000000 -0500
27633@@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
27634 .dma_boundary = ATA_DMA_BOUNDARY,
27635 };
27636
27637-static struct ata_port_operations sil24_ops = {
27638+static const struct ata_port_operations sil24_ops = {
27639 .inherits = &sata_pmp_port_ops,
27640
27641 .qc_defer = sil24_qc_defer,
27642diff -urNp linux-2.6.32.48/drivers/ata/sata_sil.c linux-2.6.32.48/drivers/ata/sata_sil.c
27643--- linux-2.6.32.48/drivers/ata/sata_sil.c 2011-11-08 19:02:43.000000000 -0500
27644+++ linux-2.6.32.48/drivers/ata/sata_sil.c 2011-11-15 19:59:43.000000000 -0500
27645@@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
27646 .sg_tablesize = ATA_MAX_PRD
27647 };
27648
27649-static struct ata_port_operations sil_ops = {
27650+static const struct ata_port_operations sil_ops = {
27651 .inherits = &ata_bmdma32_port_ops,
27652 .dev_config = sil_dev_config,
27653 .set_mode = sil_set_mode,
27654diff -urNp linux-2.6.32.48/drivers/ata/sata_sis.c linux-2.6.32.48/drivers/ata/sata_sis.c
27655--- linux-2.6.32.48/drivers/ata/sata_sis.c 2011-11-08 19:02:43.000000000 -0500
27656+++ linux-2.6.32.48/drivers/ata/sata_sis.c 2011-11-15 19:59:43.000000000 -0500
27657@@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
27658 ATA_BMDMA_SHT(DRV_NAME),
27659 };
27660
27661-static struct ata_port_operations sis_ops = {
27662+static const struct ata_port_operations sis_ops = {
27663 .inherits = &ata_bmdma_port_ops,
27664 .scr_read = sis_scr_read,
27665 .scr_write = sis_scr_write,
27666diff -urNp linux-2.6.32.48/drivers/ata/sata_svw.c linux-2.6.32.48/drivers/ata/sata_svw.c
27667--- linux-2.6.32.48/drivers/ata/sata_svw.c 2011-11-08 19:02:43.000000000 -0500
27668+++ linux-2.6.32.48/drivers/ata/sata_svw.c 2011-11-15 19:59:43.000000000 -0500
27669@@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
27670 };
27671
27672
27673-static struct ata_port_operations k2_sata_ops = {
27674+static const struct ata_port_operations k2_sata_ops = {
27675 .inherits = &ata_bmdma_port_ops,
27676 .sff_tf_load = k2_sata_tf_load,
27677 .sff_tf_read = k2_sata_tf_read,
27678diff -urNp linux-2.6.32.48/drivers/ata/sata_sx4.c linux-2.6.32.48/drivers/ata/sata_sx4.c
27679--- linux-2.6.32.48/drivers/ata/sata_sx4.c 2011-11-08 19:02:43.000000000 -0500
27680+++ linux-2.6.32.48/drivers/ata/sata_sx4.c 2011-11-15 19:59:43.000000000 -0500
27681@@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
27682 };
27683
27684 /* TODO: inherit from base port_ops after converting to new EH */
27685-static struct ata_port_operations pdc_20621_ops = {
27686+static const struct ata_port_operations pdc_20621_ops = {
27687 .inherits = &ata_sff_port_ops,
27688
27689 .check_atapi_dma = pdc_check_atapi_dma,
27690diff -urNp linux-2.6.32.48/drivers/ata/sata_uli.c linux-2.6.32.48/drivers/ata/sata_uli.c
27691--- linux-2.6.32.48/drivers/ata/sata_uli.c 2011-11-08 19:02:43.000000000 -0500
27692+++ linux-2.6.32.48/drivers/ata/sata_uli.c 2011-11-15 19:59:43.000000000 -0500
27693@@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
27694 ATA_BMDMA_SHT(DRV_NAME),
27695 };
27696
27697-static struct ata_port_operations uli_ops = {
27698+static const struct ata_port_operations uli_ops = {
27699 .inherits = &ata_bmdma_port_ops,
27700 .scr_read = uli_scr_read,
27701 .scr_write = uli_scr_write,
27702diff -urNp linux-2.6.32.48/drivers/ata/sata_via.c linux-2.6.32.48/drivers/ata/sata_via.c
27703--- linux-2.6.32.48/drivers/ata/sata_via.c 2011-11-08 19:02:43.000000000 -0500
27704+++ linux-2.6.32.48/drivers/ata/sata_via.c 2011-11-15 19:59:43.000000000 -0500
27705@@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
27706 ATA_BMDMA_SHT(DRV_NAME),
27707 };
27708
27709-static struct ata_port_operations svia_base_ops = {
27710+static const struct ata_port_operations svia_base_ops = {
27711 .inherits = &ata_bmdma_port_ops,
27712 .sff_tf_load = svia_tf_load,
27713 };
27714
27715-static struct ata_port_operations vt6420_sata_ops = {
27716+static const struct ata_port_operations vt6420_sata_ops = {
27717 .inherits = &svia_base_ops,
27718 .freeze = svia_noop_freeze,
27719 .prereset = vt6420_prereset,
27720 .bmdma_start = vt6420_bmdma_start,
27721 };
27722
27723-static struct ata_port_operations vt6421_pata_ops = {
27724+static const struct ata_port_operations vt6421_pata_ops = {
27725 .inherits = &svia_base_ops,
27726 .cable_detect = vt6421_pata_cable_detect,
27727 .set_piomode = vt6421_set_pio_mode,
27728 .set_dmamode = vt6421_set_dma_mode,
27729 };
27730
27731-static struct ata_port_operations vt6421_sata_ops = {
27732+static const struct ata_port_operations vt6421_sata_ops = {
27733 .inherits = &svia_base_ops,
27734 .scr_read = svia_scr_read,
27735 .scr_write = svia_scr_write,
27736 };
27737
27738-static struct ata_port_operations vt8251_ops = {
27739+static const struct ata_port_operations vt8251_ops = {
27740 .inherits = &svia_base_ops,
27741 .hardreset = sata_std_hardreset,
27742 .scr_read = vt8251_scr_read,
27743diff -urNp linux-2.6.32.48/drivers/ata/sata_vsc.c linux-2.6.32.48/drivers/ata/sata_vsc.c
27744--- linux-2.6.32.48/drivers/ata/sata_vsc.c 2011-11-08 19:02:43.000000000 -0500
27745+++ linux-2.6.32.48/drivers/ata/sata_vsc.c 2011-11-15 19:59:43.000000000 -0500
27746@@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
27747 };
27748
27749
27750-static struct ata_port_operations vsc_sata_ops = {
27751+static const struct ata_port_operations vsc_sata_ops = {
27752 .inherits = &ata_bmdma_port_ops,
27753 /* The IRQ handling is not quite standard SFF behaviour so we
27754 cannot use the default lost interrupt handler */
27755diff -urNp linux-2.6.32.48/drivers/atm/adummy.c linux-2.6.32.48/drivers/atm/adummy.c
27756--- linux-2.6.32.48/drivers/atm/adummy.c 2011-11-08 19:02:43.000000000 -0500
27757+++ linux-2.6.32.48/drivers/atm/adummy.c 2011-11-15 19:59:43.000000000 -0500
27758@@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
27759 vcc->pop(vcc, skb);
27760 else
27761 dev_kfree_skb_any(skb);
27762- atomic_inc(&vcc->stats->tx);
27763+ atomic_inc_unchecked(&vcc->stats->tx);
27764
27765 return 0;
27766 }
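Review bot: The switch to `atomic_inc_unchecked()` on `vcc->stats->tx` does not say why this counter is exempt from overflow checking. It also only compiles if the `stats` members are declared with the matching unchecked atomic type elsewhere in the patch, which is not visible here. Judging by the field names these are traffic statistics whose wraparound is harmless, which is presumably the rationale, but a comment should state it, for example `/* statistics only, never used for object lifetime: wrap is acceptable */`. The same applies to the `tx`, `rx`, `rx_drop`, `rx_err` and `tx_err` increments in the ATM driver hunks that follow (ambassador.c, atmtcp.c, eni.c). A reviewer should confirm that no reader of these fields uses them as a reference count, since the unchecked variant gives up overflow detection.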
27767diff -urNp linux-2.6.32.48/drivers/atm/ambassador.c linux-2.6.32.48/drivers/atm/ambassador.c
27768--- linux-2.6.32.48/drivers/atm/ambassador.c 2011-11-08 19:02:43.000000000 -0500
27769+++ linux-2.6.32.48/drivers/atm/ambassador.c 2011-11-15 19:59:43.000000000 -0500
27770@@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
27771 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
27772
27773 // VC layer stats
27774- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27775+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27776
27777 // free the descriptor
27778 kfree (tx_descr);
27779@@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
27780 dump_skb ("<<<", vc, skb);
27781
27782 // VC layer stats
27783- atomic_inc(&atm_vcc->stats->rx);
27784+ atomic_inc_unchecked(&atm_vcc->stats->rx);
27785 __net_timestamp(skb);
27786 // end of our responsability
27787 atm_vcc->push (atm_vcc, skb);
27788@@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
27789 } else {
27790 PRINTK (KERN_INFO, "dropped over-size frame");
27791 // should we count this?
27792- atomic_inc(&atm_vcc->stats->rx_drop);
27793+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27794 }
27795
27796 } else {
27797@@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
27798 }
27799
27800 if (check_area (skb->data, skb->len)) {
27801- atomic_inc(&atm_vcc->stats->tx_err);
27802+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
27803 return -ENOMEM; // ?
27804 }
27805
27806diff -urNp linux-2.6.32.48/drivers/atm/atmtcp.c linux-2.6.32.48/drivers/atm/atmtcp.c
27807--- linux-2.6.32.48/drivers/atm/atmtcp.c 2011-11-08 19:02:43.000000000 -0500
27808+++ linux-2.6.32.48/drivers/atm/atmtcp.c 2011-11-15 19:59:43.000000000 -0500
27809@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
27810 if (vcc->pop) vcc->pop(vcc,skb);
27811 else dev_kfree_skb(skb);
27812 if (dev_data) return 0;
27813- atomic_inc(&vcc->stats->tx_err);
27814+ atomic_inc_unchecked(&vcc->stats->tx_err);
27815 return -ENOLINK;
27816 }
27817 size = skb->len+sizeof(struct atmtcp_hdr);
27818@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
27819 if (!new_skb) {
27820 if (vcc->pop) vcc->pop(vcc,skb);
27821 else dev_kfree_skb(skb);
27822- atomic_inc(&vcc->stats->tx_err);
27823+ atomic_inc_unchecked(&vcc->stats->tx_err);
27824 return -ENOBUFS;
27825 }
27826 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
27827@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
27828 if (vcc->pop) vcc->pop(vcc,skb);
27829 else dev_kfree_skb(skb);
27830 out_vcc->push(out_vcc,new_skb);
27831- atomic_inc(&vcc->stats->tx);
27832- atomic_inc(&out_vcc->stats->rx);
27833+ atomic_inc_unchecked(&vcc->stats->tx);
27834+ atomic_inc_unchecked(&out_vcc->stats->rx);
27835 return 0;
27836 }
27837
27838@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
27839 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
27840 read_unlock(&vcc_sklist_lock);
27841 if (!out_vcc) {
27842- atomic_inc(&vcc->stats->tx_err);
27843+ atomic_inc_unchecked(&vcc->stats->tx_err);
27844 goto done;
27845 }
27846 skb_pull(skb,sizeof(struct atmtcp_hdr));
27847@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
27848 __net_timestamp(new_skb);
27849 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
27850 out_vcc->push(out_vcc,new_skb);
27851- atomic_inc(&vcc->stats->tx);
27852- atomic_inc(&out_vcc->stats->rx);
27853+ atomic_inc_unchecked(&vcc->stats->tx);
27854+ atomic_inc_unchecked(&out_vcc->stats->rx);
27855 done:
27856 if (vcc->pop) vcc->pop(vcc,skb);
27857 else dev_kfree_skb(skb);
27858diff -urNp linux-2.6.32.48/drivers/atm/eni.c linux-2.6.32.48/drivers/atm/eni.c
27859--- linux-2.6.32.48/drivers/atm/eni.c 2011-11-08 19:02:43.000000000 -0500
27860+++ linux-2.6.32.48/drivers/atm/eni.c 2011-11-18 18:01:52.000000000 -0500
27861@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
27862 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
27863 vcc->dev->number);
27864 length = 0;
27865- atomic_inc(&vcc->stats->rx_err);
27866+ atomic_inc_unchecked(&vcc->stats->rx_err);
27867 }
27868 else {
27869 length = ATM_CELL_SIZE-1; /* no HEC */
27870@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27871 size);
27872 }
27873 eff = length = 0;
27874- atomic_inc(&vcc->stats->rx_err);
27875+ atomic_inc_unchecked(&vcc->stats->rx_err);
27876 }
27877 else {
27878 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
27879@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
27880 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
27881 vcc->dev->number,vcc->vci,length,size << 2,descr);
27882 length = eff = 0;
27883- atomic_inc(&vcc->stats->rx_err);
27884+ atomic_inc_unchecked(&vcc->stats->rx_err);
27885 }
27886 }
27887 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
27888@@ -770,7 +770,7 @@ rx_dequeued++;
27889 vcc->push(vcc,skb);
27890 pushed++;
27891 }
27892- atomic_inc(&vcc->stats->rx);
27893+ atomic_inc_unchecked(&vcc->stats->rx);
27894 }
27895 wake_up(&eni_dev->rx_wait);
27896 }
27897@@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
27898 PCI_DMA_TODEVICE);
27899 if (vcc->pop) vcc->pop(vcc,skb);
27900 else dev_kfree_skb_irq(skb);
27901- atomic_inc(&vcc->stats->tx);
27902+ atomic_inc_unchecked(&vcc->stats->tx);
27903 wake_up(&eni_dev->tx_wait);
27904 dma_complete++;
27905 }
27906@@ -1570,7 +1570,7 @@ tx_complete++;
27907 /*--------------------------------- entries ---------------------------------*/
27908
27909
27910-static const char *media_name[] __devinitdata = {
27911+static const char *media_name[] __devinitconst = {
27912 "MMF", "SMF", "MMF", "03?", /* 0- 3 */
27913 "UTP", "05?", "06?", "07?", /* 4- 7 */
27914 "TAXI","09?", "10?", "11?", /* 8-11 */
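Review bot: The new `media_name` declaration carries `__devinitconst`, but `static const char *media_name[]` only makes the pointed-to strings const; the array of pointers itself stays writable. An object placed in a const init section should be const itself, otherwise gcc can report a section type conflict, and the table is not actually protected from modification. The declaration would be better as `static const char * const media_name[] __devinitconst = {`. The initializer continues outside the hunk, so any writes to the array elsewhere in eni.c cannot be ruled out from here.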
27915diff -urNp linux-2.6.32.48/drivers/atm/firestream.c linux-2.6.32.48/drivers/atm/firestream.c
27916--- linux-2.6.32.48/drivers/atm/firestream.c 2011-11-08 19:02:43.000000000 -0500
27917+++ linux-2.6.32.48/drivers/atm/firestream.c 2011-11-15 19:59:43.000000000 -0500
27918@@ -748,7 +748,7 @@ static void process_txdone_queue (struct
27919 }
27920 }
27921
27922- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
27923+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
27924
27925 fs_dprintk (FS_DEBUG_TXMEM, "i");
27926 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
27927@@ -815,7 +815,7 @@ static void process_incoming (struct fs_
27928 #endif
27929 skb_put (skb, qe->p1 & 0xffff);
27930 ATM_SKB(skb)->vcc = atm_vcc;
27931- atomic_inc(&atm_vcc->stats->rx);
27932+ atomic_inc_unchecked(&atm_vcc->stats->rx);
27933 __net_timestamp(skb);
27934 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
27935 atm_vcc->push (atm_vcc, skb);
27936@@ -836,12 +836,12 @@ static void process_incoming (struct fs_
27937 kfree (pe);
27938 }
27939 if (atm_vcc)
27940- atomic_inc(&atm_vcc->stats->rx_drop);
27941+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27942 break;
27943 case 0x1f: /* Reassembly abort: no buffers. */
27944 /* Silently increment error counter. */
27945 if (atm_vcc)
27946- atomic_inc(&atm_vcc->stats->rx_drop);
27947+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
27948 break;
27949 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
27950 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
27951diff -urNp linux-2.6.32.48/drivers/atm/fore200e.c linux-2.6.32.48/drivers/atm/fore200e.c
27952--- linux-2.6.32.48/drivers/atm/fore200e.c 2011-11-08 19:02:43.000000000 -0500
27953+++ linux-2.6.32.48/drivers/atm/fore200e.c 2011-11-15 19:59:43.000000000 -0500
27954@@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
27955 #endif
27956 /* check error condition */
27957 if (*entry->status & STATUS_ERROR)
27958- atomic_inc(&vcc->stats->tx_err);
27959+ atomic_inc_unchecked(&vcc->stats->tx_err);
27960 else
27961- atomic_inc(&vcc->stats->tx);
27962+ atomic_inc_unchecked(&vcc->stats->tx);
27963 }
27964 }
27965
27966@@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
27967 if (skb == NULL) {
27968 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
27969
27970- atomic_inc(&vcc->stats->rx_drop);
27971+ atomic_inc_unchecked(&vcc->stats->rx_drop);
27972 return -ENOMEM;
27973 }
27974
27975@@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
27976
27977 dev_kfree_skb_any(skb);
27978
27979- atomic_inc(&vcc->stats->rx_drop);
27980+ atomic_inc_unchecked(&vcc->stats->rx_drop);
27981 return -ENOMEM;
27982 }
27983
27984 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27985
27986 vcc->push(vcc, skb);
27987- atomic_inc(&vcc->stats->rx);
27988+ atomic_inc_unchecked(&vcc->stats->rx);
27989
27990 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
27991
27992@@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
27993 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
27994 fore200e->atm_dev->number,
27995 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
27996- atomic_inc(&vcc->stats->rx_err);
27997+ atomic_inc_unchecked(&vcc->stats->rx_err);
27998 }
27999 }
28000
28001@@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
28002 goto retry_here;
28003 }
28004
28005- atomic_inc(&vcc->stats->tx_err);
28006+ atomic_inc_unchecked(&vcc->stats->tx_err);
28007
28008 fore200e->tx_sat++;
28009 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
28010diff -urNp linux-2.6.32.48/drivers/atm/he.c linux-2.6.32.48/drivers/atm/he.c
28011--- linux-2.6.32.48/drivers/atm/he.c 2011-11-08 19:02:43.000000000 -0500
28012+++ linux-2.6.32.48/drivers/atm/he.c 2011-11-15 19:59:43.000000000 -0500
28013@@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28014
28015 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
28016 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
28017- atomic_inc(&vcc->stats->rx_drop);
28018+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28019 goto return_host_buffers;
28020 }
28021
28022@@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28023 RBRQ_LEN_ERR(he_dev->rbrq_head)
28024 ? "LEN_ERR" : "",
28025 vcc->vpi, vcc->vci);
28026- atomic_inc(&vcc->stats->rx_err);
28027+ atomic_inc_unchecked(&vcc->stats->rx_err);
28028 goto return_host_buffers;
28029 }
28030
28031@@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
28032 vcc->push(vcc, skb);
28033 spin_lock(&he_dev->global_lock);
28034
28035- atomic_inc(&vcc->stats->rx);
28036+ atomic_inc_unchecked(&vcc->stats->rx);
28037
28038 return_host_buffers:
28039 ++pdus_assembled;
28040@@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
28041 tpd->vcc->pop(tpd->vcc, tpd->skb);
28042 else
28043 dev_kfree_skb_any(tpd->skb);
28044- atomic_inc(&tpd->vcc->stats->tx_err);
28045+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
28046 }
28047 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
28048 return;
28049@@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28050 vcc->pop(vcc, skb);
28051 else
28052 dev_kfree_skb_any(skb);
28053- atomic_inc(&vcc->stats->tx_err);
28054+ atomic_inc_unchecked(&vcc->stats->tx_err);
28055 return -EINVAL;
28056 }
28057
28058@@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28059 vcc->pop(vcc, skb);
28060 else
28061 dev_kfree_skb_any(skb);
28062- atomic_inc(&vcc->stats->tx_err);
28063+ atomic_inc_unchecked(&vcc->stats->tx_err);
28064 return -EINVAL;
28065 }
28066 #endif
28067@@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28068 vcc->pop(vcc, skb);
28069 else
28070 dev_kfree_skb_any(skb);
28071- atomic_inc(&vcc->stats->tx_err);
28072+ atomic_inc_unchecked(&vcc->stats->tx_err);
28073 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28074 return -ENOMEM;
28075 }
28076@@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28077 vcc->pop(vcc, skb);
28078 else
28079 dev_kfree_skb_any(skb);
28080- atomic_inc(&vcc->stats->tx_err);
28081+ atomic_inc_unchecked(&vcc->stats->tx_err);
28082 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28083 return -ENOMEM;
28084 }
28085@@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
28086 __enqueue_tpd(he_dev, tpd, cid);
28087 spin_unlock_irqrestore(&he_dev->global_lock, flags);
28088
28089- atomic_inc(&vcc->stats->tx);
28090+ atomic_inc_unchecked(&vcc->stats->tx);
28091
28092 return 0;
28093 }
28094diff -urNp linux-2.6.32.48/drivers/atm/horizon.c linux-2.6.32.48/drivers/atm/horizon.c
28095--- linux-2.6.32.48/drivers/atm/horizon.c 2011-11-08 19:02:43.000000000 -0500
28096+++ linux-2.6.32.48/drivers/atm/horizon.c 2011-11-15 19:59:43.000000000 -0500
28097@@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
28098 {
28099 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
28100 // VC layer stats
28101- atomic_inc(&vcc->stats->rx);
28102+ atomic_inc_unchecked(&vcc->stats->rx);
28103 __net_timestamp(skb);
28104 // end of our responsability
28105 vcc->push (vcc, skb);
28106@@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
28107 dev->tx_iovec = NULL;
28108
28109 // VC layer stats
28110- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
28111+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
28112
28113 // free the skb
28114 hrz_kfree_skb (skb);
28115diff -urNp linux-2.6.32.48/drivers/atm/idt77252.c linux-2.6.32.48/drivers/atm/idt77252.c
28116--- linux-2.6.32.48/drivers/atm/idt77252.c 2011-11-08 19:02:43.000000000 -0500
28117+++ linux-2.6.32.48/drivers/atm/idt77252.c 2011-11-15 19:59:43.000000000 -0500
28118@@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
28119 else
28120 dev_kfree_skb(skb);
28121
28122- atomic_inc(&vcc->stats->tx);
28123+ atomic_inc_unchecked(&vcc->stats->tx);
28124 }
28125
28126 atomic_dec(&scq->used);
28127@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
28128 if ((sb = dev_alloc_skb(64)) == NULL) {
28129 printk("%s: Can't allocate buffers for aal0.\n",
28130 card->name);
28131- atomic_add(i, &vcc->stats->rx_drop);
28132+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
28133 break;
28134 }
28135 if (!atm_charge(vcc, sb->truesize)) {
28136 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
28137 card->name);
28138- atomic_add(i - 1, &vcc->stats->rx_drop);
28139+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
28140 dev_kfree_skb(sb);
28141 break;
28142 }
28143@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
28144 ATM_SKB(sb)->vcc = vcc;
28145 __net_timestamp(sb);
28146 vcc->push(vcc, sb);
28147- atomic_inc(&vcc->stats->rx);
28148+ atomic_inc_unchecked(&vcc->stats->rx);
28149
28150 cell += ATM_CELL_PAYLOAD;
28151 }
28152@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
28153 "(CDC: %08x)\n",
28154 card->name, len, rpp->len, readl(SAR_REG_CDC));
28155 recycle_rx_pool_skb(card, rpp);
28156- atomic_inc(&vcc->stats->rx_err);
28157+ atomic_inc_unchecked(&vcc->stats->rx_err);
28158 return;
28159 }
28160 if (stat & SAR_RSQE_CRC) {
28161 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
28162 recycle_rx_pool_skb(card, rpp);
28163- atomic_inc(&vcc->stats->rx_err);
28164+ atomic_inc_unchecked(&vcc->stats->rx_err);
28165 return;
28166 }
28167 if (skb_queue_len(&rpp->queue) > 1) {
28168@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
28169 RXPRINTK("%s: Can't alloc RX skb.\n",
28170 card->name);
28171 recycle_rx_pool_skb(card, rpp);
28172- atomic_inc(&vcc->stats->rx_err);
28173+ atomic_inc_unchecked(&vcc->stats->rx_err);
28174 return;
28175 }
28176 if (!atm_charge(vcc, skb->truesize)) {
28177@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
28178 __net_timestamp(skb);
28179
28180 vcc->push(vcc, skb);
28181- atomic_inc(&vcc->stats->rx);
28182+ atomic_inc_unchecked(&vcc->stats->rx);
28183
28184 return;
28185 }
28186@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
28187 __net_timestamp(skb);
28188
28189 vcc->push(vcc, skb);
28190- atomic_inc(&vcc->stats->rx);
28191+ atomic_inc_unchecked(&vcc->stats->rx);
28192
28193 if (skb->truesize > SAR_FB_SIZE_3)
28194 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
28195@@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
28196 if (vcc->qos.aal != ATM_AAL0) {
28197 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
28198 card->name, vpi, vci);
28199- atomic_inc(&vcc->stats->rx_drop);
28200+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28201 goto drop;
28202 }
28203
28204 if ((sb = dev_alloc_skb(64)) == NULL) {
28205 printk("%s: Can't allocate buffers for AAL0.\n",
28206 card->name);
28207- atomic_inc(&vcc->stats->rx_err);
28208+ atomic_inc_unchecked(&vcc->stats->rx_err);
28209 goto drop;
28210 }
28211
28212@@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
28213 ATM_SKB(sb)->vcc = vcc;
28214 __net_timestamp(sb);
28215 vcc->push(vcc, sb);
28216- atomic_inc(&vcc->stats->rx);
28217+ atomic_inc_unchecked(&vcc->stats->rx);
28218
28219 drop:
28220 skb_pull(queue, 64);
28221@@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28222
28223 if (vc == NULL) {
28224 printk("%s: NULL connection in send().\n", card->name);
28225- atomic_inc(&vcc->stats->tx_err);
28226+ atomic_inc_unchecked(&vcc->stats->tx_err);
28227 dev_kfree_skb(skb);
28228 return -EINVAL;
28229 }
28230 if (!test_bit(VCF_TX, &vc->flags)) {
28231 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
28232- atomic_inc(&vcc->stats->tx_err);
28233+ atomic_inc_unchecked(&vcc->stats->tx_err);
28234 dev_kfree_skb(skb);
28235 return -EINVAL;
28236 }
28237@@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28238 break;
28239 default:
28240 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
28241- atomic_inc(&vcc->stats->tx_err);
28242+ atomic_inc_unchecked(&vcc->stats->tx_err);
28243 dev_kfree_skb(skb);
28244 return -EINVAL;
28245 }
28246
28247 if (skb_shinfo(skb)->nr_frags != 0) {
28248 printk("%s: No scatter-gather yet.\n", card->name);
28249- atomic_inc(&vcc->stats->tx_err);
28250+ atomic_inc_unchecked(&vcc->stats->tx_err);
28251 dev_kfree_skb(skb);
28252 return -EINVAL;
28253 }
28254@@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
28255
28256 err = queue_skb(card, vc, skb, oam);
28257 if (err) {
28258- atomic_inc(&vcc->stats->tx_err);
28259+ atomic_inc_unchecked(&vcc->stats->tx_err);
28260 dev_kfree_skb(skb);
28261 return err;
28262 }
28263@@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
28264 skb = dev_alloc_skb(64);
28265 if (!skb) {
28266 printk("%s: Out of memory in send_oam().\n", card->name);
28267- atomic_inc(&vcc->stats->tx_err);
28268+ atomic_inc_unchecked(&vcc->stats->tx_err);
28269 return -ENOMEM;
28270 }
28271 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
28272diff -urNp linux-2.6.32.48/drivers/atm/iphase.c linux-2.6.32.48/drivers/atm/iphase.c
28273--- linux-2.6.32.48/drivers/atm/iphase.c 2011-11-08 19:02:43.000000000 -0500
28274+++ linux-2.6.32.48/drivers/atm/iphase.c 2011-11-15 19:59:43.000000000 -0500
28275@@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
28276 status = (u_short) (buf_desc_ptr->desc_mode);
28277 if (status & (RX_CER | RX_PTE | RX_OFL))
28278 {
28279- atomic_inc(&vcc->stats->rx_err);
28280+ atomic_inc_unchecked(&vcc->stats->rx_err);
28281 IF_ERR(printk("IA: bad packet, dropping it");)
28282 if (status & RX_CER) {
28283 IF_ERR(printk(" cause: packet CRC error\n");)
28284@@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
28285 len = dma_addr - buf_addr;
28286 if (len > iadev->rx_buf_sz) {
28287 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
28288- atomic_inc(&vcc->stats->rx_err);
28289+ atomic_inc_unchecked(&vcc->stats->rx_err);
28290 goto out_free_desc;
28291 }
28292
28293@@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
28294 ia_vcc = INPH_IA_VCC(vcc);
28295 if (ia_vcc == NULL)
28296 {
28297- atomic_inc(&vcc->stats->rx_err);
28298+ atomic_inc_unchecked(&vcc->stats->rx_err);
28299 dev_kfree_skb_any(skb);
28300 atm_return(vcc, atm_guess_pdu2truesize(len));
28301 goto INCR_DLE;
28302@@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
28303 if ((length > iadev->rx_buf_sz) || (length >
28304 (skb->len - sizeof(struct cpcs_trailer))))
28305 {
28306- atomic_inc(&vcc->stats->rx_err);
28307+ atomic_inc_unchecked(&vcc->stats->rx_err);
28308 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
28309 length, skb->len);)
28310 dev_kfree_skb_any(skb);
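Review bot: The AAL5 trailer check `length > (skb->len - sizeof(struct cpcs_trailer))` is evaluated in unsigned arithmetic, so if `skb->len` is ever smaller than the trailer the subtraction wraps to a very large value and the comparison can never reject the packet. Whether rx_dle_intr guarantees a minimum `skb->len` before this point is not visible in the hunk, so this is a point to confirm rather than a demonstrated fault. If there is no such guarantee, the condition should lead with `skb->len < sizeof(struct cpcs_trailer) ||` so that a short buffer is counted in `rx_err` and dropped like the other malformed cases.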
28311@@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
28312
28313 IF_RX(printk("rx_dle_intr: skb push");)
28314 vcc->push(vcc,skb);
28315- atomic_inc(&vcc->stats->rx);
28316+ atomic_inc_unchecked(&vcc->stats->rx);
28317 iadev->rx_pkt_cnt++;
28318 }
28319 INCR_DLE:
28320@@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
28321 {
28322 struct k_sonet_stats *stats;
28323 stats = &PRIV(_ia_dev[board])->sonet_stats;
28324- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
28325- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
28326- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
28327- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
28328- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
28329- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
28330- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
28331- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
28332- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
28333+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
28334+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
28335+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
28336+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
28337+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
28338+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
28339+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
28340+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
28341+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
28342 }
28343 ia_cmds.status = 0;
28344 break;
28345@@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
28346 if ((desc == 0) || (desc > iadev->num_tx_desc))
28347 {
28348 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
28349- atomic_inc(&vcc->stats->tx);
28350+ atomic_inc_unchecked(&vcc->stats->tx);
28351 if (vcc->pop)
28352 vcc->pop(vcc, skb);
28353 else
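Review bot: The invalid-descriptor branch of ia_pkt_tx counts the packet in `vcc->stats->tx` even though the skb is handed back through `vcc->pop` or freed rather than sent. The conversion keeps that behaviour, so a rejected descriptor is reported as a successful transmit and never shows up in the error counter. The other send-path failures in this patch (ns_send, idt77252_send_skb, he_send) bump `tx_err`, so this line looks like it should be `atomic_inc_unchecked(&vcc->stats->tx_err);`. The branch continues outside the hunk, so its return value cannot be checked from here.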
28354@@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
28355 ATM_DESC(skb) = vcc->vci;
28356 skb_queue_tail(&iadev->tx_dma_q, skb);
28357
28358- atomic_inc(&vcc->stats->tx);
28359+ atomic_inc_unchecked(&vcc->stats->tx);
28360 iadev->tx_pkt_cnt++;
28361 /* Increment transaction counter */
28362 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
28363
28364 #if 0
28365 /* add flow control logic */
28366- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
28367+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
28368 if (iavcc->vc_desc_cnt > 10) {
28369 vcc->tx_quota = vcc->tx_quota * 3 / 4;
28370 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
28371diff -urNp linux-2.6.32.48/drivers/atm/lanai.c linux-2.6.32.48/drivers/atm/lanai.c
28372--- linux-2.6.32.48/drivers/atm/lanai.c 2011-11-08 19:02:43.000000000 -0500
28373+++ linux-2.6.32.48/drivers/atm/lanai.c 2011-11-15 19:59:43.000000000 -0500
28374@@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
28375 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
28376 lanai_endtx(lanai, lvcc);
28377 lanai_free_skb(lvcc->tx.atmvcc, skb);
28378- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
28379+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
28380 }
28381
28382 /* Try to fill the buffer - don't call unless there is backlog */
28383@@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
28384 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
28385 __net_timestamp(skb);
28386 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
28387- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
28388+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
28389 out:
28390 lvcc->rx.buf.ptr = end;
28391 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
28392@@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
28393 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
28394 "vcc %d\n", lanai->number, (unsigned int) s, vci);
28395 lanai->stats.service_rxnotaal5++;
28396- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28397+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28398 return 0;
28399 }
28400 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
28401@@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
28402 int bytes;
28403 read_unlock(&vcc_sklist_lock);
28404 DPRINTK("got trashed rx pdu on vci %d\n", vci);
28405- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28406+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28407 lvcc->stats.x.aal5.service_trash++;
28408 bytes = (SERVICE_GET_END(s) * 16) -
28409 (((unsigned long) lvcc->rx.buf.ptr) -
28410@@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
28411 }
28412 if (s & SERVICE_STREAM) {
28413 read_unlock(&vcc_sklist_lock);
28414- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28415+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28416 lvcc->stats.x.aal5.service_stream++;
28417 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
28418 "PDU on VCI %d!\n", lanai->number, vci);
28419@@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
28420 return 0;
28421 }
28422 DPRINTK("got rx crc error on vci %d\n", vci);
28423- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
28424+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
28425 lvcc->stats.x.aal5.service_rxcrc++;
28426 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
28427 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
28428diff -urNp linux-2.6.32.48/drivers/atm/nicstar.c linux-2.6.32.48/drivers/atm/nicstar.c
28429--- linux-2.6.32.48/drivers/atm/nicstar.c 2011-11-08 19:02:43.000000000 -0500
28430+++ linux-2.6.32.48/drivers/atm/nicstar.c 2011-11-15 19:59:43.000000000 -0500
28431@@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
28432 if ((vc = (vc_map *) vcc->dev_data) == NULL)
28433 {
28434 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
28435- atomic_inc(&vcc->stats->tx_err);
28436+ atomic_inc_unchecked(&vcc->stats->tx_err);
28437 dev_kfree_skb_any(skb);
28438 return -EINVAL;
28439 }
28440@@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
28441 if (!vc->tx)
28442 {
28443 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
28444- atomic_inc(&vcc->stats->tx_err);
28445+ atomic_inc_unchecked(&vcc->stats->tx_err);
28446 dev_kfree_skb_any(skb);
28447 return -EINVAL;
28448 }
28449@@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
28450 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
28451 {
28452 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
28453- atomic_inc(&vcc->stats->tx_err);
28454+ atomic_inc_unchecked(&vcc->stats->tx_err);
28455 dev_kfree_skb_any(skb);
28456 return -EINVAL;
28457 }
28458@@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
28459 if (skb_shinfo(skb)->nr_frags != 0)
28460 {
28461 printk("nicstar%d: No scatter-gather yet.\n", card->index);
28462- atomic_inc(&vcc->stats->tx_err);
28463+ atomic_inc_unchecked(&vcc->stats->tx_err);
28464 dev_kfree_skb_any(skb);
28465 return -EINVAL;
28466 }
28467@@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
28468
28469 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
28470 {
28471- atomic_inc(&vcc->stats->tx_err);
28472+ atomic_inc_unchecked(&vcc->stats->tx_err);
28473 dev_kfree_skb_any(skb);
28474 return -EIO;
28475 }
28476- atomic_inc(&vcc->stats->tx);
28477+ atomic_inc_unchecked(&vcc->stats->tx);
28478
28479 return 0;
28480 }
28481@@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
28482 {
28483 printk("nicstar%d: Can't allocate buffers for aal0.\n",
28484 card->index);
28485- atomic_add(i,&vcc->stats->rx_drop);
28486+ atomic_add_unchecked(i,&vcc->stats->rx_drop);
28487 break;
28488 }
28489 if (!atm_charge(vcc, sb->truesize))
28490 {
28491 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
28492 card->index);
28493- atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28494+ atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
28495 dev_kfree_skb_any(sb);
28496 break;
28497 }
28498@@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
28499 ATM_SKB(sb)->vcc = vcc;
28500 __net_timestamp(sb);
28501 vcc->push(vcc, sb);
28502- atomic_inc(&vcc->stats->rx);
28503+ atomic_inc_unchecked(&vcc->stats->rx);
28504 cell += ATM_CELL_PAYLOAD;
28505 }
28506
28507@@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
28508 if (iovb == NULL)
28509 {
28510 printk("nicstar%d: Out of iovec buffers.\n", card->index);
28511- atomic_inc(&vcc->stats->rx_drop);
28512+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28513 recycle_rx_buf(card, skb);
28514 return;
28515 }
28516@@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
28517 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
28518 {
28519 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
28520- atomic_inc(&vcc->stats->rx_err);
28521+ atomic_inc_unchecked(&vcc->stats->rx_err);
28522 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
28523 NS_SKB(iovb)->iovcnt = 0;
28524 iovb->len = 0;
28525@@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
28526 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
28527 card->index);
28528 which_list(card, skb);
28529- atomic_inc(&vcc->stats->rx_err);
28530+ atomic_inc_unchecked(&vcc->stats->rx_err);
28531 recycle_rx_buf(card, skb);
28532 vc->rx_iov = NULL;
28533 recycle_iov_buf(card, iovb);
28534@@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
28535 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
28536 card->index);
28537 which_list(card, skb);
28538- atomic_inc(&vcc->stats->rx_err);
28539+ atomic_inc_unchecked(&vcc->stats->rx_err);
28540 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28541 NS_SKB(iovb)->iovcnt);
28542 vc->rx_iov = NULL;
28543@@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
28544 printk(" - PDU size mismatch.\n");
28545 else
28546 printk(".\n");
28547- atomic_inc(&vcc->stats->rx_err);
28548+ atomic_inc_unchecked(&vcc->stats->rx_err);
28549 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28550 NS_SKB(iovb)->iovcnt);
28551 vc->rx_iov = NULL;
28552@@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
28553 if (!atm_charge(vcc, skb->truesize))
28554 {
28555 push_rxbufs(card, skb);
28556- atomic_inc(&vcc->stats->rx_drop);
28557+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28558 }
28559 else
28560 {
28561@@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
28562 ATM_SKB(skb)->vcc = vcc;
28563 __net_timestamp(skb);
28564 vcc->push(vcc, skb);
28565- atomic_inc(&vcc->stats->rx);
28566+ atomic_inc_unchecked(&vcc->stats->rx);
28567 }
28568 }
28569 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
28570@@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
28571 if (!atm_charge(vcc, sb->truesize))
28572 {
28573 push_rxbufs(card, sb);
28574- atomic_inc(&vcc->stats->rx_drop);
28575+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28576 }
28577 else
28578 {
28579@@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
28580 ATM_SKB(sb)->vcc = vcc;
28581 __net_timestamp(sb);
28582 vcc->push(vcc, sb);
28583- atomic_inc(&vcc->stats->rx);
28584+ atomic_inc_unchecked(&vcc->stats->rx);
28585 }
28586
28587 push_rxbufs(card, skb);
28588@@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
28589 if (!atm_charge(vcc, skb->truesize))
28590 {
28591 push_rxbufs(card, skb);
28592- atomic_inc(&vcc->stats->rx_drop);
28593+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28594 }
28595 else
28596 {
28597@@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
28598 ATM_SKB(skb)->vcc = vcc;
28599 __net_timestamp(skb);
28600 vcc->push(vcc, skb);
28601- atomic_inc(&vcc->stats->rx);
28602+ atomic_inc_unchecked(&vcc->stats->rx);
28603 }
28604
28605 push_rxbufs(card, sb);
28606@@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
28607 if (hb == NULL)
28608 {
28609 printk("nicstar%d: Out of huge buffers.\n", card->index);
28610- atomic_inc(&vcc->stats->rx_drop);
28611+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28612 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
28613 NS_SKB(iovb)->iovcnt);
28614 vc->rx_iov = NULL;
28615@@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
28616 }
28617 else
28618 dev_kfree_skb_any(hb);
28619- atomic_inc(&vcc->stats->rx_drop);
28620+ atomic_inc_unchecked(&vcc->stats->rx_drop);
28621 }
28622 else
28623 {
28624@@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
28625 #endif /* NS_USE_DESTRUCTORS */
28626 __net_timestamp(hb);
28627 vcc->push(vcc, hb);
28628- atomic_inc(&vcc->stats->rx);
28629+ atomic_inc_unchecked(&vcc->stats->rx);
28630 }
28631 }
28632
28633diff -urNp linux-2.6.32.48/drivers/atm/solos-pci.c linux-2.6.32.48/drivers/atm/solos-pci.c
28634--- linux-2.6.32.48/drivers/atm/solos-pci.c 2011-11-08 19:02:43.000000000 -0500
28635+++ linux-2.6.32.48/drivers/atm/solos-pci.c 2011-11-15 19:59:43.000000000 -0500
28636@@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
28637 }
28638 atm_charge(vcc, skb->truesize);
28639 vcc->push(vcc, skb);
28640- atomic_inc(&vcc->stats->rx);
28641+ atomic_inc_unchecked(&vcc->stats->rx);
28642 break;
28643
28644 case PKT_STATUS:
28645@@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
28646 char msg[500];
28647 char item[10];
28648
28649+ pax_track_stack();
28650+
28651 len = buf->len;
28652 for (i = 0; i < len; i++){
28653 if(i % 8 == 0)
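Review bot: The added `pax_track_stack();` in print_buffer has no comment, so a reader without PaX background cannot tell why this one function needs it. It is presumably there because of the 500-byte `msg` buffer, which gives the function a large stack frame. A one-line comment above the call would record that, for example `/* large frame (msg[500]): let PaX STACKLEAK record the stack depth */`. It would also tell a later maintainer that the call can go if the buffer is ever shrunk or moved off the stack. The function body continues outside the hunk.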
28654@@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
28655 vcc = SKB_CB(oldskb)->vcc;
28656
28657 if (vcc) {
28658- atomic_inc(&vcc->stats->tx);
28659+ atomic_inc_unchecked(&vcc->stats->tx);
28660 solos_pop(vcc, oldskb);
28661 } else
28662 dev_kfree_skb_irq(oldskb);
28663diff -urNp linux-2.6.32.48/drivers/atm/suni.c linux-2.6.32.48/drivers/atm/suni.c
28664--- linux-2.6.32.48/drivers/atm/suni.c 2011-11-08 19:02:43.000000000 -0500
28665+++ linux-2.6.32.48/drivers/atm/suni.c 2011-11-15 19:59:43.000000000 -0500
28666@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
28667
28668
28669 #define ADD_LIMITED(s,v) \
28670- atomic_add((v),&stats->s); \
28671- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
28672+ atomic_add_unchecked((v),&stats->s); \
28673+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
28674
28675
28676 static void suni_hz(unsigned long from_timer)
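Review bot: `ADD_LIMITED` in suni.c still expands to two separate statements, so if it is ever used as the body of an unbraced `if` or `else`, only the add would be conditional and the clamp would always run. Since the macro is being rewritten anyway, wrap the body in `do { ... } while (0)` and drop the trailing semicolon from the definition. A short comment would also help, because the clamp depends on the counter wrapping negative, which is why the `_unchecked` variants are the right ones here: `/* saturating stats counter: wraps negative, then clamps to INT_MAX */`. The add and the clamp are separate atomic operations, so a concurrent reader could briefly see a negative value. The `ADD_LIMITED` in uPD98402.c braces its body but has the same add-then-clamp pattern.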
28677diff -urNp linux-2.6.32.48/drivers/atm/uPD98402.c linux-2.6.32.48/drivers/atm/uPD98402.c
28678--- linux-2.6.32.48/drivers/atm/uPD98402.c 2011-11-08 19:02:43.000000000 -0500
28679+++ linux-2.6.32.48/drivers/atm/uPD98402.c 2011-11-15 19:59:43.000000000 -0500
28680@@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
28681 struct sonet_stats tmp;
28682 int error = 0;
28683
28684- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28685+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
28686 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
28687 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
28688 if (zero && !error) {
28689@@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
28690
28691
28692 #define ADD_LIMITED(s,v) \
28693- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
28694- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
28695- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28696+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
28697+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
28698+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
28699
28700
28701 static void stat_event(struct atm_dev *dev)
28702@@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
28703 if (reason & uPD98402_INT_PFM) stat_event(dev);
28704 if (reason & uPD98402_INT_PCO) {
28705 (void) GET(PCOCR); /* clear interrupt cause */
28706- atomic_add(GET(HECCT),
28707+ atomic_add_unchecked(GET(HECCT),
28708 &PRIV(dev)->sonet_stats.uncorr_hcs);
28709 }
28710 if ((reason & uPD98402_INT_RFO) &&
28711@@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
28712 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
28713 uPD98402_INT_LOS),PIMR); /* enable them */
28714 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
28715- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28716- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
28717- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
28718+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
28719+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
28720+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
28721 return 0;
28722 }
28723
28724diff -urNp linux-2.6.32.48/drivers/atm/zatm.c linux-2.6.32.48/drivers/atm/zatm.c
28725--- linux-2.6.32.48/drivers/atm/zatm.c 2011-11-08 19:02:43.000000000 -0500
28726+++ linux-2.6.32.48/drivers/atm/zatm.c 2011-11-15 19:59:43.000000000 -0500
28727@@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28728 }
28729 if (!size) {
28730 dev_kfree_skb_irq(skb);
28731- if (vcc) atomic_inc(&vcc->stats->rx_err);
28732+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
28733 continue;
28734 }
28735 if (!atm_charge(vcc,skb->truesize)) {
28736@@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
28737 skb->len = size;
28738 ATM_SKB(skb)->vcc = vcc;
28739 vcc->push(vcc,skb);
28740- atomic_inc(&vcc->stats->rx);
28741+ atomic_inc_unchecked(&vcc->stats->rx);
28742 }
28743 zout(pos & 0xffff,MTA(mbx));
28744 #if 0 /* probably a stupid idea */
28745@@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
28746 skb_queue_head(&zatm_vcc->backlog,skb);
28747 break;
28748 }
28749- atomic_inc(&vcc->stats->tx);
28750+ atomic_inc_unchecked(&vcc->stats->tx);
28751 wake_up(&zatm_vcc->tx_wait);
28752 }
28753
28754diff -urNp linux-2.6.32.48/drivers/base/bus.c linux-2.6.32.48/drivers/base/bus.c
28755--- linux-2.6.32.48/drivers/base/bus.c 2011-11-08 19:02:43.000000000 -0500
28756+++ linux-2.6.32.48/drivers/base/bus.c 2011-11-15 19:59:43.000000000 -0500
28757@@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
28758 return ret;
28759 }
28760
28761-static struct sysfs_ops driver_sysfs_ops = {
28762+static const struct sysfs_ops driver_sysfs_ops = {
28763 .show = drv_attr_show,
28764 .store = drv_attr_store,
28765 };
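Review bot: Making `driver_sysfs_ops` const only holds together if the field it is assigned to is a pointer-to-const. The `struct kobj_type` definition is not in this hunk, so it is worth confirming that its `sysfs_ops` member is declared `const struct sysfs_ops *`; otherwise the assignment discards the qualifier. The same check applies to the other `sysfs_ops` and `kset_uevent_ops` tables constified in bus.c, class.c, core.c, memory.c, sys.c and pktcdvd.c, and to the consumers of the `hv_ops` tables further down.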
28766@@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
28767 return ret;
28768 }
28769
28770-static struct sysfs_ops bus_sysfs_ops = {
28771+static const struct sysfs_ops bus_sysfs_ops = {
28772 .show = bus_attr_show,
28773 .store = bus_attr_store,
28774 };
28775@@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
28776 return 0;
28777 }
28778
28779-static struct kset_uevent_ops bus_uevent_ops = {
28780+static const struct kset_uevent_ops bus_uevent_ops = {
28781 .filter = bus_uevent_filter,
28782 };
28783
28784diff -urNp linux-2.6.32.48/drivers/base/class.c linux-2.6.32.48/drivers/base/class.c
28785--- linux-2.6.32.48/drivers/base/class.c 2011-11-08 19:02:43.000000000 -0500
28786+++ linux-2.6.32.48/drivers/base/class.c 2011-11-15 19:59:43.000000000 -0500
28787@@ -63,7 +63,7 @@ static void class_release(struct kobject
28788 kfree(cp);
28789 }
28790
28791-static struct sysfs_ops class_sysfs_ops = {
28792+static const struct sysfs_ops class_sysfs_ops = {
28793 .show = class_attr_show,
28794 .store = class_attr_store,
28795 };
28796diff -urNp linux-2.6.32.48/drivers/base/core.c linux-2.6.32.48/drivers/base/core.c
28797--- linux-2.6.32.48/drivers/base/core.c 2011-11-08 19:02:43.000000000 -0500
28798+++ linux-2.6.32.48/drivers/base/core.c 2011-11-15 19:59:43.000000000 -0500
28799@@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
28800 return ret;
28801 }
28802
28803-static struct sysfs_ops dev_sysfs_ops = {
28804+static const struct sysfs_ops dev_sysfs_ops = {
28805 .show = dev_attr_show,
28806 .store = dev_attr_store,
28807 };
28808@@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
28809 return retval;
28810 }
28811
28812-static struct kset_uevent_ops device_uevent_ops = {
28813+static const struct kset_uevent_ops device_uevent_ops = {
28814 .filter = dev_uevent_filter,
28815 .name = dev_uevent_name,
28816 .uevent = dev_uevent,
28817diff -urNp linux-2.6.32.48/drivers/base/memory.c linux-2.6.32.48/drivers/base/memory.c
28818--- linux-2.6.32.48/drivers/base/memory.c 2011-11-08 19:02:43.000000000 -0500
28819+++ linux-2.6.32.48/drivers/base/memory.c 2011-11-15 19:59:43.000000000 -0500
28820@@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
28821 return retval;
28822 }
28823
28824-static struct kset_uevent_ops memory_uevent_ops = {
28825+static const struct kset_uevent_ops memory_uevent_ops = {
28826 .name = memory_uevent_name,
28827 .uevent = memory_uevent,
28828 };
28829diff -urNp linux-2.6.32.48/drivers/base/sys.c linux-2.6.32.48/drivers/base/sys.c
28830--- linux-2.6.32.48/drivers/base/sys.c 2011-11-08 19:02:43.000000000 -0500
28831+++ linux-2.6.32.48/drivers/base/sys.c 2011-11-15 19:59:43.000000000 -0500
28832@@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
28833 return -EIO;
28834 }
28835
28836-static struct sysfs_ops sysfs_ops = {
28837+static const struct sysfs_ops sysfs_ops = {
28838 .show = sysdev_show,
28839 .store = sysdev_store,
28840 };
28841@@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
28842 return -EIO;
28843 }
28844
28845-static struct sysfs_ops sysfs_class_ops = {
28846+static const struct sysfs_ops sysfs_class_ops = {
28847 .show = sysdev_class_show,
28848 .store = sysdev_class_store,
28849 };
28850diff -urNp linux-2.6.32.48/drivers/block/cciss.c linux-2.6.32.48/drivers/block/cciss.c
28851--- linux-2.6.32.48/drivers/block/cciss.c 2011-11-08 19:02:43.000000000 -0500
28852+++ linux-2.6.32.48/drivers/block/cciss.c 2011-11-15 19:59:43.000000000 -0500
28853@@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
28854 int err;
28855 u32 cp;
28856
28857+ memset(&arg64, 0, sizeof(arg64));
28858+
28859 err = 0;
28860 err |=
28861 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
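Review bot: The added `memset(&arg64, 0, sizeof(arg64));` has no comment saying what it protects, and the reason is not obvious from the hunk. The visible code fills `arg64` member by member from `arg32`, so padding and any member not copied would otherwise keep stale kernel stack contents. I would add `/* clear padding and uncopied members before arg64 is handed on */` above it; where `arg64` goes afterwards is outside the hunk, so the wording should be checked against the rest of cciss_ioctl32_passthru. The `memset` additions in genrtc.c (`pll`) and hpet.c (`info`) would benefit from the same one-line comment.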
28862@@ -2852,7 +2854,7 @@ static unsigned long pollcomplete(int ct
28863 /* Wait (up to 20 seconds) for a command to complete */
28864
28865 for (i = 20 * HZ; i > 0; i--) {
28866- done = hba[ctlr]->access.command_completed(hba[ctlr]);
28867+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
28868 if (done == FIFO_EMPTY)
28869 schedule_timeout_uninterruptible(1);
28870 else
28871@@ -2876,7 +2878,7 @@ static int sendcmd_core(ctlr_info_t *h,
28872 resend_cmd1:
28873
28874 /* Disable interrupt on the board. */
28875- h->access.set_intr_mask(h, CCISS_INTR_OFF);
28876+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
28877
28878 /* Make sure there is room in the command FIFO */
28879 /* Actually it should be completely empty at this time */
28880@@ -2884,13 +2886,13 @@ resend_cmd1:
28881 /* tape side of the driver. */
28882 for (i = 200000; i > 0; i--) {
28883 /* if fifo isn't full go */
28884- if (!(h->access.fifo_full(h)))
28885+ if (!(h->access->fifo_full(h)))
28886 break;
28887 udelay(10);
28888 printk(KERN_WARNING "cciss cciss%d: SendCmd FIFO full,"
28889 " waiting!\n", h->ctlr);
28890 }
28891- h->access.submit_command(h, c); /* Send the cmd */
28892+ h->access->submit_command(h, c); /* Send the cmd */
28893 do {
28894 complete = pollcomplete(h->ctlr);
28895
28896@@ -3023,7 +3025,7 @@ static void start_io(ctlr_info_t *h)
28897 while (!hlist_empty(&h->reqQ)) {
28898 c = hlist_entry(h->reqQ.first, CommandList_struct, list);
28899 /* can't do anything if fifo is full */
28900- if ((h->access.fifo_full(h))) {
28901+ if ((h->access->fifo_full(h))) {
28902 printk(KERN_WARNING "cciss: fifo full\n");
28903 break;
28904 }
28905@@ -3033,7 +3035,7 @@ static void start_io(ctlr_info_t *h)
28906 h->Qdepth--;
28907
28908 /* Tell the controller execute command */
28909- h->access.submit_command(h, c);
28910+ h->access->submit_command(h, c);
28911
28912 /* Put job onto the completed Q */
28913 addQ(&h->cmpQ, c);
28914@@ -3393,17 +3395,17 @@ startio:
28915
28916 static inline unsigned long get_next_completion(ctlr_info_t *h)
28917 {
28918- return h->access.command_completed(h);
28919+ return h->access->command_completed(h);
28920 }
28921
28922 static inline int interrupt_pending(ctlr_info_t *h)
28923 {
28924- return h->access.intr_pending(h);
28925+ return h->access->intr_pending(h);
28926 }
28927
28928 static inline long interrupt_not_for_us(ctlr_info_t *h)
28929 {
28930- return (((h->access.intr_pending(h) == 0) ||
28931+ return (((h->access->intr_pending(h) == 0) ||
28932 (h->interrupts_enabled == 0)));
28933 }
28934
28935@@ -3892,7 +3894,7 @@ static int __devinit cciss_pci_init(ctlr
28936 */
28937 c->max_commands = readl(&(c->cfgtable->CmdsOutMax));
28938 c->product_name = products[prod_index].product_name;
28939- c->access = *(products[prod_index].access);
28940+ c->access = products[prod_index].access;
28941 c->nr_cmds = c->max_commands - 4;
28942 if ((readb(&c->cfgtable->Signature[0]) != 'C') ||
28943 (readb(&c->cfgtable->Signature[1]) != 'I') ||
28944@@ -4291,7 +4293,7 @@ static int __devinit cciss_init_one(stru
28945 }
28946
28947 /* make sure the board interrupts are off */
28948- hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_OFF);
28949+ hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_OFF);
28950 if (request_irq(hba[i]->intr[SIMPLE_MODE_INT], do_cciss_intr,
28951 IRQF_DISABLED | IRQF_SHARED, hba[i]->devname, hba[i])) {
28952 printk(KERN_ERR "cciss: Unable to get irq %d for %s\n",
28953@@ -4341,7 +4343,7 @@ static int __devinit cciss_init_one(stru
28954 cciss_scsi_setup(i);
28955
28956 /* Turn the interrupts on so we can service requests */
28957- hba[i]->access.set_intr_mask(hba[i], CCISS_INTR_ON);
28958+ hba[i]->access->set_intr_mask(hba[i], CCISS_INTR_ON);
28959
28960 /* Get the firmware version */
28961 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
28962diff -urNp linux-2.6.32.48/drivers/block/cciss.h linux-2.6.32.48/drivers/block/cciss.h
28963--- linux-2.6.32.48/drivers/block/cciss.h 2011-11-08 19:02:43.000000000 -0500
28964+++ linux-2.6.32.48/drivers/block/cciss.h 2011-11-15 19:59:43.000000000 -0500
28965@@ -90,7 +90,7 @@ struct ctlr_info
28966 // information about each logical volume
28967 drive_info_struct *drv[CISS_MAX_LUN];
28968
28969- struct access_method access;
28970+ struct access_method *access;
28971
28972 /* queue and queue Info */
28973 struct hlist_head reqQ;
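Review bot: `struct access_method *access;` should probably be `const struct access_method *access;`. With this change every controller points at the shared per-product table instead of holding its own copy, so a write through `h->access` would alter the dispatch functions for all controllers of that product. A pointer-to-const rules that out at compile time and lets the tables themselves be const. The declaration of `products[].access` is outside this hunk and would need the same qualifier; the matching field in cpqarray.h has the same issue.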
28974diff -urNp linux-2.6.32.48/drivers/block/cpqarray.c linux-2.6.32.48/drivers/block/cpqarray.c
28975--- linux-2.6.32.48/drivers/block/cpqarray.c 2011-11-08 19:02:43.000000000 -0500
28976+++ linux-2.6.32.48/drivers/block/cpqarray.c 2011-11-15 19:59:43.000000000 -0500
28977@@ -402,7 +402,7 @@ static int __init cpqarray_register_ctlr
28978 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
28979 goto Enomem4;
28980 }
28981- hba[i]->access.set_intr_mask(hba[i], 0);
28982+ hba[i]->access->set_intr_mask(hba[i], 0);
28983 if (request_irq(hba[i]->intr, do_ida_intr,
28984 IRQF_DISABLED|IRQF_SHARED, hba[i]->devname, hba[i]))
28985 {
28986@@ -460,7 +460,7 @@ static int __init cpqarray_register_ctlr
28987 add_timer(&hba[i]->timer);
28988
28989 /* Enable IRQ now that spinlock and rate limit timer are set up */
28990- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28991+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
28992
28993 for(j=0; j<NWD; j++) {
28994 struct gendisk *disk = ida_gendisk[i][j];
28995@@ -695,7 +695,7 @@ DBGINFO(
28996 for(i=0; i<NR_PRODUCTS; i++) {
28997 if (board_id == products[i].board_id) {
28998 c->product_name = products[i].product_name;
28999- c->access = *(products[i].access);
29000+ c->access = products[i].access;
29001 break;
29002 }
29003 }
29004@@ -793,7 +793,7 @@ static int __init cpqarray_eisa_detect(v
29005 hba[ctlr]->intr = intr;
29006 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
29007 hba[ctlr]->product_name = products[j].product_name;
29008- hba[ctlr]->access = *(products[j].access);
29009+ hba[ctlr]->access = products[j].access;
29010 hba[ctlr]->ctlr = ctlr;
29011 hba[ctlr]->board_id = board_id;
29012 hba[ctlr]->pci_dev = NULL; /* not PCI */
29013@@ -896,6 +896,8 @@ static void do_ida_request(struct reques
29014 struct scatterlist tmp_sg[SG_MAX];
29015 int i, dir, seg;
29016
29017+ pax_track_stack();
29018+
29019 if (blk_queue_plugged(q))
29020 goto startio;
29021
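Review bot: `pax_track_stack();` is added without a comment, and nothing in the hunk says why this function in particular needs it. The likely reason is the `struct scatterlist tmp_sg[SG_MAX]` local just above, which makes the frame large. A comment such as `/* large frame (tmp_sg[SG_MAX]): record stack depth */` would tie the call to that array, so it is revisited if the array ever moves off the stack. The calls added in DAC960.c and nbd.c are in the same position, though their large locals are not all visible in those hunks.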
29022@@ -968,7 +970,7 @@ static void start_io(ctlr_info_t *h)
29023
29024 while((c = h->reqQ) != NULL) {
29025 /* Can't do anything if we're busy */
29026- if (h->access.fifo_full(h) == 0)
29027+ if (h->access->fifo_full(h) == 0)
29028 return;
29029
29030 /* Get the first entry from the request Q */
29031@@ -976,7 +978,7 @@ static void start_io(ctlr_info_t *h)
29032 h->Qdepth--;
29033
29034 /* Tell the controller to do our bidding */
29035- h->access.submit_command(h, c);
29036+ h->access->submit_command(h, c);
29037
29038 /* Get onto the completion Q */
29039 addQ(&h->cmpQ, c);
29040@@ -1038,7 +1040,7 @@ static irqreturn_t do_ida_intr(int irq,
29041 unsigned long flags;
29042 __u32 a,a1;
29043
29044- istat = h->access.intr_pending(h);
29045+ istat = h->access->intr_pending(h);
29046 /* Is this interrupt for us? */
29047 if (istat == 0)
29048 return IRQ_NONE;
29049@@ -1049,7 +1051,7 @@ static irqreturn_t do_ida_intr(int irq,
29050 */
29051 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
29052 if (istat & FIFO_NOT_EMPTY) {
29053- while((a = h->access.command_completed(h))) {
29054+ while((a = h->access->command_completed(h))) {
29055 a1 = a; a &= ~3;
29056 if ((c = h->cmpQ) == NULL)
29057 {
29058@@ -1434,11 +1436,11 @@ static int sendcmd(
29059 /*
29060 * Disable interrupt
29061 */
29062- info_p->access.set_intr_mask(info_p, 0);
29063+ info_p->access->set_intr_mask(info_p, 0);
29064 /* Make sure there is room in the command FIFO */
29065 /* Actually it should be completely empty at this time. */
29066 for (i = 200000; i > 0; i--) {
29067- temp = info_p->access.fifo_full(info_p);
29068+ temp = info_p->access->fifo_full(info_p);
29069 if (temp != 0) {
29070 break;
29071 }
29072@@ -1451,7 +1453,7 @@ DBG(
29073 /*
29074 * Send the cmd
29075 */
29076- info_p->access.submit_command(info_p, c);
29077+ info_p->access->submit_command(info_p, c);
29078 complete = pollcomplete(ctlr);
29079
29080 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
29081@@ -1534,9 +1536,9 @@ static int revalidate_allvol(ctlr_info_t
29082 * we check the new geometry. Then turn interrupts back on when
29083 * we're done.
29084 */
29085- host->access.set_intr_mask(host, 0);
29086+ host->access->set_intr_mask(host, 0);
29087 getgeometry(ctlr);
29088- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
29089+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
29090
29091 for(i=0; i<NWD; i++) {
29092 struct gendisk *disk = ida_gendisk[ctlr][i];
29093@@ -1576,7 +1578,7 @@ static int pollcomplete(int ctlr)
29094 /* Wait (up to 2 seconds) for a command to complete */
29095
29096 for (i = 200000; i > 0; i--) {
29097- done = hba[ctlr]->access.command_completed(hba[ctlr]);
29098+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
29099 if (done == 0) {
29100 udelay(10); /* a short fixed delay */
29101 } else
29102diff -urNp linux-2.6.32.48/drivers/block/cpqarray.h linux-2.6.32.48/drivers/block/cpqarray.h
29103--- linux-2.6.32.48/drivers/block/cpqarray.h 2011-11-08 19:02:43.000000000 -0500
29104+++ linux-2.6.32.48/drivers/block/cpqarray.h 2011-11-15 19:59:43.000000000 -0500
29105@@ -99,7 +99,7 @@ struct ctlr_info {
29106 drv_info_t drv[NWD];
29107 struct proc_dir_entry *proc;
29108
29109- struct access_method access;
29110+ struct access_method *access;
29111
29112 cmdlist_t *reqQ;
29113 cmdlist_t *cmpQ;
29114diff -urNp linux-2.6.32.48/drivers/block/DAC960.c linux-2.6.32.48/drivers/block/DAC960.c
29115--- linux-2.6.32.48/drivers/block/DAC960.c 2011-11-08 19:02:43.000000000 -0500
29116+++ linux-2.6.32.48/drivers/block/DAC960.c 2011-11-15 19:59:43.000000000 -0500
29117@@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
29118 unsigned long flags;
29119 int Channel, TargetID;
29120
29121+ pax_track_stack();
29122+
29123 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
29124 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
29125 sizeof(DAC960_SCSI_Inquiry_T) +
29126diff -urNp linux-2.6.32.48/drivers/block/loop.c linux-2.6.32.48/drivers/block/loop.c
29127--- linux-2.6.32.48/drivers/block/loop.c 2011-11-08 19:02:43.000000000 -0500
29128+++ linux-2.6.32.48/drivers/block/loop.c 2011-11-15 19:59:43.000000000 -0500
29129@@ -282,7 +282,7 @@ static int __do_lo_send_write(struct fil
29130 mm_segment_t old_fs = get_fs();
29131
29132 set_fs(get_ds());
29133- bw = file->f_op->write(file, buf, len, &pos);
29134+ bw = file->f_op->write(file, (const char __force_user *)buf, len, &pos);
29135 set_fs(old_fs);
29136 if (likely(bw == len))
29137 return 0;
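Review bot: The `(const char __force_user *)` cast on `buf` silences the address-space annotation check without recording why that is safe. It is valid here only because `set_fs(get_ds())` on the line before lifts the user-address limit and `set_fs(old_fs)` restores it right after the call. A comment such as `/* buf is a kernel pointer; valid only inside the set_fs(get_ds()) window */` would keep the cast from being copied to a site without that bracket. `__do_lo_send_write` begins before the hunk, so where `buf` comes from is not visible.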
29138diff -urNp linux-2.6.32.48/drivers/block/nbd.c linux-2.6.32.48/drivers/block/nbd.c
29139--- linux-2.6.32.48/drivers/block/nbd.c 2011-11-08 19:02:43.000000000 -0500
29140+++ linux-2.6.32.48/drivers/block/nbd.c 2011-11-15 19:59:43.000000000 -0500
29141@@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
29142 struct kvec iov;
29143 sigset_t blocked, oldset;
29144
29145+ pax_track_stack();
29146+
29147 if (unlikely(!sock)) {
29148 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
29149 lo->disk->disk_name, (send ? "send" : "recv"));
29150@@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
29151 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
29152 unsigned int cmd, unsigned long arg)
29153 {
29154+ pax_track_stack();
29155+
29156 switch (cmd) {
29157 case NBD_DISCONNECT: {
29158 struct request sreq;
29159diff -urNp linux-2.6.32.48/drivers/block/pktcdvd.c linux-2.6.32.48/drivers/block/pktcdvd.c
29160--- linux-2.6.32.48/drivers/block/pktcdvd.c 2011-11-08 19:02:43.000000000 -0500
29161+++ linux-2.6.32.48/drivers/block/pktcdvd.c 2011-11-15 19:59:43.000000000 -0500
29162@@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
29163 return len;
29164 }
29165
29166-static struct sysfs_ops kobj_pkt_ops = {
29167+static const struct sysfs_ops kobj_pkt_ops = {
29168 .show = kobj_pkt_show,
29169 .store = kobj_pkt_store
29170 };
29171diff -urNp linux-2.6.32.48/drivers/char/agp/frontend.c linux-2.6.32.48/drivers/char/agp/frontend.c
29172--- linux-2.6.32.48/drivers/char/agp/frontend.c 2011-11-08 19:02:43.000000000 -0500
29173+++ linux-2.6.32.48/drivers/char/agp/frontend.c 2011-11-15 19:59:43.000000000 -0500
29174@@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
29175 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
29176 return -EFAULT;
29177
29178- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
29179+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
29180 return -EFAULT;
29181
29182 client = agp_find_client_by_pid(reserve.pid);
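Review bot: The overflow bound now divides by `sizeof(struct agp_segment_priv)`, but the allocation it protects is outside the hunk, so nothing here keeps the two element types in step. That mismatch appears to be what this change corrects. I would add `/* must use the same element type as the seg_count allocation */` above the test, or move the bound into a helper next to the allocation. Returning `-EFAULT` for an out-of-range count is also misleading; `-EINVAL` would describe it better, though user space may depend on the existing value.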
29183diff -urNp linux-2.6.32.48/drivers/char/briq_panel.c linux-2.6.32.48/drivers/char/briq_panel.c
29184--- linux-2.6.32.48/drivers/char/briq_panel.c 2011-11-08 19:02:43.000000000 -0500
29185+++ linux-2.6.32.48/drivers/char/briq_panel.c 2011-11-15 19:59:43.000000000 -0500
29186@@ -10,6 +10,7 @@
29187 #include <linux/types.h>
29188 #include <linux/errno.h>
29189 #include <linux/tty.h>
29190+#include <linux/mutex.h>
29191 #include <linux/timer.h>
29192 #include <linux/kernel.h>
29193 #include <linux/wait.h>
29194@@ -36,6 +37,7 @@ static int vfd_is_open;
29195 static unsigned char vfd[40];
29196 static int vfd_cursor;
29197 static unsigned char ledpb, led;
29198+static DEFINE_MUTEX(vfd_mutex);
29199
29200 static void update_vfd(void)
29201 {
29202@@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
29203 if (!vfd_is_open)
29204 return -EBUSY;
29205
29206+ mutex_lock(&vfd_mutex);
29207 for (;;) {
29208 char c;
29209 if (!indx)
29210 break;
29211- if (get_user(c, buf))
29212+ if (get_user(c, buf)) {
29213+ mutex_unlock(&vfd_mutex);
29214 return -EFAULT;
29215+ }
29216 if (esc) {
29217 set_led(c);
29218 esc = 0;
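Review bot: The `get_user` failure path unlocks `vfd_mutex` by hand, so every future early return inside the loop has to remember its own `mutex_unlock`. A single exit is more robust: replace the braced body with `ret = -EFAULT; goto out_unlock;` and keep one `mutex_unlock(&vfd_mutex);` at an `out_unlock:` label, still skipping `update_vfd()` on error as the current code does. The `vfd_is_open` test also runs before the lock is taken. In the visible hunks only briq_panel_write takes the mutex, so any other path that writes `vfd[]` or `vfd_cursor` should be checked for the same locking. The function body continues past this hunk.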
29219@@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
29220 buf++;
29221 }
29222 update_vfd();
29223+ mutex_unlock(&vfd_mutex);
29224
29225 return len;
29226 }
29227diff -urNp linux-2.6.32.48/drivers/char/genrtc.c linux-2.6.32.48/drivers/char/genrtc.c
29228--- linux-2.6.32.48/drivers/char/genrtc.c 2011-11-08 19:02:43.000000000 -0500
29229+++ linux-2.6.32.48/drivers/char/genrtc.c 2011-11-15 19:59:43.000000000 -0500
29230@@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
29231 switch (cmd) {
29232
29233 case RTC_PLL_GET:
29234+ memset(&pll, 0, sizeof(pll));
29235 if (get_rtc_pll(&pll))
29236 return -EINVAL;
29237 else
29238diff -urNp linux-2.6.32.48/drivers/char/hpet.c linux-2.6.32.48/drivers/char/hpet.c
29239--- linux-2.6.32.48/drivers/char/hpet.c 2011-11-08 19:02:43.000000000 -0500
29240+++ linux-2.6.32.48/drivers/char/hpet.c 2011-11-15 19:59:43.000000000 -0500
29241@@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
29242 return 0;
29243 }
29244
29245-static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
29246+static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
29247
29248 static int
29249 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
29250@@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
29251 }
29252
29253 static int
29254-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
29255+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
29256 {
29257 struct hpet_timer __iomem *timer;
29258 struct hpet __iomem *hpet;
29259@@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
29260 {
29261 struct hpet_info info;
29262
29263+ memset(&info, 0, sizeof(info));
29264+
29265 if (devp->hd_ireqfreq)
29266 info.hi_ireqfreq =
29267 hpet_time_div(hpetp, devp->hd_ireqfreq);
29268- else
29269- info.hi_ireqfreq = 0;
29270 info.hi_flags =
29271 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
29272 info.hi_hpet = hpetp->hp_which;
29273diff -urNp linux-2.6.32.48/drivers/char/hvc_beat.c linux-2.6.32.48/drivers/char/hvc_beat.c
29274--- linux-2.6.32.48/drivers/char/hvc_beat.c 2011-11-08 19:02:43.000000000 -0500
29275+++ linux-2.6.32.48/drivers/char/hvc_beat.c 2011-11-15 19:59:43.000000000 -0500
29276@@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
29277 return cnt;
29278 }
29279
29280-static struct hv_ops hvc_beat_get_put_ops = {
29281+static const struct hv_ops hvc_beat_get_put_ops = {
29282 .get_chars = hvc_beat_get_chars,
29283 .put_chars = hvc_beat_put_chars,
29284 };
29285diff -urNp linux-2.6.32.48/drivers/char/hvc_console.c linux-2.6.32.48/drivers/char/hvc_console.c
29286--- linux-2.6.32.48/drivers/char/hvc_console.c 2011-11-08 19:02:43.000000000 -0500
29287+++ linux-2.6.32.48/drivers/char/hvc_console.c 2011-11-15 19:59:43.000000000 -0500
29288@@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
29289 * console interfaces but can still be used as a tty device. This has to be
29290 * static because kmalloc will not work during early console init.
29291 */
29292-static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29293+static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
29294 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
29295 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
29296
29297@@ -249,7 +249,7 @@ static void destroy_hvc_struct(struct kr
29298 * vty adapters do NOT get an hvc_instantiate() callback since they
29299 * appear after early console init.
29300 */
29301-int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
29302+int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
29303 {
29304 struct hvc_struct *hp;
29305
29306@@ -758,7 +758,7 @@ static const struct tty_operations hvc_o
29307 };
29308
29309 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
29310- struct hv_ops *ops, int outbuf_size)
29311+ const struct hv_ops *ops, int outbuf_size)
29312 {
29313 struct hvc_struct *hp;
29314 int i;
29315diff -urNp linux-2.6.32.48/drivers/char/hvc_console.h linux-2.6.32.48/drivers/char/hvc_console.h
29316--- linux-2.6.32.48/drivers/char/hvc_console.h 2011-11-08 19:02:43.000000000 -0500
29317+++ linux-2.6.32.48/drivers/char/hvc_console.h 2011-11-15 19:59:43.000000000 -0500
29318@@ -55,7 +55,7 @@ struct hvc_struct {
29319 int outbuf_size;
29320 int n_outbuf;
29321 uint32_t vtermno;
29322- struct hv_ops *ops;
29323+ const struct hv_ops *ops;
29324 int irq_requested;
29325 int data;
29326 struct winsize ws;
29327@@ -76,11 +76,11 @@ struct hv_ops {
29328 };
29329
29330 /* Register a vterm and a slot index for use as a console (console_init) */
29331-extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
29332+extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
29333
29334 /* register a vterm for hvc tty operation (module_init or hotplug add) */
29335 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
29336- struct hv_ops *ops, int outbuf_size);
29337+ const struct hv_ops *ops, int outbuf_size);
29338 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
29339 extern int hvc_remove(struct hvc_struct *hp);
29340
29341diff -urNp linux-2.6.32.48/drivers/char/hvc_iseries.c linux-2.6.32.48/drivers/char/hvc_iseries.c
29342--- linux-2.6.32.48/drivers/char/hvc_iseries.c 2011-11-08 19:02:43.000000000 -0500
29343+++ linux-2.6.32.48/drivers/char/hvc_iseries.c 2011-11-15 19:59:43.000000000 -0500
29344@@ -197,7 +197,7 @@ done:
29345 return sent;
29346 }
29347
29348-static struct hv_ops hvc_get_put_ops = {
29349+static const struct hv_ops hvc_get_put_ops = {
29350 .get_chars = get_chars,
29351 .put_chars = put_chars,
29352 .notifier_add = notifier_add_irq,
29353diff -urNp linux-2.6.32.48/drivers/char/hvc_iucv.c linux-2.6.32.48/drivers/char/hvc_iucv.c
29354--- linux-2.6.32.48/drivers/char/hvc_iucv.c 2011-11-08 19:02:43.000000000 -0500
29355+++ linux-2.6.32.48/drivers/char/hvc_iucv.c 2011-11-15 19:59:43.000000000 -0500
29356@@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
29357
29358
29359 /* HVC operations */
29360-static struct hv_ops hvc_iucv_ops = {
29361+static const struct hv_ops hvc_iucv_ops = {
29362 .get_chars = hvc_iucv_get_chars,
29363 .put_chars = hvc_iucv_put_chars,
29364 .notifier_add = hvc_iucv_notifier_add,
29365diff -urNp linux-2.6.32.48/drivers/char/hvc_rtas.c linux-2.6.32.48/drivers/char/hvc_rtas.c
29366--- linux-2.6.32.48/drivers/char/hvc_rtas.c 2011-11-08 19:02:43.000000000 -0500
29367+++ linux-2.6.32.48/drivers/char/hvc_rtas.c 2011-11-15 19:59:43.000000000 -0500
29368@@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
29369 return i;
29370 }
29371
29372-static struct hv_ops hvc_rtas_get_put_ops = {
29373+static const struct hv_ops hvc_rtas_get_put_ops = {
29374 .get_chars = hvc_rtas_read_console,
29375 .put_chars = hvc_rtas_write_console,
29376 };
29377diff -urNp linux-2.6.32.48/drivers/char/hvcs.c linux-2.6.32.48/drivers/char/hvcs.c
29378--- linux-2.6.32.48/drivers/char/hvcs.c 2011-11-08 19:02:43.000000000 -0500
29379+++ linux-2.6.32.48/drivers/char/hvcs.c 2011-11-15 19:59:43.000000000 -0500
29380@@ -82,6 +82,7 @@
29381 #include <asm/hvcserver.h>
29382 #include <asm/uaccess.h>
29383 #include <asm/vio.h>
29384+#include <asm/local.h>
29385
29386 /*
29387 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
29388@@ -269,7 +270,7 @@ struct hvcs_struct {
29389 unsigned int index;
29390
29391 struct tty_struct *tty;
29392- int open_count;
29393+ local_t open_count;
29394
29395 /*
29396 * Used to tell the driver kernel_thread what operations need to take
29397@@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
29398
29399 spin_lock_irqsave(&hvcsd->lock, flags);
29400
29401- if (hvcsd->open_count > 0) {
29402+ if (local_read(&hvcsd->open_count) > 0) {
29403 spin_unlock_irqrestore(&hvcsd->lock, flags);
29404 printk(KERN_INFO "HVCS: vterm state unchanged. "
29405 "The hvcs device node is still in use.\n");
29406@@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
29407 if ((retval = hvcs_partner_connect(hvcsd)))
29408 goto error_release;
29409
29410- hvcsd->open_count = 1;
29411+ local_set(&hvcsd->open_count, 1);
29412 hvcsd->tty = tty;
29413 tty->driver_data = hvcsd;
29414
29415@@ -1169,7 +1170,7 @@ fast_open:
29416
29417 spin_lock_irqsave(&hvcsd->lock, flags);
29418 kref_get(&hvcsd->kref);
29419- hvcsd->open_count++;
29420+ local_inc(&hvcsd->open_count);
29421 hvcsd->todo_mask |= HVCS_SCHED_READ;
29422 spin_unlock_irqrestore(&hvcsd->lock, flags);
29423
29424@@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
29425 hvcsd = tty->driver_data;
29426
29427 spin_lock_irqsave(&hvcsd->lock, flags);
29428- if (--hvcsd->open_count == 0) {
29429+ if (local_dec_and_test(&hvcsd->open_count)) {
29430
29431 vio_disable_interrupts(hvcsd->vdev);
29432
29433@@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
29434 free_irq(irq, hvcsd);
29435 kref_put(&hvcsd->kref, destroy_hvcs_struct);
29436 return;
29437- } else if (hvcsd->open_count < 0) {
29438+ } else if (local_read(&hvcsd->open_count) < 0) {
29439 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
29440 " is missmanaged.\n",
29441- hvcsd->vdev->unit_address, hvcsd->open_count);
29442+ hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
29443 }
29444
29445 spin_unlock_irqrestore(&hvcsd->lock, flags);
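Review bot: The `printk` in the `open_count < 0` branch still uses `%d` but now passes `local_read(&hvcsd->open_count)`, which returns `long` on the architectures I know of, so the format and argument types no longer match. Either change the specifier to `%ld` or cast the argument, e.g. `(int)local_read(&hvcsd->open_count)`. The `temp_open_count = local_read(...)` assignment in the hvcs_hangup hunk narrows in the same way if `temp_open_count` is still an `int`; its declaration is outside the hunk.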
29446@@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
29447
29448 spin_lock_irqsave(&hvcsd->lock, flags);
29449 /* Preserve this so that we know how many kref refs to put */
29450- temp_open_count = hvcsd->open_count;
29451+ temp_open_count = local_read(&hvcsd->open_count);
29452
29453 /*
29454 * Don't kref put inside the spinlock because the destruction
29455@@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
29456 hvcsd->tty->driver_data = NULL;
29457 hvcsd->tty = NULL;
29458
29459- hvcsd->open_count = 0;
29460+ local_set(&hvcsd->open_count, 0);
29461
29462 /* This will drop any buffered data on the floor which is OK in a hangup
29463 * scenario. */
29464@@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
29465 * the middle of a write operation? This is a crummy place to do this
29466 * but we want to keep it all in the spinlock.
29467 */
29468- if (hvcsd->open_count <= 0) {
29469+ if (local_read(&hvcsd->open_count) <= 0) {
29470 spin_unlock_irqrestore(&hvcsd->lock, flags);
29471 return -ENODEV;
29472 }
29473@@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
29474 {
29475 struct hvcs_struct *hvcsd = tty->driver_data;
29476
29477- if (!hvcsd || hvcsd->open_count <= 0)
29478+ if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
29479 return 0;
29480
29481 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
29482diff -urNp linux-2.6.32.48/drivers/char/hvc_udbg.c linux-2.6.32.48/drivers/char/hvc_udbg.c
29483--- linux-2.6.32.48/drivers/char/hvc_udbg.c 2011-11-08 19:02:43.000000000 -0500
29484+++ linux-2.6.32.48/drivers/char/hvc_udbg.c 2011-11-15 19:59:43.000000000 -0500
29485@@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
29486 return i;
29487 }
29488
29489-static struct hv_ops hvc_udbg_ops = {
29490+static const struct hv_ops hvc_udbg_ops = {
29491 .get_chars = hvc_udbg_get,
29492 .put_chars = hvc_udbg_put,
29493 };
29494diff -urNp linux-2.6.32.48/drivers/char/hvc_vio.c linux-2.6.32.48/drivers/char/hvc_vio.c
29495--- linux-2.6.32.48/drivers/char/hvc_vio.c 2011-11-08 19:02:43.000000000 -0500
29496+++ linux-2.6.32.48/drivers/char/hvc_vio.c 2011-11-15 19:59:43.000000000 -0500
29497@@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
29498 return got;
29499 }
29500
29501-static struct hv_ops hvc_get_put_ops = {
29502+static const struct hv_ops hvc_get_put_ops = {
29503 .get_chars = filtered_get_chars,
29504 .put_chars = hvc_put_chars,
29505 .notifier_add = notifier_add_irq,
29506diff -urNp linux-2.6.32.48/drivers/char/hvc_xen.c linux-2.6.32.48/drivers/char/hvc_xen.c
29507--- linux-2.6.32.48/drivers/char/hvc_xen.c 2011-11-08 19:02:43.000000000 -0500
29508+++ linux-2.6.32.48/drivers/char/hvc_xen.c 2011-11-15 19:59:43.000000000 -0500
29509@@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
29510 return recv;
29511 }
29512
29513-static struct hv_ops hvc_ops = {
29514+static const struct hv_ops hvc_ops = {
29515 .get_chars = read_console,
29516 .put_chars = write_console,
29517 .notifier_add = notifier_add_irq,
29518diff -urNp linux-2.6.32.48/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.48/drivers/char/ipmi/ipmi_msghandler.c
29519--- linux-2.6.32.48/drivers/char/ipmi/ipmi_msghandler.c 2011-11-08 19:02:43.000000000 -0500
29520+++ linux-2.6.32.48/drivers/char/ipmi/ipmi_msghandler.c 2011-11-15 19:59:43.000000000 -0500
29521@@ -414,7 +414,7 @@ struct ipmi_smi {
29522 struct proc_dir_entry *proc_dir;
29523 char proc_dir_name[10];
29524
29525- atomic_t stats[IPMI_NUM_STATS];
29526+ atomic_unchecked_t stats[IPMI_NUM_STATS];
29527
29528 /*
29529 * run_to_completion duplicate of smb_info, smi_info
29530@@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
29531
29532
29533 #define ipmi_inc_stat(intf, stat) \
29534- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
29535+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
29536 #define ipmi_get_stat(intf, stat) \
29537- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
29538+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
29539
29540 static int is_lan_addr(struct ipmi_addr *addr)
29541 {
29542@@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
29543 INIT_LIST_HEAD(&intf->cmd_rcvrs);
29544 init_waitqueue_head(&intf->waitq);
29545 for (i = 0; i < IPMI_NUM_STATS; i++)
29546- atomic_set(&intf->stats[i], 0);
29547+ atomic_set_unchecked(&intf->stats[i], 0);
29548
29549 intf->proc_dir = NULL;
29550
29551@@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
29552 struct ipmi_smi_msg smi_msg;
29553 struct ipmi_recv_msg recv_msg;
29554
29555+ pax_track_stack();
29556+
29557 si = (struct ipmi_system_interface_addr *) &addr;
29558 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
29559 si->channel = IPMI_BMC_CHANNEL;
29560diff -urNp linux-2.6.32.48/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.48/drivers/char/ipmi/ipmi_si_intf.c
29561--- linux-2.6.32.48/drivers/char/ipmi/ipmi_si_intf.c 2011-11-08 19:02:43.000000000 -0500
29562+++ linux-2.6.32.48/drivers/char/ipmi/ipmi_si_intf.c 2011-11-15 19:59:43.000000000 -0500
29563@@ -277,7 +277,7 @@ struct smi_info {
29564 unsigned char slave_addr;
29565
29566 /* Counters and things for the proc filesystem. */
29567- atomic_t stats[SI_NUM_STATS];
29568+ atomic_unchecked_t stats[SI_NUM_STATS];
29569
29570 struct task_struct *thread;
29571
29572@@ -285,9 +285,9 @@ struct smi_info {
29573 };
29574
29575 #define smi_inc_stat(smi, stat) \
29576- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
29577+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
29578 #define smi_get_stat(smi, stat) \
29579- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
29580+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
29581
29582 #define SI_MAX_PARMS 4
29583
29584@@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
29585 atomic_set(&new_smi->req_events, 0);
29586 new_smi->run_to_completion = 0;
29587 for (i = 0; i < SI_NUM_STATS; i++)
29588- atomic_set(&new_smi->stats[i], 0);
29589+ atomic_set_unchecked(&new_smi->stats[i], 0);
29590
29591 new_smi->interrupt_disabled = 0;
29592 atomic_set(&new_smi->stop_operation, 0);
29593diff -urNp linux-2.6.32.48/drivers/char/istallion.c linux-2.6.32.48/drivers/char/istallion.c
29594--- linux-2.6.32.48/drivers/char/istallion.c 2011-11-08 19:02:43.000000000 -0500
29595+++ linux-2.6.32.48/drivers/char/istallion.c 2011-11-15 19:59:43.000000000 -0500
29596@@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
29597 * re-used for each stats call.
29598 */
29599 static comstats_t stli_comstats;
29600-static combrd_t stli_brdstats;
29601 static struct asystats stli_cdkstats;
29602
29603 /*****************************************************************************/
29604@@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
29605 {
29606 struct stlibrd *brdp;
29607 unsigned int i;
29608+ combrd_t stli_brdstats;
29609
29610 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
29611 return -EFAULT;
29612@@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
29613 struct stliport stli_dummyport;
29614 struct stliport *portp;
29615
29616+ pax_track_stack();
29617+
29618 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
29619 return -EFAULT;
29620 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
29621@@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
29622 struct stlibrd stli_dummybrd;
29623 struct stlibrd *brdp;
29624
29625+ pax_track_stack();
29626+
29627 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
29628 return -EFAULT;
29629 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
29630diff -urNp linux-2.6.32.48/drivers/char/Kconfig linux-2.6.32.48/drivers/char/Kconfig
29631--- linux-2.6.32.48/drivers/char/Kconfig 2011-11-08 19:02:43.000000000 -0500
29632+++ linux-2.6.32.48/drivers/char/Kconfig 2011-11-15 19:59:43.000000000 -0500
29633@@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
29634
29635 config DEVKMEM
29636 bool "/dev/kmem virtual device support"
29637- default y
29638+ default n
29639+ depends on !GRKERNSEC_KMEM
29640 help
29641 Say Y here if you want to support the /dev/kmem device. The
29642 /dev/kmem device is rarely used, but can be used for certain
29643@@ -1114,6 +1115,7 @@ config DEVPORT
29644 bool
29645 depends on !M68K
29646 depends on ISA || PCI
29647+ depends on !GRKERNSEC_KMEM
29648 default y
29649
29650 source "drivers/s390/char/Kconfig"
29651diff -urNp linux-2.6.32.48/drivers/char/keyboard.c linux-2.6.32.48/drivers/char/keyboard.c
29652--- linux-2.6.32.48/drivers/char/keyboard.c 2011-11-08 19:02:43.000000000 -0500
29653+++ linux-2.6.32.48/drivers/char/keyboard.c 2011-11-15 19:59:43.000000000 -0500
29654@@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
29655 kbd->kbdmode == VC_MEDIUMRAW) &&
29656 value != KVAL(K_SAK))
29657 return; /* SAK is allowed even in raw mode */
29658+
29659+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
29660+ {
29661+ void *func = fn_handler[value];
29662+ if (func == fn_show_state || func == fn_show_ptregs ||
29663+ func == fn_show_mem)
29664+ return;
29665+ }
29666+#endif
29667+
29668 fn_handler[value](vc);
29669 }
29670
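Review bot: The new block compares handlers through `void *func = fn_handler[value];`, which converts a function pointer to an object pointer and drops its type; declaring `func` with the element type of fn_handler keeps the comparison type-checked. The block also has no comment saying why these three handlers are singled out. Something like `/* no console-key dumps of task state, registers or memory info when /proc restrictions are enabled */` would do, assuming that is the intent behind tying it to CONFIG_GRKERNSEC_PROC and CONFIG_GRKERNSEC_PROC_MEMMAP. k_spec() starts outside the hunk, so any range check on `value` before the array index is not visible here.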
29671@@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
29672 .evbit = { BIT_MASK(EV_SND) },
29673 },
29674
29675- { }, /* Terminating entry */
29676+ { 0 }, /* Terminating entry */
29677 };
29678
29679 MODULE_DEVICE_TABLE(input, kbd_ids);
29680diff -urNp linux-2.6.32.48/drivers/char/mbcs.c linux-2.6.32.48/drivers/char/mbcs.c
29681--- linux-2.6.32.48/drivers/char/mbcs.c 2011-11-08 19:02:43.000000000 -0500
29682+++ linux-2.6.32.48/drivers/char/mbcs.c 2011-11-18 18:01:55.000000000 -0500
29683@@ -799,7 +799,7 @@ static int mbcs_remove(struct cx_dev *de
29684 return 0;
29685 }
29686
29687-static const struct cx_device_id __devinitdata mbcs_id_table[] = {
29688+static const struct cx_device_id __devinitconst mbcs_id_table[] = {
29689 {
29690 .part_num = MBCS_PART_NUM,
29691 .mfg_num = MBCS_MFG_NUM,
29692diff -urNp linux-2.6.32.48/drivers/char/mem.c linux-2.6.32.48/drivers/char/mem.c
29693--- linux-2.6.32.48/drivers/char/mem.c 2011-11-08 19:02:43.000000000 -0500
29694+++ linux-2.6.32.48/drivers/char/mem.c 2011-11-15 19:59:43.000000000 -0500
29695@@ -18,6 +18,7 @@
29696 #include <linux/raw.h>
29697 #include <linux/tty.h>
29698 #include <linux/capability.h>
29699+#include <linux/security.h>
29700 #include <linux/ptrace.h>
29701 #include <linux/device.h>
29702 #include <linux/highmem.h>
29703@@ -35,6 +36,10 @@
29704 # include <linux/efi.h>
29705 #endif
29706
29707+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29708+extern struct file_operations grsec_fops;
29709+#endif
29710+
29711 static inline unsigned long size_inside_page(unsigned long start,
29712 unsigned long size)
29713 {
29714@@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
29715
29716 while (cursor < to) {
29717 if (!devmem_is_allowed(pfn)) {
29718+#ifdef CONFIG_GRKERNSEC_KMEM
29719+ gr_handle_mem_readwrite(from, to);
29720+#else
29721 printk(KERN_INFO
29722 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
29723 current->comm, from, to);
29724+#endif
29725 return 0;
29726 }
29727 cursor += PAGE_SIZE;
29728@@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
29729 }
29730 return 1;
29731 }
29732+#elif defined(CONFIG_GRKERNSEC_KMEM)
29733+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29734+{
29735+ return 0;
29736+}
29737 #else
29738 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
29739 {
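Review bot: The added `#elif defined(CONFIG_GRKERNSEC_KMEM)` variant of range_is_allowed() returns 0 for every range and needs a comment, because it silently turns every caller's access check into a denial when this branch is selected. Something like `/* GRKERNSEC_KMEM without the devmem_is_allowed() filter above: refuse all ranges */` would do. The condition guarding the first branch lies outside the hunk, so the wording should be checked against it. The `#else` definition that follows continues past the end of the hunk.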
29740@@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
29741 #endif
29742
29743 while (count > 0) {
29744+ char *temp;
29745+
29746 /*
29747 * Handle first page in case it's not aligned
29748 */
29749@@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
29750 if (!ptr)
29751 return -EFAULT;
29752
29753- if (copy_to_user(buf, ptr, sz)) {
29754+#ifdef CONFIG_PAX_USERCOPY
29755+ temp = kmalloc(sz, GFP_KERNEL);
29756+ if (!temp) {
29757+ unxlate_dev_mem_ptr(p, ptr);
29758+ return -ENOMEM;
29759+ }
29760+ memcpy(temp, ptr, sz);
29761+#else
29762+ temp = ptr;
29763+#endif
29764+
29765+ if (copy_to_user(buf, temp, sz)) {
29766+
29767+#ifdef CONFIG_PAX_USERCOPY
29768+ kfree(temp);
29769+#endif
29770+
29771 unxlate_dev_mem_ptr(p, ptr);
29772 return -EFAULT;
29773 }
29774
29775+#ifdef CONFIG_PAX_USERCOPY
29776+ kfree(temp);
29777+#endif
29778+
29779 unxlate_dev_mem_ptr(p, ptr);
29780
29781 buf += sz;
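Review bot: In the CONFIG_PAX_USERCOPY path the bounce buffer is freed in two places and the loop body now carries three separate `#ifdef` blocks, which makes it easy for a later edit to miss one of the `kfree(temp)` calls. The read_kmem() change further down in this file already uses the simpler shape: keep the result of copy_to_user(), free once, then test the result. Doing the same here, with a local such as `unsigned long left` declared next to `temp`, keeps behaviour identical and leaves a single release point. read_mem() begins and ends outside this hunk.

```c
/* … unchanged: bounce-buffer allocation under CONFIG_PAX_USERCOPY … */
		left = copy_to_user(buf, temp, sz);

#ifdef CONFIG_PAX_USERCOPY
		kfree(temp);
#endif

		unxlate_dev_mem_ptr(p, ptr);
		if (left)
			return -EFAULT;
```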
29782@@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
29783 size_t count, loff_t *ppos)
29784 {
29785 unsigned long p = *ppos;
29786- ssize_t low_count, read, sz;
29787+ ssize_t low_count, read, sz, err = 0;
29788 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
29789- int err = 0;
29790
29791 read = 0;
29792 if (p < (unsigned long) high_memory) {
29793@@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
29794 }
29795 #endif
29796 while (low_count > 0) {
29797+ char *temp;
29798+
29799 sz = size_inside_page(p, low_count);
29800
29801 /*
29802@@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
29803 */
29804 kbuf = xlate_dev_kmem_ptr((char *)p);
29805
29806- if (copy_to_user(buf, kbuf, sz))
29807+#ifdef CONFIG_PAX_USERCOPY
29808+ temp = kmalloc(sz, GFP_KERNEL);
29809+ if (!temp)
29810+ return -ENOMEM;
29811+ memcpy(temp, kbuf, sz);
29812+#else
29813+ temp = kbuf;
29814+#endif
29815+
29816+ err = copy_to_user(buf, temp, sz);
29817+
29818+#ifdef CONFIG_PAX_USERCOPY
29819+ kfree(temp);
29820+#endif
29821+
29822+ if (err)
29823 return -EFAULT;
29824 buf += sz;
29825 p += sz;
29826@@ -889,6 +941,9 @@ static const struct memdev {
29827 #ifdef CONFIG_CRASH_DUMP
29828 [12] = { "oldmem", 0, &oldmem_fops, NULL },
29829 #endif
29830+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
29831+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
29832+#endif
29833 };
29834
29835 static int memory_open(struct inode *inode, struct file *filp)
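Review bot: The new `[13]` entry creates the node with mode `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing in this hunk says why. If that is intentional because the handlers behind grsec_fops (declared extern earlier in this file, defined elsewhere) authenticate each request themselves, say so in a comment such as `/* world-writable by design: requests are authenticated in grsec_fops */`, so a later audit of device permissions does not have to rediscover it. Style: add the missing space after the comma in `"grsec",S_IRUSR`.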
29836diff -urNp linux-2.6.32.48/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.48/drivers/char/pcmcia/ipwireless/tty.c
29837--- linux-2.6.32.48/drivers/char/pcmcia/ipwireless/tty.c 2011-11-08 19:02:43.000000000 -0500
29838+++ linux-2.6.32.48/drivers/char/pcmcia/ipwireless/tty.c 2011-11-15 19:59:43.000000000 -0500
29839@@ -29,6 +29,7 @@
29840 #include <linux/tty_driver.h>
29841 #include <linux/tty_flip.h>
29842 #include <linux/uaccess.h>
29843+#include <asm/local.h>
29844
29845 #include "tty.h"
29846 #include "network.h"
29847@@ -51,7 +52,7 @@ struct ipw_tty {
29848 int tty_type;
29849 struct ipw_network *network;
29850 struct tty_struct *linux_tty;
29851- int open_count;
29852+ local_t open_count;
29853 unsigned int control_lines;
29854 struct mutex ipw_tty_mutex;
29855 int tx_bytes_queued;
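Review bot: The switch of `open_count` to `local_t` is undocumented, and local_t operations are only atomic with respect to the CPU they execute on, so the counter still depends on a lock for cross-CPU ordering. Please annotate the field, e.g. `local_t open_count; /* updated under ipw_tty_mutex */`, if that is the rule the driver follows. Several later hunks in this file (ipw_write_room(), ipw_chars_in_buffer(), ipw_tiocmget(), ipw_tiocmset(), ipw_ioctl()) show `local_read(&tty->open_count)` with no lock taken in the visible lines. That was already true of the plain int, but the comment should say whether those unlocked reads are intentional.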
29856@@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
29857 mutex_unlock(&tty->ipw_tty_mutex);
29858 return -ENODEV;
29859 }
29860- if (tty->open_count == 0)
29861+ if (local_read(&tty->open_count) == 0)
29862 tty->tx_bytes_queued = 0;
29863
29864- tty->open_count++;
29865+ local_inc(&tty->open_count);
29866
29867 tty->linux_tty = linux_tty;
29868 linux_tty->driver_data = tty;
29869@@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
29870
29871 static void do_ipw_close(struct ipw_tty *tty)
29872 {
29873- tty->open_count--;
29874-
29875- if (tty->open_count == 0) {
29876+ if (local_dec_return(&tty->open_count) == 0) {
29877 struct tty_struct *linux_tty = tty->linux_tty;
29878
29879 if (linux_tty != NULL) {
29880@@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
29881 return;
29882
29883 mutex_lock(&tty->ipw_tty_mutex);
29884- if (tty->open_count == 0) {
29885+ if (local_read(&tty->open_count) == 0) {
29886 mutex_unlock(&tty->ipw_tty_mutex);
29887 return;
29888 }
29889@@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
29890 return;
29891 }
29892
29893- if (!tty->open_count) {
29894+ if (!local_read(&tty->open_count)) {
29895 mutex_unlock(&tty->ipw_tty_mutex);
29896 return;
29897 }
29898@@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
29899 return -ENODEV;
29900
29901 mutex_lock(&tty->ipw_tty_mutex);
29902- if (!tty->open_count) {
29903+ if (!local_read(&tty->open_count)) {
29904 mutex_unlock(&tty->ipw_tty_mutex);
29905 return -EINVAL;
29906 }
29907@@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
29908 if (!tty)
29909 return -ENODEV;
29910
29911- if (!tty->open_count)
29912+ if (!local_read(&tty->open_count))
29913 return -EINVAL;
29914
29915 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
29916@@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
29917 if (!tty)
29918 return 0;
29919
29920- if (!tty->open_count)
29921+ if (!local_read(&tty->open_count))
29922 return 0;
29923
29924 return tty->tx_bytes_queued;
29925@@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
29926 if (!tty)
29927 return -ENODEV;
29928
29929- if (!tty->open_count)
29930+ if (!local_read(&tty->open_count))
29931 return -EINVAL;
29932
29933 return get_control_lines(tty);
29934@@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
29935 if (!tty)
29936 return -ENODEV;
29937
29938- if (!tty->open_count)
29939+ if (!local_read(&tty->open_count))
29940 return -EINVAL;
29941
29942 return set_control_lines(tty, set, clear);
29943@@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
29944 if (!tty)
29945 return -ENODEV;
29946
29947- if (!tty->open_count)
29948+ if (!local_read(&tty->open_count))
29949 return -EINVAL;
29950
29951 /* FIXME: Exactly how is the tty object locked here .. */
29952@@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
29953 against a parallel ioctl etc */
29954 mutex_lock(&ttyj->ipw_tty_mutex);
29955 }
29956- while (ttyj->open_count)
29957+ while (local_read(&ttyj->open_count))
29958 do_ipw_close(ttyj);
29959 ipwireless_disassociate_network_ttys(network,
29960 ttyj->channel_idx);
29961diff -urNp linux-2.6.32.48/drivers/char/pty.c linux-2.6.32.48/drivers/char/pty.c
29962--- linux-2.6.32.48/drivers/char/pty.c 2011-11-08 19:02:43.000000000 -0500
29963+++ linux-2.6.32.48/drivers/char/pty.c 2011-11-15 19:59:43.000000000 -0500
29964@@ -736,8 +736,10 @@ static void __init unix98_pty_init(void)
29965 register_sysctl_table(pty_root_table);
29966
29967 /* Now create the /dev/ptmx special device */
29968+ pax_open_kernel();
29969 tty_default_fops(&ptmx_fops);
29970- ptmx_fops.open = ptmx_open;
29971+ *(void **)&ptmx_fops.open = ptmx_open;
29972+ pax_close_kernel();
29973
29974 cdev_init(&ptmx_cdev, &ptmx_fops);
29975 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
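Review bot: `*(void **)&ptmx_fops.open = ptmx_open;` stores a function pointer through a `void **` cast, so the compiler no longer checks that ptmx_open matches the type of the `.open` member. Please add a comment explaining that the cast exists only to write a member that is otherwise treated as read-only, and keep the pax_open_kernel()/pax_close_kernel() window limited to these two statements, as done here. The same pattern, with the same loss of type checking, appears in the virtio_console.c hunks of this patch (virtio_cons_early_init() and virtcons_probe()). unix98_pty_init() continues outside the hunk.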
29976diff -urNp linux-2.6.32.48/drivers/char/random.c linux-2.6.32.48/drivers/char/random.c
29977--- linux-2.6.32.48/drivers/char/random.c 2011-11-08 19:02:43.000000000 -0500
29978+++ linux-2.6.32.48/drivers/char/random.c 2011-11-15 19:59:43.000000000 -0500
29979@@ -254,8 +254,13 @@
29980 /*
29981 * Configuration information
29982 */
29983+#ifdef CONFIG_GRKERNSEC_RANDNET
29984+#define INPUT_POOL_WORDS 512
29985+#define OUTPUT_POOL_WORDS 128
29986+#else
29987 #define INPUT_POOL_WORDS 128
29988 #define OUTPUT_POOL_WORDS 32
29989+#endif
29990 #define SEC_XFER_SIZE 512
29991
29992 /*
29993@@ -292,10 +297,17 @@ static struct poolinfo {
29994 int poolwords;
29995 int tap1, tap2, tap3, tap4, tap5;
29996 } poolinfo_table[] = {
29997+#ifdef CONFIG_GRKERNSEC_RANDNET
29998+ /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
29999+ { 512, 411, 308, 208, 104, 1 },
30000+ /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
30001+ { 128, 103, 76, 51, 25, 1 },
30002+#else
30003 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
30004 { 128, 103, 76, 51, 25, 1 },
30005 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
30006 { 32, 26, 20, 14, 7, 1 },
30007+#endif
30008 #if 0
30009 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
30010 { 2048, 1638, 1231, 819, 411, 1 },
30011@@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
30012 #include <linux/sysctl.h>
30013
30014 static int min_read_thresh = 8, min_write_thresh;
30015-static int max_read_thresh = INPUT_POOL_WORDS * 32;
30016+static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
30017 static int max_write_thresh = INPUT_POOL_WORDS * 32;
30018 static char sysctl_bootid[16];
30019
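Review bot: The change of max_read_thresh to `OUTPUT_POOL_WORDS * 32` is not inside the CONFIG_GRKERNSEC_RANDNET conditional used by the other random.c hunks, so it also lowers the limit on kernels built without that option (with the sizes defined earlier in this file, from 128 * 32 to 32 * 32). If that is deliberate, add a comment stating which pool bounds the read threshold, e.g. `/* read threshold is limited by the output pool size */`. That would make clear this is a correction and not a side effect of the pool resize.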
30020diff -urNp linux-2.6.32.48/drivers/char/rocket.c linux-2.6.32.48/drivers/char/rocket.c
30021--- linux-2.6.32.48/drivers/char/rocket.c 2011-11-08 19:02:43.000000000 -0500
30022+++ linux-2.6.32.48/drivers/char/rocket.c 2011-11-15 19:59:43.000000000 -0500
30023@@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
30024 struct rocket_ports tmp;
30025 int board;
30026
30027+ pax_track_stack();
30028+
30029 if (!retports)
30030 return -EFAULT;
30031 memset(&tmp, 0, sizeof (tmp));
30032diff -urNp linux-2.6.32.48/drivers/char/sonypi.c linux-2.6.32.48/drivers/char/sonypi.c
30033--- linux-2.6.32.48/drivers/char/sonypi.c 2011-11-08 19:02:43.000000000 -0500
30034+++ linux-2.6.32.48/drivers/char/sonypi.c 2011-11-15 19:59:43.000000000 -0500
30035@@ -55,6 +55,7 @@
30036 #include <asm/uaccess.h>
30037 #include <asm/io.h>
30038 #include <asm/system.h>
30039+#include <asm/local.h>
30040
30041 #include <linux/sonypi.h>
30042
30043@@ -491,7 +492,7 @@ static struct sonypi_device {
30044 spinlock_t fifo_lock;
30045 wait_queue_head_t fifo_proc_list;
30046 struct fasync_struct *fifo_async;
30047- int open_count;
30048+ local_t open_count;
30049 int model;
30050 struct input_dev *input_jog_dev;
30051 struct input_dev *input_key_dev;
30052@@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
30053 static int sonypi_misc_release(struct inode *inode, struct file *file)
30054 {
30055 mutex_lock(&sonypi_device.lock);
30056- sonypi_device.open_count--;
30057+ local_dec(&sonypi_device.open_count);
30058 mutex_unlock(&sonypi_device.lock);
30059 return 0;
30060 }
30061@@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
30062 lock_kernel();
30063 mutex_lock(&sonypi_device.lock);
30064 /* Flush input queue on first open */
30065- if (!sonypi_device.open_count)
30066+ if (!local_read(&sonypi_device.open_count))
30067 kfifo_reset(sonypi_device.fifo);
30068- sonypi_device.open_count++;
30069+ local_inc(&sonypi_device.open_count);
30070 mutex_unlock(&sonypi_device.lock);
30071 unlock_kernel();
30072 return 0;
30073diff -urNp linux-2.6.32.48/drivers/char/stallion.c linux-2.6.32.48/drivers/char/stallion.c
30074--- linux-2.6.32.48/drivers/char/stallion.c 2011-11-08 19:02:43.000000000 -0500
30075+++ linux-2.6.32.48/drivers/char/stallion.c 2011-11-15 19:59:43.000000000 -0500
30076@@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
30077 struct stlport stl_dummyport;
30078 struct stlport *portp;
30079
30080+ pax_track_stack();
30081+
30082 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
30083 return -EFAULT;
30084 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
30085diff -urNp linux-2.6.32.48/drivers/char/tpm/tpm_bios.c linux-2.6.32.48/drivers/char/tpm/tpm_bios.c
30086--- linux-2.6.32.48/drivers/char/tpm/tpm_bios.c 2011-11-08 19:02:43.000000000 -0500
30087+++ linux-2.6.32.48/drivers/char/tpm/tpm_bios.c 2011-11-15 19:59:43.000000000 -0500
30088@@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
30089 event = addr;
30090
30091 if ((event->event_type == 0 && event->event_size == 0) ||
30092- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
30093+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
30094 return NULL;
30095
30096 return addr;
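Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer-addition overflow of the old form, but it is only correct when at least sizeof(struct tcpa_event) bytes remain between addr and limit. With fewer, the subtraction wraps to a very large unsigned value and an oversized event_size is accepted. Whether an earlier check guarantees that is not visible in this hunk, so either state it next to the test, e.g. `/* addr + sizeof(struct tcpa_event) < limit was checked above */`, or make it part of the condition. The same applies to the identical change in tpm_bios_measurements_next() in the following hunk; both functions start outside their hunks.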
30097@@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
30098 return NULL;
30099
30100 if ((event->event_type == 0 && event->event_size == 0) ||
30101- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
30102+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
30103 return NULL;
30104
30105 (*pos)++;
30106@@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
30107 int i;
30108
30109 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
30110- seq_putc(m, data[i]);
30111+ if (!seq_putc(m, data[i]))
30112+ return -EFAULT;
30113
30114 return 0;
30115 }
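Review bot: The added `if (!seq_putc(m, data[i])) return -EFAULT;` looks inverted if seq_putc() in this tree returns 0 on success and non-zero when the buffer is full (its definition is not part of this hunk). The loop would then bail out with -EFAULT after the first byte that was written successfully. Under that convention the test should be `if (seq_putc(m, data[i]))`. Also confirm that a negative return is what the seq_file core expects on overflow: if it retries with a larger buffer on its own, returning an error from the show routine turns a recoverable condition into a failed read of the measurement log. The function starts outside the hunk.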
30116@@ -409,8 +410,13 @@ static int read_log(struct tpm_bios_log
30117 log->bios_event_log_end = log->bios_event_log + len;
30118
30119 virt = acpi_os_map_memory(start, len);
30120+ if (!virt) {
30121+ kfree(log->bios_event_log);
30122+ log->bios_event_log = NULL;
30123+ return -EFAULT;
30124+ }
30125
30126- memcpy(log->bios_event_log, virt, len);
30127+ memcpy(log->bios_event_log, (const char __force_kernel *)virt, len);
30128
30129 acpi_os_unmap_memory(virt, len);
30130 return 0;
30131diff -urNp linux-2.6.32.48/drivers/char/tpm/tpm.c linux-2.6.32.48/drivers/char/tpm/tpm.c
30132--- linux-2.6.32.48/drivers/char/tpm/tpm.c 2011-11-08 19:02:43.000000000 -0500
30133+++ linux-2.6.32.48/drivers/char/tpm/tpm.c 2011-11-15 19:59:43.000000000 -0500
30134@@ -405,7 +405,7 @@ static ssize_t tpm_transmit(struct tpm_c
30135 chip->vendor.req_complete_val)
30136 goto out_recv;
30137
30138- if ((status == chip->vendor.req_canceled)) {
30139+ if (status == chip->vendor.req_canceled) {
30140 dev_err(chip->dev, "Operation Canceled\n");
30141 rc = -ECANCELED;
30142 goto out;
30143@@ -824,6 +824,8 @@ ssize_t tpm_show_pubek(struct device *de
30144
30145 struct tpm_chip *chip = dev_get_drvdata(dev);
30146
30147+ pax_track_stack();
30148+
30149 tpm_cmd.header.in = tpm_readpubek_header;
30150 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
30151 "attempting to read the PUBEK");
30152diff -urNp linux-2.6.32.48/drivers/char/tty_io.c linux-2.6.32.48/drivers/char/tty_io.c
30153--- linux-2.6.32.48/drivers/char/tty_io.c 2011-11-08 19:02:43.000000000 -0500
30154+++ linux-2.6.32.48/drivers/char/tty_io.c 2011-11-15 19:59:43.000000000 -0500
30155@@ -1773,6 +1773,7 @@ got_driver:
30156
30157 if (IS_ERR(tty)) {
30158 mutex_unlock(&tty_mutex);
30159+ tty_driver_kref_put(driver);
30160 return PTR_ERR(tty);
30161 }
30162 }
30163@@ -2582,8 +2583,10 @@ long tty_ioctl(struct file *file, unsign
30164 return retval;
30165 }
30166
30167+EXPORT_SYMBOL(tty_ioctl);
30168+
30169 #ifdef CONFIG_COMPAT
30170-static long tty_compat_ioctl(struct file *file, unsigned int cmd,
30171+long tty_compat_ioctl(struct file *file, unsigned int cmd,
30172 unsigned long arg)
30173 {
30174 struct inode *inode = file->f_dentry->d_inode;
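Review bot: tty_compat_ioctl() loses `static` and is exported here, so it needs a prototype in a header that this file includes; none is visible in this hunk, and without one sparse and -Wmissing-prototypes builds will complain. The two new exports use `EXPORT_SYMBOL` while the neighbouring `get_current_tty` export in this file is `EXPORT_SYMBOL_GPL`; pick the narrower one unless non-GPL modules are meant to call these. Kernel style also puts the export directly under the closing brace, without the blank line added before `EXPORT_SYMBOL(tty_ioctl);` and `EXPORT_SYMBOL(tty_compat_ioctl);` (the second is in the next hunk).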
30175@@ -2607,6 +2610,8 @@ static long tty_compat_ioctl(struct file
30176
30177 return retval;
30178 }
30179+
30180+EXPORT_SYMBOL(tty_compat_ioctl);
30181 #endif
30182
30183 /*
30184@@ -3052,7 +3057,7 @@ EXPORT_SYMBOL_GPL(get_current_tty);
30185
30186 void tty_default_fops(struct file_operations *fops)
30187 {
30188- *fops = tty_fops;
30189+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
30190 }
30191
30192 /*
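Review bot: `memcpy((void *)fops, &tty_fops, sizeof(tty_fops));` takes the size from the source object and hides the destination type behind a `void *` cast; `sizeof(*fops)` would tie the length to the buffer actually being written. A one-line comment is also needed, since a plain struct assignment was replaced without explanation. Judging by the pty.c hunk in this patch, which wraps the call in pax_open_kernel()/pax_close_kernel(), the destination is expected to live in memory that is normally read-only, e.g. `/* fops may be write-protected; callers open the kernel write window */`.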
30193diff -urNp linux-2.6.32.48/drivers/char/tty_ldisc.c linux-2.6.32.48/drivers/char/tty_ldisc.c
30194--- linux-2.6.32.48/drivers/char/tty_ldisc.c 2011-11-08 19:02:43.000000000 -0500
30195+++ linux-2.6.32.48/drivers/char/tty_ldisc.c 2011-11-15 19:59:43.000000000 -0500
30196@@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
30197 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
30198 struct tty_ldisc_ops *ldo = ld->ops;
30199
30200- ldo->refcount--;
30201+ atomic_dec(&ldo->refcount);
30202 module_put(ldo->owner);
30203 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30204
30205@@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
30206 spin_lock_irqsave(&tty_ldisc_lock, flags);
30207 tty_ldiscs[disc] = new_ldisc;
30208 new_ldisc->num = disc;
30209- new_ldisc->refcount = 0;
30210+ atomic_set(&new_ldisc->refcount, 0);
30211 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30212
30213 return ret;
30214@@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
30215 return -EINVAL;
30216
30217 spin_lock_irqsave(&tty_ldisc_lock, flags);
30218- if (tty_ldiscs[disc]->refcount)
30219+ if (atomic_read(&tty_ldiscs[disc]->refcount))
30220 ret = -EBUSY;
30221 else
30222 tty_ldiscs[disc] = NULL;
30223@@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
30224 if (ldops) {
30225 ret = ERR_PTR(-EAGAIN);
30226 if (try_module_get(ldops->owner)) {
30227- ldops->refcount++;
30228+ atomic_inc(&ldops->refcount);
30229 ret = ldops;
30230 }
30231 }
30232@@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
30233 unsigned long flags;
30234
30235 spin_lock_irqsave(&tty_ldisc_lock, flags);
30236- ldops->refcount--;
30237+ atomic_dec(&ldops->refcount);
30238 module_put(ldops->owner);
30239 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
30240 }
30241diff -urNp linux-2.6.32.48/drivers/char/virtio_console.c linux-2.6.32.48/drivers/char/virtio_console.c
30242--- linux-2.6.32.48/drivers/char/virtio_console.c 2011-11-08 19:02:43.000000000 -0500
30243+++ linux-2.6.32.48/drivers/char/virtio_console.c 2011-11-15 19:59:43.000000000 -0500
30244@@ -133,7 +133,9 @@ static int get_chars(u32 vtermno, char *
30245 * virtqueue, so we let the drivers do some boutique early-output thing. */
30246 int __init virtio_cons_early_init(int (*put_chars)(u32, const char *, int))
30247 {
30248- virtio_cons.put_chars = put_chars;
30249+ pax_open_kernel();
30250+ *(void **)&virtio_cons.put_chars = put_chars;
30251+ pax_close_kernel();
30252 return hvc_instantiate(0, 0, &virtio_cons);
30253 }
30254
30255@@ -213,11 +215,13 @@ static int __devinit virtcons_probe(stru
30256 out_vq = vqs[1];
30257
30258 /* Start using the new console output. */
30259- virtio_cons.get_chars = get_chars;
30260- virtio_cons.put_chars = put_chars;
30261- virtio_cons.notifier_add = notifier_add_vio;
30262- virtio_cons.notifier_del = notifier_del_vio;
30263- virtio_cons.notifier_hangup = notifier_del_vio;
30264+ pax_open_kernel();
30265+ *(void **)&virtio_cons.get_chars = get_chars;
30266+ *(void **)&virtio_cons.put_chars = put_chars;
30267+ *(void **)&virtio_cons.notifier_add = notifier_add_vio;
30268+ *(void **)&virtio_cons.notifier_del = notifier_del_vio;
30269+ *(void **)&virtio_cons.notifier_hangup = notifier_del_vio;
30270+ pax_close_kernel();
30271
30272 /* The first argument of hvc_alloc() is the virtual console number, so
30273 * we use zero. The second argument is the parameter for the
30274diff -urNp linux-2.6.32.48/drivers/char/vt.c linux-2.6.32.48/drivers/char/vt.c
30275--- linux-2.6.32.48/drivers/char/vt.c 2011-11-08 19:02:43.000000000 -0500
30276+++ linux-2.6.32.48/drivers/char/vt.c 2011-11-15 19:59:43.000000000 -0500
30277@@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
30278
30279 static void notify_write(struct vc_data *vc, unsigned int unicode)
30280 {
30281- struct vt_notifier_param param = { .vc = vc, unicode = unicode };
30282+ struct vt_notifier_param param = { .vc = vc, .c = unicode };
30283 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, &param);
30284 }
30285
30286diff -urNp linux-2.6.32.48/drivers/char/vt_ioctl.c linux-2.6.32.48/drivers/char/vt_ioctl.c
30287--- linux-2.6.32.48/drivers/char/vt_ioctl.c 2011-11-08 19:02:43.000000000 -0500
30288+++ linux-2.6.32.48/drivers/char/vt_ioctl.c 2011-11-15 19:59:43.000000000 -0500
30289@@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30290 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
30291 return -EFAULT;
30292
30293- if (!capable(CAP_SYS_TTY_CONFIG))
30294- perm = 0;
30295-
30296 switch (cmd) {
30297 case KDGKBENT:
30298 key_map = key_maps[s];
30299@@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
30300 val = (i ? K_HOLE : K_NOSUCHMAP);
30301 return put_user(val, &user_kbe->kb_value);
30302 case KDSKBENT:
30303+ if (!capable(CAP_SYS_TTY_CONFIG))
30304+ perm = 0;
30305+
30306 if (!perm)
30307 return -EPERM;
30308+
30309 if (!i && v == K_NOSUCHMAP) {
30310 /* deallocate map */
30311 key_map = key_maps[s];
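Review bot: In the KDSKBENT case the moved check reads `if (!capable(CAP_SYS_TTY_CONFIG)) perm = 0;` immediately followed by `if (!perm) return -EPERM;`, which is two steps for one decision. `if (!perm || !capable(CAP_SYS_TTY_CONFIG)) return -EPERM;` says the same thing and only consults capable() when perm has not already ruled the request out, provided perm is not read again later in the case, which the hunk does not show. A short comment that the capability is deliberately checked only on the write path (KDGKBENT no longer triggers it) would record the reason for the move. The KDSKBSENT hunk in do_kdgkb_ioctl() can be treated the same way.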
30312@@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30313 int i, j, k;
30314 int ret;
30315
30316- if (!capable(CAP_SYS_TTY_CONFIG))
30317- perm = 0;
30318-
30319 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
30320 if (!kbs) {
30321 ret = -ENOMEM;
30322@@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
30323 kfree(kbs);
30324 return ((p && *p) ? -EOVERFLOW : 0);
30325 case KDSKBSENT:
30326+ if (!capable(CAP_SYS_TTY_CONFIG))
30327+ perm = 0;
30328+
30329 if (!perm) {
30330 ret = -EPERM;
30331 goto reterr;
30332diff -urNp linux-2.6.32.48/drivers/cpufreq/cpufreq.c linux-2.6.32.48/drivers/cpufreq/cpufreq.c
30333--- linux-2.6.32.48/drivers/cpufreq/cpufreq.c 2011-11-08 19:02:43.000000000 -0500
30334+++ linux-2.6.32.48/drivers/cpufreq/cpufreq.c 2011-11-15 19:59:43.000000000 -0500
30335@@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
30336 complete(&policy->kobj_unregister);
30337 }
30338
30339-static struct sysfs_ops sysfs_ops = {
30340+static const struct sysfs_ops sysfs_ops = {
30341 .show = show,
30342 .store = store,
30343 };
30344diff -urNp linux-2.6.32.48/drivers/cpuidle/sysfs.c linux-2.6.32.48/drivers/cpuidle/sysfs.c
30345--- linux-2.6.32.48/drivers/cpuidle/sysfs.c 2011-11-08 19:02:43.000000000 -0500
30346+++ linux-2.6.32.48/drivers/cpuidle/sysfs.c 2011-11-15 19:59:43.000000000 -0500
30347@@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
30348 return ret;
30349 }
30350
30351-static struct sysfs_ops cpuidle_sysfs_ops = {
30352+static const struct sysfs_ops cpuidle_sysfs_ops = {
30353 .show = cpuidle_show,
30354 .store = cpuidle_store,
30355 };
30356@@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
30357 return ret;
30358 }
30359
30360-static struct sysfs_ops cpuidle_state_sysfs_ops = {
30361+static const struct sysfs_ops cpuidle_state_sysfs_ops = {
30362 .show = cpuidle_state_show,
30363 };
30364
30365@@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
30366 .release = cpuidle_state_sysfs_release,
30367 };
30368
30369-static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30370+static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
30371 {
30372 kobject_put(&device->kobjs[i]->kobj);
30373 wait_for_completion(&device->kobjs[i]->kobj_unregister);
30374diff -urNp linux-2.6.32.48/drivers/crypto/hifn_795x.c linux-2.6.32.48/drivers/crypto/hifn_795x.c
30375--- linux-2.6.32.48/drivers/crypto/hifn_795x.c 2011-11-08 19:02:43.000000000 -0500
30376+++ linux-2.6.32.48/drivers/crypto/hifn_795x.c 2011-11-15 19:59:43.000000000 -0500
30377@@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
30378 0xCA, 0x34, 0x2B, 0x2E};
30379 struct scatterlist sg;
30380
30381+ pax_track_stack();
30382+
30383 memset(src, 0, sizeof(src));
30384 memset(ctx.key, 0, sizeof(ctx.key));
30385
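Review bot: The added `pax_track_stack();` in hifn_test has no comment, so a reader who does not know PaX cannot tell why this function in particular needs it. The hunk shows `src`, `ctx` (with `ctx.key`) and `sg` as locals, so the call is presumably there because of the large stack frame; a line such as `/* large stack frame: let PaX record how deep the kernel stack was used */` would say so. The same applies to aes_set_key in padlock-aes.c (where `gen_aes` presumably holds expanded key material on the stack), to fw_run_transaction in core-transaction.c, and to drm_crtc_helper_set_mode. In that last function the call sits after the first statement rather than directly after the declarations as at the other sites. hifn_test starts and ends outside this hunk.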
30386diff -urNp linux-2.6.32.48/drivers/crypto/padlock-aes.c linux-2.6.32.48/drivers/crypto/padlock-aes.c
30387--- linux-2.6.32.48/drivers/crypto/padlock-aes.c 2011-11-08 19:02:43.000000000 -0500
30388+++ linux-2.6.32.48/drivers/crypto/padlock-aes.c 2011-11-15 19:59:43.000000000 -0500
30389@@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
30390 struct crypto_aes_ctx gen_aes;
30391 int cpu;
30392
30393+ pax_track_stack();
30394+
30395 if (key_len % 8) {
30396 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
30397 return -EINVAL;
30398diff -urNp linux-2.6.32.48/drivers/dma/ioat/dma.c linux-2.6.32.48/drivers/dma/ioat/dma.c
30399--- linux-2.6.32.48/drivers/dma/ioat/dma.c 2011-11-08 19:02:43.000000000 -0500
30400+++ linux-2.6.32.48/drivers/dma/ioat/dma.c 2011-11-15 19:59:43.000000000 -0500
30401@@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
30402 return entry->show(&chan->common, page);
30403 }
30404
30405-struct sysfs_ops ioat_sysfs_ops = {
30406+const struct sysfs_ops ioat_sysfs_ops = {
30407 .show = ioat_attr_show,
30408 };
30409
30410diff -urNp linux-2.6.32.48/drivers/dma/ioat/dma.h linux-2.6.32.48/drivers/dma/ioat/dma.h
30411--- linux-2.6.32.48/drivers/dma/ioat/dma.h 2011-11-08 19:02:43.000000000 -0500
30412+++ linux-2.6.32.48/drivers/dma/ioat/dma.h 2011-11-15 19:59:43.000000000 -0500
30413@@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
30414 unsigned long *phys_complete);
30415 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
30416 void ioat_kobject_del(struct ioatdma_device *device);
30417-extern struct sysfs_ops ioat_sysfs_ops;
30418+extern const struct sysfs_ops ioat_sysfs_ops;
30419 extern struct ioat_sysfs_entry ioat_version_attr;
30420 extern struct ioat_sysfs_entry ioat_cap_attr;
30421 #endif /* IOATDMA_H */
30422diff -urNp linux-2.6.32.48/drivers/dma/ioat/dma_v3.c linux-2.6.32.48/drivers/dma/ioat/dma_v3.c
30423--- linux-2.6.32.48/drivers/dma/ioat/dma_v3.c 2011-11-08 19:02:43.000000000 -0500
30424+++ linux-2.6.32.48/drivers/dma/ioat/dma_v3.c 2011-11-18 18:01:55.000000000 -0500
30425@@ -71,10 +71,10 @@
30426 /* provide a lookup table for setting the source address in the base or
30427 * extended descriptor of an xor or pq descriptor
30428 */
30429-static const u8 xor_idx_to_desc __read_mostly = 0xd0;
30430-static const u8 xor_idx_to_field[] __read_mostly = { 1, 4, 5, 6, 7, 0, 1, 2 };
30431-static const u8 pq_idx_to_desc __read_mostly = 0xf8;
30432-static const u8 pq_idx_to_field[] __read_mostly = { 1, 4, 5, 0, 1, 2, 4, 5 };
30433+static const u8 xor_idx_to_desc = 0xd0;
30434+static const u8 xor_idx_to_field[] = { 1, 4, 5, 6, 7, 0, 1, 2 };
30435+static const u8 pq_idx_to_desc = 0xf8;
30436+static const u8 pq_idx_to_field[] = { 1, 4, 5, 0, 1, 2, 4, 5 };
30437
30438 static dma_addr_t xor_get_src(struct ioat_raw_descriptor *descs[2], int idx)
30439 {
30440diff -urNp linux-2.6.32.48/drivers/edac/amd64_edac.c linux-2.6.32.48/drivers/edac/amd64_edac.c
30441--- linux-2.6.32.48/drivers/edac/amd64_edac.c 2011-11-08 19:02:43.000000000 -0500
30442+++ linux-2.6.32.48/drivers/edac/amd64_edac.c 2011-11-18 18:01:55.000000000 -0500
30443@@ -3099,7 +3099,7 @@ static void __devexit amd64_remove_one_i
30444 * PCI core identifies what devices are on a system during boot, and then
30445 * inquiry this table to see if this driver is for a given device found.
30446 */
30447-static const struct pci_device_id amd64_pci_table[] __devinitdata = {
30448+static const struct pci_device_id amd64_pci_table[] __devinitconst = {
30449 {
30450 .vendor = PCI_VENDOR_ID_AMD,
30451 .device = PCI_DEVICE_ID_AMD_K8_NB_MEMCTL,
30452diff -urNp linux-2.6.32.48/drivers/edac/amd76x_edac.c linux-2.6.32.48/drivers/edac/amd76x_edac.c
30453--- linux-2.6.32.48/drivers/edac/amd76x_edac.c 2011-11-08 19:02:43.000000000 -0500
30454+++ linux-2.6.32.48/drivers/edac/amd76x_edac.c 2011-11-18 18:01:55.000000000 -0500
30455@@ -322,7 +322,7 @@ static void __devexit amd76x_remove_one(
30456 edac_mc_free(mci);
30457 }
30458
30459-static const struct pci_device_id amd76x_pci_tbl[] __devinitdata = {
30460+static const struct pci_device_id amd76x_pci_tbl[] __devinitconst = {
30461 {
30462 PCI_VEND_DEV(AMD, FE_GATE_700C), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30463 AMD762},
30464diff -urNp linux-2.6.32.48/drivers/edac/e752x_edac.c linux-2.6.32.48/drivers/edac/e752x_edac.c
30465--- linux-2.6.32.48/drivers/edac/e752x_edac.c 2011-11-08 19:02:43.000000000 -0500
30466+++ linux-2.6.32.48/drivers/edac/e752x_edac.c 2011-11-18 18:01:55.000000000 -0500
30467@@ -1282,7 +1282,7 @@ static void __devexit e752x_remove_one(s
30468 edac_mc_free(mci);
30469 }
30470
30471-static const struct pci_device_id e752x_pci_tbl[] __devinitdata = {
30472+static const struct pci_device_id e752x_pci_tbl[] __devinitconst = {
30473 {
30474 PCI_VEND_DEV(INTEL, 7520_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30475 E7520},
30476diff -urNp linux-2.6.32.48/drivers/edac/e7xxx_edac.c linux-2.6.32.48/drivers/edac/e7xxx_edac.c
30477--- linux-2.6.32.48/drivers/edac/e7xxx_edac.c 2011-11-08 19:02:43.000000000 -0500
30478+++ linux-2.6.32.48/drivers/edac/e7xxx_edac.c 2011-11-18 18:01:55.000000000 -0500
30479@@ -526,7 +526,7 @@ static void __devexit e7xxx_remove_one(s
30480 edac_mc_free(mci);
30481 }
30482
30483-static const struct pci_device_id e7xxx_pci_tbl[] __devinitdata = {
30484+static const struct pci_device_id e7xxx_pci_tbl[] __devinitconst = {
30485 {
30486 PCI_VEND_DEV(INTEL, 7205_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30487 E7205},
30488diff -urNp linux-2.6.32.48/drivers/edac/edac_device_sysfs.c linux-2.6.32.48/drivers/edac/edac_device_sysfs.c
30489--- linux-2.6.32.48/drivers/edac/edac_device_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30490+++ linux-2.6.32.48/drivers/edac/edac_device_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30491@@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
30492 }
30493
30494 /* edac_dev file operations for an 'ctl_info' */
30495-static struct sysfs_ops device_ctl_info_ops = {
30496+static const struct sysfs_ops device_ctl_info_ops = {
30497 .show = edac_dev_ctl_info_show,
30498 .store = edac_dev_ctl_info_store
30499 };
30500@@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
30501 }
30502
30503 /* edac_dev file operations for an 'instance' */
30504-static struct sysfs_ops device_instance_ops = {
30505+static const struct sysfs_ops device_instance_ops = {
30506 .show = edac_dev_instance_show,
30507 .store = edac_dev_instance_store
30508 };
30509@@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
30510 }
30511
30512 /* edac_dev file operations for a 'block' */
30513-static struct sysfs_ops device_block_ops = {
30514+static const struct sysfs_ops device_block_ops = {
30515 .show = edac_dev_block_show,
30516 .store = edac_dev_block_store
30517 };
30518diff -urNp linux-2.6.32.48/drivers/edac/edac_mc_sysfs.c linux-2.6.32.48/drivers/edac/edac_mc_sysfs.c
30519--- linux-2.6.32.48/drivers/edac/edac_mc_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30520+++ linux-2.6.32.48/drivers/edac/edac_mc_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30521@@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
30522 return -EIO;
30523 }
30524
30525-static struct sysfs_ops csrowfs_ops = {
30526+static const struct sysfs_ops csrowfs_ops = {
30527 .show = csrowdev_show,
30528 .store = csrowdev_store
30529 };
30530@@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
30531 }
30532
30533 /* Intermediate show/store table */
30534-static struct sysfs_ops mci_ops = {
30535+static const struct sysfs_ops mci_ops = {
30536 .show = mcidev_show,
30537 .store = mcidev_store
30538 };
30539diff -urNp linux-2.6.32.48/drivers/edac/edac_pci_sysfs.c linux-2.6.32.48/drivers/edac/edac_pci_sysfs.c
30540--- linux-2.6.32.48/drivers/edac/edac_pci_sysfs.c 2011-11-08 19:02:43.000000000 -0500
30541+++ linux-2.6.32.48/drivers/edac/edac_pci_sysfs.c 2011-11-15 19:59:43.000000000 -0500
30542@@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
30543 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
30544 static int edac_pci_poll_msec = 1000; /* one second workq period */
30545
30546-static atomic_t pci_parity_count = ATOMIC_INIT(0);
30547-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
30548+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
30549+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
30550
30551 static struct kobject *edac_pci_top_main_kobj;
30552 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
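Review bot: Nothing at the declarations says why `pci_parity_count` and `pci_nonparity_count` become `atomic_unchecked_t` while `edac_pci_sysfs_refcount`, two lines below, stays `atomic_t`. The first two look like event statistics where wrap-around is harmless, whereas the refcount guards an object lifetime and should keep overflow checking. A comment such as `/* statistics only, may wrap; not a reference count */` above the pair would keep a later change from converting the refcount too. The same reasoning appears to apply to the `atomic_inc_unchecked()` conversions of `irq_err_count` in vr41xx_giu.c and of `dev->counts[]` in the drm files.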
30553@@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
30554 }
30555
30556 /* fs_ops table */
30557-static struct sysfs_ops pci_instance_ops = {
30558+static const struct sysfs_ops pci_instance_ops = {
30559 .show = edac_pci_instance_show,
30560 .store = edac_pci_instance_store
30561 };
30562@@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
30563 return -EIO;
30564 }
30565
30566-static struct sysfs_ops edac_pci_sysfs_ops = {
30567+static const struct sysfs_ops edac_pci_sysfs_ops = {
30568 .show = edac_pci_dev_show,
30569 .store = edac_pci_dev_store
30570 };
30571@@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
30572 edac_printk(KERN_CRIT, EDAC_PCI,
30573 "Signaled System Error on %s\n",
30574 pci_name(dev));
30575- atomic_inc(&pci_nonparity_count);
30576+ atomic_inc_unchecked(&pci_nonparity_count);
30577 }
30578
30579 if (status & (PCI_STATUS_PARITY)) {
30580@@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
30581 "Master Data Parity Error on %s\n",
30582 pci_name(dev));
30583
30584- atomic_inc(&pci_parity_count);
30585+ atomic_inc_unchecked(&pci_parity_count);
30586 }
30587
30588 if (status & (PCI_STATUS_DETECTED_PARITY)) {
30589@@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
30590 "Detected Parity Error on %s\n",
30591 pci_name(dev));
30592
30593- atomic_inc(&pci_parity_count);
30594+ atomic_inc_unchecked(&pci_parity_count);
30595 }
30596 }
30597
30598@@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
30599 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
30600 "Signaled System Error on %s\n",
30601 pci_name(dev));
30602- atomic_inc(&pci_nonparity_count);
30603+ atomic_inc_unchecked(&pci_nonparity_count);
30604 }
30605
30606 if (status & (PCI_STATUS_PARITY)) {
30607@@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
30608 "Master Data Parity Error on "
30609 "%s\n", pci_name(dev));
30610
30611- atomic_inc(&pci_parity_count);
30612+ atomic_inc_unchecked(&pci_parity_count);
30613 }
30614
30615 if (status & (PCI_STATUS_DETECTED_PARITY)) {
30616@@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
30617 "Detected Parity Error on %s\n",
30618 pci_name(dev));
30619
30620- atomic_inc(&pci_parity_count);
30621+ atomic_inc_unchecked(&pci_parity_count);
30622 }
30623 }
30624 }
30625@@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
30626 if (!check_pci_errors)
30627 return;
30628
30629- before_count = atomic_read(&pci_parity_count);
30630+ before_count = atomic_read_unchecked(&pci_parity_count);
30631
30632 /* scan all PCI devices looking for a Parity Error on devices and
30633 * bridges.
30634@@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
30635 /* Only if operator has selected panic on PCI Error */
30636 if (edac_pci_get_panic_on_pe()) {
30637 /* If the count is different 'after' from 'before' */
30638- if (before_count != atomic_read(&pci_parity_count))
30639+ if (before_count != atomic_read_unchecked(&pci_parity_count))
30640 panic("EDAC: PCI Parity Error");
30641 }
30642 }
30643diff -urNp linux-2.6.32.48/drivers/edac/i3000_edac.c linux-2.6.32.48/drivers/edac/i3000_edac.c
30644--- linux-2.6.32.48/drivers/edac/i3000_edac.c 2011-11-08 19:02:43.000000000 -0500
30645+++ linux-2.6.32.48/drivers/edac/i3000_edac.c 2011-11-18 18:01:55.000000000 -0500
30646@@ -471,7 +471,7 @@ static void __devexit i3000_remove_one(s
30647 edac_mc_free(mci);
30648 }
30649
30650-static const struct pci_device_id i3000_pci_tbl[] __devinitdata = {
30651+static const struct pci_device_id i3000_pci_tbl[] __devinitconst = {
30652 {
30653 PCI_VEND_DEV(INTEL, 3000_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30654 I3000},
30655diff -urNp linux-2.6.32.48/drivers/edac/i3200_edac.c linux-2.6.32.48/drivers/edac/i3200_edac.c
30656--- linux-2.6.32.48/drivers/edac/i3200_edac.c 2011-11-08 19:02:43.000000000 -0500
30657+++ linux-2.6.32.48/drivers/edac/i3200_edac.c 2011-11-18 18:01:55.000000000 -0500
30658@@ -444,7 +444,7 @@ static void __devexit i3200_remove_one(s
30659 edac_mc_free(mci);
30660 }
30661
30662-static const struct pci_device_id i3200_pci_tbl[] __devinitdata = {
30663+static const struct pci_device_id i3200_pci_tbl[] __devinitconst = {
30664 {
30665 PCI_VEND_DEV(INTEL, 3200_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30666 I3200},
30667diff -urNp linux-2.6.32.48/drivers/edac/i5000_edac.c linux-2.6.32.48/drivers/edac/i5000_edac.c
30668--- linux-2.6.32.48/drivers/edac/i5000_edac.c 2011-11-08 19:02:43.000000000 -0500
30669+++ linux-2.6.32.48/drivers/edac/i5000_edac.c 2011-11-18 18:01:55.000000000 -0500
30670@@ -1516,7 +1516,7 @@ static void __devexit i5000_remove_one(s
30671 *
30672 * The "E500P" device is the first device supported.
30673 */
30674-static const struct pci_device_id i5000_pci_tbl[] __devinitdata = {
30675+static const struct pci_device_id i5000_pci_tbl[] __devinitconst = {
30676 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_I5000_DEV16),
30677 .driver_data = I5000P},
30678
30679diff -urNp linux-2.6.32.48/drivers/edac/i5100_edac.c linux-2.6.32.48/drivers/edac/i5100_edac.c
30680--- linux-2.6.32.48/drivers/edac/i5100_edac.c 2011-11-08 19:02:43.000000000 -0500
30681+++ linux-2.6.32.48/drivers/edac/i5100_edac.c 2011-11-18 18:01:55.000000000 -0500
30682@@ -944,7 +944,7 @@ static void __devexit i5100_remove_one(s
30683 edac_mc_free(mci);
30684 }
30685
30686-static const struct pci_device_id i5100_pci_tbl[] __devinitdata = {
30687+static const struct pci_device_id i5100_pci_tbl[] __devinitconst = {
30688 /* Device 16, Function 0, Channel 0 Memory Map, Error Flag/Mask, ... */
30689 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5100_16) },
30690 { 0, }
30691diff -urNp linux-2.6.32.48/drivers/edac/i5400_edac.c linux-2.6.32.48/drivers/edac/i5400_edac.c
30692--- linux-2.6.32.48/drivers/edac/i5400_edac.c 2011-11-08 19:02:43.000000000 -0500
30693+++ linux-2.6.32.48/drivers/edac/i5400_edac.c 2011-11-18 18:01:55.000000000 -0500
30694@@ -1383,7 +1383,7 @@ static void __devexit i5400_remove_one(s
30695 *
30696 * The "E500P" device is the first device supported.
30697 */
30698-static const struct pci_device_id i5400_pci_tbl[] __devinitdata = {
30699+static const struct pci_device_id i5400_pci_tbl[] __devinitconst = {
30700 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_5400_ERR)},
30701 {0,} /* 0 terminated list. */
30702 };
30703diff -urNp linux-2.6.32.48/drivers/edac/i82443bxgx_edac.c linux-2.6.32.48/drivers/edac/i82443bxgx_edac.c
30704--- linux-2.6.32.48/drivers/edac/i82443bxgx_edac.c 2011-11-08 19:02:43.000000000 -0500
30705+++ linux-2.6.32.48/drivers/edac/i82443bxgx_edac.c 2011-11-18 18:01:55.000000000 -0500
30706@@ -381,7 +381,7 @@ static void __devexit i82443bxgx_edacmc_
30707
30708 EXPORT_SYMBOL_GPL(i82443bxgx_edacmc_remove_one);
30709
30710-static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitdata = {
30711+static const struct pci_device_id i82443bxgx_pci_tbl[] __devinitconst = {
30712 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_0)},
30713 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443BX_2)},
30714 {PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0)},
30715diff -urNp linux-2.6.32.48/drivers/edac/i82860_edac.c linux-2.6.32.48/drivers/edac/i82860_edac.c
30716--- linux-2.6.32.48/drivers/edac/i82860_edac.c 2011-11-08 19:02:43.000000000 -0500
30717+++ linux-2.6.32.48/drivers/edac/i82860_edac.c 2011-11-18 18:01:55.000000000 -0500
30718@@ -271,7 +271,7 @@ static void __devexit i82860_remove_one(
30719 edac_mc_free(mci);
30720 }
30721
30722-static const struct pci_device_id i82860_pci_tbl[] __devinitdata = {
30723+static const struct pci_device_id i82860_pci_tbl[] __devinitconst = {
30724 {
30725 PCI_VEND_DEV(INTEL, 82860_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30726 I82860},
30727diff -urNp linux-2.6.32.48/drivers/edac/i82875p_edac.c linux-2.6.32.48/drivers/edac/i82875p_edac.c
30728--- linux-2.6.32.48/drivers/edac/i82875p_edac.c 2011-11-08 19:02:43.000000000 -0500
30729+++ linux-2.6.32.48/drivers/edac/i82875p_edac.c 2011-11-18 18:01:55.000000000 -0500
30730@@ -512,7 +512,7 @@ static void __devexit i82875p_remove_one
30731 edac_mc_free(mci);
30732 }
30733
30734-static const struct pci_device_id i82875p_pci_tbl[] __devinitdata = {
30735+static const struct pci_device_id i82875p_pci_tbl[] __devinitconst = {
30736 {
30737 PCI_VEND_DEV(INTEL, 82875_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30738 I82875P},
30739diff -urNp linux-2.6.32.48/drivers/edac/i82975x_edac.c linux-2.6.32.48/drivers/edac/i82975x_edac.c
30740--- linux-2.6.32.48/drivers/edac/i82975x_edac.c 2011-11-08 19:02:43.000000000 -0500
30741+++ linux-2.6.32.48/drivers/edac/i82975x_edac.c 2011-11-18 18:01:55.000000000 -0500
30742@@ -586,7 +586,7 @@ static void __devexit i82975x_remove_one
30743 edac_mc_free(mci);
30744 }
30745
30746-static const struct pci_device_id i82975x_pci_tbl[] __devinitdata = {
30747+static const struct pci_device_id i82975x_pci_tbl[] __devinitconst = {
30748 {
30749 PCI_VEND_DEV(INTEL, 82975_0), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30750 I82975X
30751diff -urNp linux-2.6.32.48/drivers/edac/r82600_edac.c linux-2.6.32.48/drivers/edac/r82600_edac.c
30752--- linux-2.6.32.48/drivers/edac/r82600_edac.c 2011-11-08 19:02:43.000000000 -0500
30753+++ linux-2.6.32.48/drivers/edac/r82600_edac.c 2011-11-18 18:01:55.000000000 -0500
30754@@ -374,7 +374,7 @@ static void __devexit r82600_remove_one(
30755 edac_mc_free(mci);
30756 }
30757
30758-static const struct pci_device_id r82600_pci_tbl[] __devinitdata = {
30759+static const struct pci_device_id r82600_pci_tbl[] __devinitconst = {
30760 {
30761 PCI_DEVICE(PCI_VENDOR_ID_RADISYS, R82600_BRIDGE_ID)
30762 },
30763diff -urNp linux-2.6.32.48/drivers/edac/x38_edac.c linux-2.6.32.48/drivers/edac/x38_edac.c
30764--- linux-2.6.32.48/drivers/edac/x38_edac.c 2011-11-08 19:02:43.000000000 -0500
30765+++ linux-2.6.32.48/drivers/edac/x38_edac.c 2011-11-18 18:01:55.000000000 -0500
30766@@ -441,7 +441,7 @@ static void __devexit x38_remove_one(str
30767 edac_mc_free(mci);
30768 }
30769
30770-static const struct pci_device_id x38_pci_tbl[] __devinitdata = {
30771+static const struct pci_device_id x38_pci_tbl[] __devinitconst = {
30772 {
30773 PCI_VEND_DEV(INTEL, X38_HB), PCI_ANY_ID, PCI_ANY_ID, 0, 0,
30774 X38},
30775diff -urNp linux-2.6.32.48/drivers/firewire/core-card.c linux-2.6.32.48/drivers/firewire/core-card.c
30776--- linux-2.6.32.48/drivers/firewire/core-card.c 2011-11-08 19:02:43.000000000 -0500
30777+++ linux-2.6.32.48/drivers/firewire/core-card.c 2011-11-15 19:59:43.000000000 -0500
30778@@ -558,7 +558,7 @@ void fw_card_release(struct kref *kref)
30779
30780 void fw_core_remove_card(struct fw_card *card)
30781 {
30782- struct fw_card_driver dummy_driver = dummy_driver_template;
30783+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
30784
30785 card->driver->update_phy_reg(card, 4,
30786 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
30787diff -urNp linux-2.6.32.48/drivers/firewire/core-cdev.c linux-2.6.32.48/drivers/firewire/core-cdev.c
30788--- linux-2.6.32.48/drivers/firewire/core-cdev.c 2011-11-08 19:02:43.000000000 -0500
30789+++ linux-2.6.32.48/drivers/firewire/core-cdev.c 2011-11-15 19:59:43.000000000 -0500
30790@@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
30791 int ret;
30792
30793 if ((request->channels == 0 && request->bandwidth == 0) ||
30794- request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
30795- request->bandwidth < 0)
30796+ request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
30797 return -EINVAL;
30798
30799 r = kmalloc(sizeof(*r), GFP_KERNEL);
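Review bot: Dropping `request->bandwidth < 0` is safe only if `bandwidth` is an unsigned field, and its declaration is not visible in this hunk. If it is unsigned, as the removal implies, the remaining test against `BANDWIDTH_AVAILABLE_INITIAL` already rejects every value a negative input would convert to. A short comment such as `/* bandwidth is unsigned, so only the upper bound needs checking */` would record that. Should the field ever become signed, the lower bound has to come back, because `request` appears to be filled in from an ioctl argument. init_iso_resource continues outside the hunk.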
30800diff -urNp linux-2.6.32.48/drivers/firewire/core.h linux-2.6.32.48/drivers/firewire/core.h
30801--- linux-2.6.32.48/drivers/firewire/core.h 2011-11-08 19:02:43.000000000 -0500
30802+++ linux-2.6.32.48/drivers/firewire/core.h 2011-11-15 19:59:43.000000000 -0500
30803@@ -86,6 +86,7 @@ struct fw_card_driver {
30804
30805 int (*stop_iso)(struct fw_iso_context *ctx);
30806 };
30807+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
30808
30809 void fw_card_initialize(struct fw_card *card,
30810 const struct fw_card_driver *driver, struct device *device);
30811diff -urNp linux-2.6.32.48/drivers/firewire/core-transaction.c linux-2.6.32.48/drivers/firewire/core-transaction.c
30812--- linux-2.6.32.48/drivers/firewire/core-transaction.c 2011-11-08 19:02:43.000000000 -0500
30813+++ linux-2.6.32.48/drivers/firewire/core-transaction.c 2011-11-15 19:59:43.000000000 -0500
30814@@ -36,6 +36,7 @@
30815 #include <linux/string.h>
30816 #include <linux/timer.h>
30817 #include <linux/types.h>
30818+#include <linux/sched.h>
30819
30820 #include <asm/byteorder.h>
30821
30822@@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
30823 struct transaction_callback_data d;
30824 struct fw_transaction t;
30825
30826+ pax_track_stack();
30827+
30828 init_completion(&d.done);
30829 d.payload = payload;
30830 fw_send_request(card, &t, tcode, destination_id, generation, speed,
30831diff -urNp linux-2.6.32.48/drivers/firmware/dmi_scan.c linux-2.6.32.48/drivers/firmware/dmi_scan.c
30832--- linux-2.6.32.48/drivers/firmware/dmi_scan.c 2011-11-08 19:02:43.000000000 -0500
30833+++ linux-2.6.32.48/drivers/firmware/dmi_scan.c 2011-11-15 19:59:43.000000000 -0500
30834@@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
30835 }
30836 }
30837 else {
30838- /*
30839- * no iounmap() for that ioremap(); it would be a no-op, but
30840- * it's so early in setup that sucker gets confused into doing
30841- * what it shouldn't if we actually call it.
30842- */
30843 p = dmi_ioremap(0xF0000, 0x10000);
30844 if (p == NULL)
30845 goto error;
30846@@ -667,7 +662,7 @@ int dmi_walk(void (*decode)(const struct
30847 if (buf == NULL)
30848 return -1;
30849
30850- dmi_table(buf, dmi_len, dmi_num, decode, private_data);
30851+ dmi_table((char __force_kernel *)buf, dmi_len, dmi_num, decode, private_data);
30852
30853 iounmap(buf);
30854 return 0;
30855diff -urNp linux-2.6.32.48/drivers/firmware/edd.c linux-2.6.32.48/drivers/firmware/edd.c
30856--- linux-2.6.32.48/drivers/firmware/edd.c 2011-11-08 19:02:43.000000000 -0500
30857+++ linux-2.6.32.48/drivers/firmware/edd.c 2011-11-15 19:59:43.000000000 -0500
30858@@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
30859 return ret;
30860 }
30861
30862-static struct sysfs_ops edd_attr_ops = {
30863+static const struct sysfs_ops edd_attr_ops = {
30864 .show = edd_attr_show,
30865 };
30866
30867diff -urNp linux-2.6.32.48/drivers/firmware/efivars.c linux-2.6.32.48/drivers/firmware/efivars.c
30868--- linux-2.6.32.48/drivers/firmware/efivars.c 2011-11-08 19:02:43.000000000 -0500
30869+++ linux-2.6.32.48/drivers/firmware/efivars.c 2011-11-15 19:59:43.000000000 -0500
30870@@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
30871 return ret;
30872 }
30873
30874-static struct sysfs_ops efivar_attr_ops = {
30875+static const struct sysfs_ops efivar_attr_ops = {
30876 .show = efivar_attr_show,
30877 .store = efivar_attr_store,
30878 };
30879diff -urNp linux-2.6.32.48/drivers/firmware/iscsi_ibft.c linux-2.6.32.48/drivers/firmware/iscsi_ibft.c
30880--- linux-2.6.32.48/drivers/firmware/iscsi_ibft.c 2011-11-08 19:02:43.000000000 -0500
30881+++ linux-2.6.32.48/drivers/firmware/iscsi_ibft.c 2011-11-15 19:59:43.000000000 -0500
30882@@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
30883 return ret;
30884 }
30885
30886-static struct sysfs_ops ibft_attr_ops = {
30887+static const struct sysfs_ops ibft_attr_ops = {
30888 .show = ibft_show_attribute,
30889 };
30890
30891diff -urNp linux-2.6.32.48/drivers/firmware/memmap.c linux-2.6.32.48/drivers/firmware/memmap.c
30892--- linux-2.6.32.48/drivers/firmware/memmap.c 2011-11-08 19:02:43.000000000 -0500
30893+++ linux-2.6.32.48/drivers/firmware/memmap.c 2011-11-15 19:59:43.000000000 -0500
30894@@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
30895 NULL
30896 };
30897
30898-static struct sysfs_ops memmap_attr_ops = {
30899+static const struct sysfs_ops memmap_attr_ops = {
30900 .show = memmap_attr_show,
30901 };
30902
30903diff -urNp linux-2.6.32.48/drivers/gpio/vr41xx_giu.c linux-2.6.32.48/drivers/gpio/vr41xx_giu.c
30904--- linux-2.6.32.48/drivers/gpio/vr41xx_giu.c 2011-11-08 19:02:43.000000000 -0500
30905+++ linux-2.6.32.48/drivers/gpio/vr41xx_giu.c 2011-11-15 19:59:43.000000000 -0500
30906@@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
30907 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
30908 maskl, pendl, maskh, pendh);
30909
30910- atomic_inc(&irq_err_count);
30911+ atomic_inc_unchecked(&irq_err_count);
30912
30913 return -EINVAL;
30914 }
30915diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_crtc.c linux-2.6.32.48/drivers/gpu/drm/drm_crtc.c
30916--- linux-2.6.32.48/drivers/gpu/drm/drm_crtc.c 2011-11-08 19:02:43.000000000 -0500
30917+++ linux-2.6.32.48/drivers/gpu/drm/drm_crtc.c 2011-11-15 19:59:43.000000000 -0500
30918@@ -1323,7 +1323,7 @@ int drm_mode_getconnector(struct drm_dev
30919 */
30920 if ((out_resp->count_modes >= mode_count) && mode_count) {
30921 copied = 0;
30922- mode_ptr = (struct drm_mode_modeinfo *)(unsigned long)out_resp->modes_ptr;
30923+ mode_ptr = (struct drm_mode_modeinfo __user *)(unsigned long)out_resp->modes_ptr;
30924 list_for_each_entry(mode, &connector->modes, head) {
30925 drm_crtc_convert_to_umode(&u_mode, mode);
30926 if (copy_to_user(mode_ptr + copied,
30927@@ -1338,8 +1338,8 @@ int drm_mode_getconnector(struct drm_dev
30928
30929 if ((out_resp->count_props >= props_count) && props_count) {
30930 copied = 0;
30931- prop_ptr = (uint32_t *)(unsigned long)(out_resp->props_ptr);
30932- prop_values = (uint64_t *)(unsigned long)(out_resp->prop_values_ptr);
30933+ prop_ptr = (uint32_t __user *)(unsigned long)(out_resp->props_ptr);
30934+ prop_values = (uint64_t __user *)(unsigned long)(out_resp->prop_values_ptr);
30935 for (i = 0; i < DRM_CONNECTOR_MAX_PROPERTY; i++) {
30936 if (connector->property_ids[i] != 0) {
30937 if (put_user(connector->property_ids[i],
30938@@ -1361,7 +1361,7 @@ int drm_mode_getconnector(struct drm_dev
30939
30940 if ((out_resp->count_encoders >= encoders_count) && encoders_count) {
30941 copied = 0;
30942- encoder_ptr = (uint32_t *)(unsigned long)(out_resp->encoders_ptr);
30943+ encoder_ptr = (uint32_t __user *)(unsigned long)(out_resp->encoders_ptr);
30944 for (i = 0; i < DRM_CONNECTOR_MAX_ENCODER; i++) {
30945 if (connector->encoder_ids[i] != 0) {
30946 if (put_user(connector->encoder_ids[i],
30947@@ -1513,7 +1513,7 @@ int drm_mode_setcrtc(struct drm_device *
30948 }
30949
30950 for (i = 0; i < crtc_req->count_connectors; i++) {
30951- set_connectors_ptr = (uint32_t *)(unsigned long)crtc_req->set_connectors_ptr;
30952+ set_connectors_ptr = (uint32_t __user *)(unsigned long)crtc_req->set_connectors_ptr;
30953 if (get_user(out_id, &set_connectors_ptr[i])) {
30954 ret = -EFAULT;
30955 goto out;
30956@@ -2118,7 +2118,7 @@ int drm_mode_getproperty_ioctl(struct dr
30957 out_resp->flags = property->flags;
30958
30959 if ((out_resp->count_values >= value_count) && value_count) {
30960- values_ptr = (uint64_t *)(unsigned long)out_resp->values_ptr;
30961+ values_ptr = (uint64_t __user *)(unsigned long)out_resp->values_ptr;
30962 for (i = 0; i < value_count; i++) {
30963 if (copy_to_user(values_ptr + i, &property->values[i], sizeof(uint64_t))) {
30964 ret = -EFAULT;
30965@@ -2131,7 +2131,7 @@ int drm_mode_getproperty_ioctl(struct dr
30966 if (property->flags & DRM_MODE_PROP_ENUM) {
30967 if ((out_resp->count_enum_blobs >= enum_count) && enum_count) {
30968 copied = 0;
30969- enum_ptr = (struct drm_mode_property_enum *)(unsigned long)out_resp->enum_blob_ptr;
30970+ enum_ptr = (struct drm_mode_property_enum __user *)(unsigned long)out_resp->enum_blob_ptr;
30971 list_for_each_entry(prop_enum, &property->enum_blob_list, head) {
30972
30973 if (copy_to_user(&enum_ptr[copied].value, &prop_enum->value, sizeof(uint64_t))) {
30974@@ -2154,7 +2154,7 @@ int drm_mode_getproperty_ioctl(struct dr
30975 if ((out_resp->count_enum_blobs >= blob_count) && blob_count) {
30976 copied = 0;
30977 blob_id_ptr = (uint32_t *)(unsigned long)out_resp->enum_blob_ptr;
30978- blob_length_ptr = (uint32_t *)(unsigned long)out_resp->values_ptr;
30979+ blob_length_ptr = (uint32_t __user *)(unsigned long)out_resp->values_ptr;
30980
30981 list_for_each_entry(prop_blob, &property->enum_blob_list, head) {
30982 if (put_user(prop_blob->base.id, blob_id_ptr + copied)) {
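Review bot: `blob_id_ptr` is left without the `__user` annotation although it is handed to `put_user()` two lines later, just like `blob_length_ptr`, which this hunk does annotate. The context line should become `blob_id_ptr = (uint32_t __user *)(unsigned long)out_resp->enum_blob_ptr;`. The declaration of `blob_id_ptr` is outside the hunk and should carry `__user` as well if it does not already. Without the annotation sparse cannot flag an accidental direct dereference of this user-supplied address.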
30983@@ -2226,7 +2226,7 @@ int drm_mode_getblob_ioctl(struct drm_de
30984 blob = obj_to_blob(obj);
30985
30986 if (out_resp->length == blob->length) {
30987- blob_ptr = (void *)(unsigned long)out_resp->data;
30988+ blob_ptr = (void __user *)(unsigned long)out_resp->data;
30989 if (copy_to_user(blob_ptr, blob->data, blob->length)){
30990 ret = -EFAULT;
30991 goto done;
30992diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.48/drivers/gpu/drm/drm_crtc_helper.c
30993--- linux-2.6.32.48/drivers/gpu/drm/drm_crtc_helper.c 2011-11-08 19:02:43.000000000 -0500
30994+++ linux-2.6.32.48/drivers/gpu/drm/drm_crtc_helper.c 2011-11-15 19:59:43.000000000 -0500
30995@@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
30996 struct drm_crtc *tmp;
30997 int crtc_mask = 1;
30998
30999- WARN(!crtc, "checking null crtc?");
31000+ BUG_ON(!crtc);
31001
31002 dev = crtc->dev;
31003
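Review bot: `BUG_ON(!crtc)` replaces a `WARN` that carried the text "checking null crtc?", so the reason for the check is no longer stated anywhere. Because `crtc->dev` is dereferenced on the very next statement, stopping here instead of running into a NULL dereference is defensible, but it deserves a comment such as `/* crtc is dereferenced below; do not continue with NULL */`. As the function returns `bool`, `if (WARN_ON(!crtc)) return false;` would be a less drastic alternative if the callers tolerate it, which cannot be judged from this hunk.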
31004@@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
31005
31006 adjusted_mode = drm_mode_duplicate(dev, mode);
31007
31008+ pax_track_stack();
31009+
31010 crtc->enabled = drm_helper_crtc_in_use(crtc);
31011
31012 if (!crtc->enabled)
31013diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_drv.c linux-2.6.32.48/drivers/gpu/drm/drm_drv.c
31014--- linux-2.6.32.48/drivers/gpu/drm/drm_drv.c 2011-11-08 19:02:43.000000000 -0500
31015+++ linux-2.6.32.48/drivers/gpu/drm/drm_drv.c 2011-11-15 19:59:43.000000000 -0500
31016@@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
31017 char *kdata = NULL;
31018
31019 atomic_inc(&dev->ioctl_count);
31020- atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
31021+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
31022 ++file_priv->ioctl_count;
31023
31024 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
31025diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_fops.c linux-2.6.32.48/drivers/gpu/drm/drm_fops.c
31026--- linux-2.6.32.48/drivers/gpu/drm/drm_fops.c 2011-11-08 19:02:43.000000000 -0500
31027+++ linux-2.6.32.48/drivers/gpu/drm/drm_fops.c 2011-11-15 19:59:43.000000000 -0500
31028@@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
31029 }
31030
31031 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
31032- atomic_set(&dev->counts[i], 0);
31033+ atomic_set_unchecked(&dev->counts[i], 0);
31034
31035 dev->sigdata.lock = NULL;
31036
31037@@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
31038
31039 retcode = drm_open_helper(inode, filp, dev);
31040 if (!retcode) {
31041- atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
31042+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
31043 spin_lock(&dev->count_lock);
31044- if (!dev->open_count++) {
31045+ if (local_inc_return(&dev->open_count) == 1) {
31046 spin_unlock(&dev->count_lock);
31047 retcode = drm_setup(dev);
31048 goto out;
31049@@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
31050
31051 lock_kernel();
31052
31053- DRM_DEBUG("open_count = %d\n", dev->open_count);
31054+ DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
31055
31056 if (dev->driver->preclose)
31057 dev->driver->preclose(dev, file_priv);
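Review bot: The new `DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));` pairs `%d` with a value that is a `long` if `open_count` became a `local_t`, as the `local_*` accessors imply (the field's declaration is not in this hunk). On 64-bit builds that is a format/argument mismatch; the line should read `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The second DRM_DEBUG in the next drm_release hunk, which prints `open_count = %d` from `local_read(&dev->open_count)`, needs the same change. drm_release starts and ends outside the hunk.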
31058@@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
31059 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
31060 task_pid_nr(current),
31061 (long)old_encode_dev(file_priv->minor->device),
31062- dev->open_count);
31063+ local_read(&dev->open_count));
31064
31065 /* if the master has gone away we can't do anything with the lock */
31066 if (file_priv->minor->master)
31067@@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
31068 * End inline drm_release
31069 */
31070
31071- atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
31072+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
31073 spin_lock(&dev->count_lock);
31074- if (!--dev->open_count) {
31075+ if (local_dec_and_test(&dev->open_count)) {
31076 if (atomic_read(&dev->ioctl_count)) {
31077 DRM_ERROR("Device busy: %d\n",
31078 atomic_read(&dev->ioctl_count));
31079diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_gem.c linux-2.6.32.48/drivers/gpu/drm/drm_gem.c
31080--- linux-2.6.32.48/drivers/gpu/drm/drm_gem.c 2011-11-08 19:02:43.000000000 -0500
31081+++ linux-2.6.32.48/drivers/gpu/drm/drm_gem.c 2011-11-15 19:59:43.000000000 -0500
31082@@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
31083 spin_lock_init(&dev->object_name_lock);
31084 idr_init(&dev->object_name_idr);
31085 atomic_set(&dev->object_count, 0);
31086- atomic_set(&dev->object_memory, 0);
31087+ atomic_set_unchecked(&dev->object_memory, 0);
31088 atomic_set(&dev->pin_count, 0);
31089- atomic_set(&dev->pin_memory, 0);
31090+ atomic_set_unchecked(&dev->pin_memory, 0);
31091 atomic_set(&dev->gtt_count, 0);
31092- atomic_set(&dev->gtt_memory, 0);
31093+ atomic_set_unchecked(&dev->gtt_memory, 0);
31094
31095 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
31096 if (!mm) {
31097@@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
31098 goto fput;
31099 }
31100 atomic_inc(&dev->object_count);
31101- atomic_add(obj->size, &dev->object_memory);
31102+ atomic_add_unchecked(obj->size, &dev->object_memory);
31103 return obj;
31104 fput:
31105 fput(obj->filp);
31106@@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
31107
31108 fput(obj->filp);
31109 atomic_dec(&dev->object_count);
31110- atomic_sub(obj->size, &dev->object_memory);
31111+ atomic_sub_unchecked(obj->size, &dev->object_memory);
31112 kfree(obj);
31113 }
31114 EXPORT_SYMBOL(drm_gem_object_free);
31115diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_info.c linux-2.6.32.48/drivers/gpu/drm/drm_info.c
31116--- linux-2.6.32.48/drivers/gpu/drm/drm_info.c 2011-11-08 19:02:43.000000000 -0500
31117+++ linux-2.6.32.48/drivers/gpu/drm/drm_info.c 2011-11-15 19:59:43.000000000 -0500
31118@@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
31119 struct drm_local_map *map;
31120 struct drm_map_list *r_list;
31121
31122- /* Hardcoded from _DRM_FRAME_BUFFER,
31123- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
31124- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
31125- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
31126+ static const char * const types[] = {
31127+ [_DRM_FRAME_BUFFER] = "FB",
31128+ [_DRM_REGISTERS] = "REG",
31129+ [_DRM_SHM] = "SHM",
31130+ [_DRM_AGP] = "AGP",
31131+ [_DRM_SCATTER_GATHER] = "SG",
31132+ [_DRM_CONSISTENT] = "PCI",
31133+ [_DRM_GEM] = "GEM" };
31134 const char *type;
31135 int i;
31136
31137@@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
31138 map = r_list->map;
31139 if (!map)
31140 continue;
31141- if (map->type < 0 || map->type > 5)
31142+ if (map->type >= ARRAY_SIZE(types))
31143 type = "??";
31144 else
31145 type = types[map->type];
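Review bot: The bounds check `map->type >= ARRAY_SIZE(types)` guards the index but not a hole in the table. With the designated initializers added in the previous hunk, any map type below the largest one that has no entry leaves a NULL slot, and `type` would then be NULL when it is printed. If the `_DRM_*` map types are contiguous (not verifiable from this hunk) this cannot happen today, but `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` keeps the fallback to "??" correct when a new type is added. drm_vm_info continues outside both hunks.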
31146@@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
31147 struct drm_device *dev = node->minor->dev;
31148
31149 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
31150- seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
31151+ seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
31152 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
31153- seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
31154- seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
31155+ seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
31156+ seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
31157 seq_printf(m, "%d gtt total\n", dev->gtt_total);
31158 return 0;
31159 }
31160@@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
31161 mutex_lock(&dev->struct_mutex);
31162 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
31163 atomic_read(&dev->vma_count),
31164+#ifdef CONFIG_GRKERNSEC_HIDESYM
31165+ NULL, 0);
31166+#else
31167 high_memory, (u64)virt_to_phys(high_memory));
31168+#endif
31169
31170 list_for_each_entry(pt, &dev->vmalist, head) {
31171 vma = pt->vma;
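Review bot: Under CONFIG_GRKERNSEC_HIDESYM the arguments `NULL, 0` are passed for `%p, 0x%08llx`, so a plain `int` zero is consumed as a 64-bit value. Variadic arguments are not converted to the type the format expects, so the line should be `NULL, 0ULL);`. The next hunk has the same pattern for its `%08lx` fields: `0, 0,` should be `0UL, 0UL,` and the final `0);` should be `0UL);`. drm_vma_info starts and ends outside the hunk.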
31172@@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
31173 continue;
31174 seq_printf(m,
31175 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
31176- pt->pid, vma->vm_start, vma->vm_end,
31177+ pt->pid,
31178+#ifdef CONFIG_GRKERNSEC_HIDESYM
31179+ 0, 0,
31180+#else
31181+ vma->vm_start, vma->vm_end,
31182+#endif
31183 vma->vm_flags & VM_READ ? 'r' : '-',
31184 vma->vm_flags & VM_WRITE ? 'w' : '-',
31185 vma->vm_flags & VM_EXEC ? 'x' : '-',
31186 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
31187 vma->vm_flags & VM_LOCKED ? 'l' : '-',
31188 vma->vm_flags & VM_IO ? 'i' : '-',
31189+#ifdef CONFIG_GRKERNSEC_HIDESYM
31190+ 0);
31191+#else
31192 vma->vm_pgoff);
31193+#endif
31194
31195 #if defined(__i386__)
31196 pgprot = pgprot_val(vma->vm_page_prot);
31197diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_ioc32.c linux-2.6.32.48/drivers/gpu/drm/drm_ioc32.c
31198--- linux-2.6.32.48/drivers/gpu/drm/drm_ioc32.c 2011-11-08 19:02:43.000000000 -0500
31199+++ linux-2.6.32.48/drivers/gpu/drm/drm_ioc32.c 2011-11-15 19:59:43.000000000 -0500
31200@@ -463,7 +463,7 @@ static int compat_drm_infobufs(struct fi
31201 request = compat_alloc_user_space(nbytes);
31202 if (!access_ok(VERIFY_WRITE, request, nbytes))
31203 return -EFAULT;
31204- list = (struct drm_buf_desc *) (request + 1);
31205+ list = (struct drm_buf_desc __user *) (request + 1);
31206
31207 if (__put_user(count, &request->count)
31208 || __put_user(list, &request->list))
31209@@ -525,7 +525,7 @@ static int compat_drm_mapbufs(struct fil
31210 request = compat_alloc_user_space(nbytes);
31211 if (!access_ok(VERIFY_WRITE, request, nbytes))
31212 return -EFAULT;
31213- list = (struct drm_buf_pub *) (request + 1);
31214+ list = (struct drm_buf_pub __user *) (request + 1);
31215
31216 if (__put_user(count, &request->count)
31217 || __put_user(list, &request->list))
31218diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.48/drivers/gpu/drm/drm_ioctl.c
31219--- linux-2.6.32.48/drivers/gpu/drm/drm_ioctl.c 2011-11-08 19:02:43.000000000 -0500
31220+++ linux-2.6.32.48/drivers/gpu/drm/drm_ioctl.c 2011-11-15 19:59:43.000000000 -0500
31221@@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
31222 stats->data[i].value =
31223 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
31224 else
31225- stats->data[i].value = atomic_read(&dev->counts[i]);
31226+ stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
31227 stats->data[i].type = dev->types[i];
31228 }
31229
31230diff -urNp linux-2.6.32.48/drivers/gpu/drm/drm_lock.c linux-2.6.32.48/drivers/gpu/drm/drm_lock.c
31231--- linux-2.6.32.48/drivers/gpu/drm/drm_lock.c 2011-11-08 19:02:43.000000000 -0500
31232+++ linux-2.6.32.48/drivers/gpu/drm/drm_lock.c 2011-11-15 19:59:43.000000000 -0500
31233@@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
31234 if (drm_lock_take(&master->lock, lock->context)) {
31235 master->lock.file_priv = file_priv;
31236 master->lock.lock_time = jiffies;
31237- atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
31238+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
31239 break; /* Got lock */
31240 }
31241
31242@@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
31243 return -EINVAL;
31244 }
31245
31246- atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
31247+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
31248
31249 /* kernel_context_switch isn't used by any of the x86 drm
31250 * modules but is required by the Sparc driver.
31251diff -urNp linux-2.6.32.48/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.48/drivers/gpu/drm/i810/i810_dma.c
31252--- linux-2.6.32.48/drivers/gpu/drm/i810/i810_dma.c 2011-11-08 19:02:43.000000000 -0500
31253+++ linux-2.6.32.48/drivers/gpu/drm/i810/i810_dma.c 2011-11-15 19:59:43.000000000 -0500
31254@@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
31255 dma->buflist[vertex->idx],
31256 vertex->discard, vertex->used);
31257
31258- atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
31259- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
31260+ atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
31261+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
31262 sarea_priv->last_enqueue = dev_priv->counter - 1;
31263 sarea_priv->last_dispatch = (int)hw_status[5];
31264
31265@@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
31266 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
31267 mc->last_render);
31268
31269- atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
31270- atomic_inc(&dev->counts[_DRM_STAT_DMA]);
31271+ atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
31272+ atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
31273 sarea_priv->last_enqueue = dev_priv->counter - 1;
31274 sarea_priv->last_dispatch = (int)hw_status[5];
31275
31276diff -urNp linux-2.6.32.48/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.48/drivers/gpu/drm/i810/i810_drv.h
31277--- linux-2.6.32.48/drivers/gpu/drm/i810/i810_drv.h 2011-11-08 19:02:43.000000000 -0500
31278+++ linux-2.6.32.48/drivers/gpu/drm/i810/i810_drv.h 2011-11-15 19:59:43.000000000 -0500
31279@@ -108,8 +108,8 @@ typedef struct drm_i810_private {
31280 int page_flipping;
31281
31282 wait_queue_head_t irq_queue;
31283- atomic_t irq_received;
31284- atomic_t irq_emitted;
31285+ atomic_unchecked_t irq_received;
31286+ atomic_unchecked_t irq_emitted;
31287
31288 int front_offset;
31289 } drm_i810_private_t;
31290diff -urNp linux-2.6.32.48/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.48/drivers/gpu/drm/i830/i830_drv.h
31291--- linux-2.6.32.48/drivers/gpu/drm/i830/i830_drv.h 2011-11-08 19:02:43.000000000 -0500
31292+++ linux-2.6.32.48/drivers/gpu/drm/i830/i830_drv.h 2011-11-15 19:59:43.000000000 -0500
31293@@ -115,8 +115,8 @@ typedef struct drm_i830_private {
31294 int page_flipping;
31295
31296 wait_queue_head_t irq_queue;
31297- atomic_t irq_received;
31298- atomic_t irq_emitted;
31299+ atomic_unchecked_t irq_received;
31300+ atomic_unchecked_t irq_emitted;
31301
31302 int use_mi_batchbuffer_start;
31303
31304diff -urNp linux-2.6.32.48/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.48/drivers/gpu/drm/i830/i830_irq.c
31305--- linux-2.6.32.48/drivers/gpu/drm/i830/i830_irq.c 2011-11-08 19:02:43.000000000 -0500
31306+++ linux-2.6.32.48/drivers/gpu/drm/i830/i830_irq.c 2011-11-15 19:59:43.000000000 -0500
31307@@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
31308
31309 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
31310
31311- atomic_inc(&dev_priv->irq_received);
31312+ atomic_inc_unchecked(&dev_priv->irq_received);
31313 wake_up_interruptible(&dev_priv->irq_queue);
31314
31315 return IRQ_HANDLED;
31316@@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
31317
31318 DRM_DEBUG("%s\n", __func__);
31319
31320- atomic_inc(&dev_priv->irq_emitted);
31321+ atomic_inc_unchecked(&dev_priv->irq_emitted);
31322
31323 BEGIN_LP_RING(2);
31324 OUT_RING(0);
31325 OUT_RING(GFX_OP_USER_INTERRUPT);
31326 ADVANCE_LP_RING();
31327
31328- return atomic_read(&dev_priv->irq_emitted);
31329+ return atomic_read_unchecked(&dev_priv->irq_emitted);
31330 }
31331
31332 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
31333@@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
31334
31335 DRM_DEBUG("%s\n", __func__);
31336
31337- if (atomic_read(&dev_priv->irq_received) >= irq_nr)
31338+ if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
31339 return 0;
31340
31341 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
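Review bot: `atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr` is an ordered comparison on a counter that this patch now explicitly allows to wrap, so after a wrap the test can report a pending interrupt as already received, or the reverse. A wrap-tolerant sequence comparison avoids that: `if ((int)((unsigned)atomic_read_unchecked(&dev_priv->irq_received) - (unsigned)irq_nr) >= 0)`. The polling loop in the next hunk repeats the same comparison and would need the same form. Whether the counter can realistically reach the wrap point depends on interrupt rate and uptime, which the hunk does not show; i830_wait_irq continues outside it.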
31342@@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
31343
31344 for (;;) {
31345 __set_current_state(TASK_INTERRUPTIBLE);
31346- if (atomic_read(&dev_priv->irq_received) >= irq_nr)
31347+ if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
31348 break;
31349 if ((signed)(end - jiffies) <= 0) {
31350 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
31351@@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
31352 I830_WRITE16(I830REG_HWSTAM, 0xffff);
31353 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
31354 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
31355- atomic_set(&dev_priv->irq_received, 0);
31356- atomic_set(&dev_priv->irq_emitted, 0);
31357+ atomic_set_unchecked(&dev_priv->irq_received, 0);
31358+ atomic_set_unchecked(&dev_priv->irq_emitted, 0);
31359 init_waitqueue_head(&dev_priv->irq_queue);
31360 }
31361
31362diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7017.c
31363--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7017.c 2011-11-08 19:02:43.000000000 -0500
31364+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7017.c 2011-11-15 19:59:43.000000000 -0500
31365@@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
31366 }
31367 }
31368
31369-struct intel_dvo_dev_ops ch7017_ops = {
31370+const struct intel_dvo_dev_ops ch7017_ops = {
31371 .init = ch7017_init,
31372 .detect = ch7017_detect,
31373 .mode_valid = ch7017_mode_valid,
31374diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7xxx.c
31375--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-11-08 19:02:43.000000000 -0500
31376+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-11-15 19:59:43.000000000 -0500
31377@@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
31378 }
31379 }
31380
31381-struct intel_dvo_dev_ops ch7xxx_ops = {
31382+const struct intel_dvo_dev_ops ch7xxx_ops = {
31383 .init = ch7xxx_init,
31384 .detect = ch7xxx_detect,
31385 .mode_valid = ch7xxx_mode_valid,
31386diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo.h linux-2.6.32.48/drivers/gpu/drm/i915/dvo.h
31387--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo.h 2011-11-08 19:02:43.000000000 -0500
31388+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo.h 2011-11-15 19:59:43.000000000 -0500
31389@@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
31390 *
31391 * \return singly-linked list of modes or NULL if no modes found.
31392 */
31393- struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
31394+ struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
31395
31396 /**
31397 * Clean up driver-specific bits of the output
31398 */
31399- void (*destroy) (struct intel_dvo_device *dvo);
31400+ void (* const destroy) (struct intel_dvo_device *dvo);
31401
31402 /**
31403 * Debugging hook to dump device registers to log file
31404 */
31405- void (*dump_regs)(struct intel_dvo_device *dvo);
31406+ void (* const dump_regs)(struct intel_dvo_device *dvo);
31407 };
31408
31409-extern struct intel_dvo_dev_ops sil164_ops;
31410-extern struct intel_dvo_dev_ops ch7xxx_ops;
31411-extern struct intel_dvo_dev_ops ivch_ops;
31412-extern struct intel_dvo_dev_ops tfp410_ops;
31413-extern struct intel_dvo_dev_ops ch7017_ops;
31414+extern const struct intel_dvo_dev_ops sil164_ops;
31415+extern const struct intel_dvo_dev_ops ch7xxx_ops;
31416+extern const struct intel_dvo_dev_ops ivch_ops;
31417+extern const struct intel_dvo_dev_ops tfp410_ops;
31418+extern const struct intel_dvo_dev_ops ch7017_ops;
31419
31420 #endif /* _INTEL_DVO_H */
31421diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ivch.c
31422--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ivch.c 2011-11-08 19:02:43.000000000 -0500
31423+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo_ivch.c 2011-11-15 19:59:43.000000000 -0500
31424@@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
31425 }
31426 }
31427
31428-struct intel_dvo_dev_ops ivch_ops= {
31429+const struct intel_dvo_dev_ops ivch_ops= {
31430 .init = ivch_init,
31431 .dpms = ivch_dpms,
31432 .save = ivch_save,
31433diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.48/drivers/gpu/drm/i915/dvo_sil164.c
31434--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo_sil164.c 2011-11-08 19:02:43.000000000 -0500
31435+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo_sil164.c 2011-11-15 19:59:43.000000000 -0500
31436@@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
31437 }
31438 }
31439
31440-struct intel_dvo_dev_ops sil164_ops = {
31441+const struct intel_dvo_dev_ops sil164_ops = {
31442 .init = sil164_init,
31443 .detect = sil164_detect,
31444 .mode_valid = sil164_mode_valid,
31445diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.48/drivers/gpu/drm/i915/dvo_tfp410.c
31446--- linux-2.6.32.48/drivers/gpu/drm/i915/dvo_tfp410.c 2011-11-08 19:02:43.000000000 -0500
31447+++ linux-2.6.32.48/drivers/gpu/drm/i915/dvo_tfp410.c 2011-11-15 19:59:43.000000000 -0500
31448@@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
31449 }
31450 }
31451
31452-struct intel_dvo_dev_ops tfp410_ops = {
31453+const struct intel_dvo_dev_ops tfp410_ops = {
31454 .init = tfp410_init,
31455 .detect = tfp410_detect,
31456 .mode_valid = tfp410_mode_valid,
31457diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.48/drivers/gpu/drm/i915/i915_debugfs.c
31458--- linux-2.6.32.48/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-08 19:02:43.000000000 -0500
31459+++ linux-2.6.32.48/drivers/gpu/drm/i915/i915_debugfs.c 2011-11-15 19:59:43.000000000 -0500
31460@@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
31461 I915_READ(GTIMR));
31462 }
31463 seq_printf(m, "Interrupts received: %d\n",
31464- atomic_read(&dev_priv->irq_received));
31465+ atomic_read_unchecked(&dev_priv->irq_received));
31466 if (dev_priv->hw_status_page != NULL) {
31467 seq_printf(m, "Current sequence: %d\n",
31468 i915_get_gem_seqno(dev));
31469diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.c
31470--- linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.c 2011-11-08 19:02:43.000000000 -0500
31471+++ linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.c 2011-11-15 19:59:43.000000000 -0500
31472@@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
31473 return i915_resume(dev);
31474 }
31475
31476-static struct vm_operations_struct i915_gem_vm_ops = {
31477+static const struct vm_operations_struct i915_gem_vm_ops = {
31478 .fault = i915_gem_fault,
31479 .open = drm_gem_vm_open,
31480 .close = drm_gem_vm_close,
31481diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.h
31482--- linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.h 2011-11-08 19:02:43.000000000 -0500
31483+++ linux-2.6.32.48/drivers/gpu/drm/i915/i915_drv.h 2011-11-15 19:59:43.000000000 -0500
31484@@ -168,7 +168,7 @@ struct drm_i915_display_funcs {
31485 /* display clock increase/decrease */
31486 /* pll clock increase/decrease */
31487 /* clock gating init */
31488-};
31489+} __no_const;
31490
31491 typedef struct drm_i915_private {
31492 struct drm_device *dev;
31493@@ -197,7 +197,7 @@ typedef struct drm_i915_private {
31494 int page_flipping;
31495
31496 wait_queue_head_t irq_queue;
31497- atomic_t irq_received;
31498+ atomic_unchecked_t irq_received;
31499 /** Protects user_irq_refcount and irq_mask_reg */
31500 spinlock_t user_irq_lock;
31501 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
31502diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.48/drivers/gpu/drm/i915/i915_gem.c
31503--- linux-2.6.32.48/drivers/gpu/drm/i915/i915_gem.c 2011-11-08 19:02:43.000000000 -0500
31504+++ linux-2.6.32.48/drivers/gpu/drm/i915/i915_gem.c 2011-11-15 19:59:43.000000000 -0500
31505@@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
31506
31507 args->aper_size = dev->gtt_total;
31508 args->aper_available_size = (args->aper_size -
31509- atomic_read(&dev->pin_memory));
31510+ atomic_read_unchecked(&dev->pin_memory));
31511
31512 return 0;
31513 }
31514@@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
31515 return -EINVAL;
31516 }
31517
31518+ if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
31519+ drm_gem_object_unreference(obj);
31520+ return -EFAULT;
31521+ }
31522+
31523 if (i915_gem_object_needs_bit17_swizzle(obj)) {
31524 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
31525 } else {
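Review bot: The added `access_ok(VERIFY_WRITE, ...)` check has no comment, and the reason it is needed is not visible at this point in i915_gem_pread_ioctl. If the pread paths called below copy with the unchecked `__copy_to_user*` helpers (they are outside the hunk, so this is an assumption), say so with `/* the copy paths below use unchecked user copies; validate the whole user range once here */`. The matching `VERIFY_READ` check added to i915_gem_pwrite_ioctl in the next hunk would benefit from the same comment. The function starts and ends outside the hunk.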
31526@@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
31527 return -EINVAL;
31528 }
31529
31530+ if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
31531+ drm_gem_object_unreference(obj);
31532+ return -EFAULT;
31533+ }
31534+
31535 /* We can only do the GTT pwrite on untiled buffers, as otherwise
31536 * it would end up going through the fenced access, and we'll get
31537 * different detiling behavior between reading and writing.
31538@@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
31539
31540 if (obj_priv->gtt_space) {
31541 atomic_dec(&dev->gtt_count);
31542- atomic_sub(obj->size, &dev->gtt_memory);
31543+ atomic_sub_unchecked(obj->size, &dev->gtt_memory);
31544
31545 drm_mm_put_block(obj_priv->gtt_space);
31546 obj_priv->gtt_space = NULL;
31547@@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
31548 goto search_free;
31549 }
31550 atomic_inc(&dev->gtt_count);
31551- atomic_add(obj->size, &dev->gtt_memory);
31552+ atomic_add_unchecked(obj->size, &dev->gtt_memory);
31553
31554 /* Assert that the object is not currently in any GPU domain. As it
31555 * wasn't in the GTT, there shouldn't be any way it could have been in
31556@@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
31557 "%d/%d gtt bytes\n",
31558 atomic_read(&dev->object_count),
31559 atomic_read(&dev->pin_count),
31560- atomic_read(&dev->object_memory),
31561- atomic_read(&dev->pin_memory),
31562- atomic_read(&dev->gtt_memory),
31563+ atomic_read_unchecked(&dev->object_memory),
31564+ atomic_read_unchecked(&dev->pin_memory),
31565+ atomic_read_unchecked(&dev->gtt_memory),
31566 dev->gtt_total);
31567 }
31568 goto err;
31569@@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
31570 */
31571 if (obj_priv->pin_count == 1) {
31572 atomic_inc(&dev->pin_count);
31573- atomic_add(obj->size, &dev->pin_memory);
31574+ atomic_add_unchecked(obj->size, &dev->pin_memory);
31575 if (!obj_priv->active &&
31576 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
31577 !list_empty(&obj_priv->list))
31578@@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
31579 list_move_tail(&obj_priv->list,
31580 &dev_priv->mm.inactive_list);
31581 atomic_dec(&dev->pin_count);
31582- atomic_sub(obj->size, &dev->pin_memory);
31583+ atomic_sub_unchecked(obj->size, &dev->pin_memory);
31584 }
31585 i915_verify_inactive(dev, __FILE__, __LINE__);
31586 }
31587diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.48/drivers/gpu/drm/i915/i915_irq.c
31588--- linux-2.6.32.48/drivers/gpu/drm/i915/i915_irq.c 2011-11-08 19:02:43.000000000 -0500
31589+++ linux-2.6.32.48/drivers/gpu/drm/i915/i915_irq.c 2011-11-15 19:59:43.000000000 -0500
31590@@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
31591 int irq_received;
31592 int ret = IRQ_NONE;
31593
31594- atomic_inc(&dev_priv->irq_received);
31595+ atomic_inc_unchecked(&dev_priv->irq_received);
31596
31597 if (IS_IGDNG(dev))
31598 return igdng_irq_handler(dev);
31599@@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
31600 {
31601 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
31602
31603- atomic_set(&dev_priv->irq_received, 0);
31604+ atomic_set_unchecked(&dev_priv->irq_received, 0);
31605
31606 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
31607 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
31608diff -urNp linux-2.6.32.48/drivers/gpu/drm/i915/intel_sdvo.c linux-2.6.32.48/drivers/gpu/drm/i915/intel_sdvo.c
31609--- linux-2.6.32.48/drivers/gpu/drm/i915/intel_sdvo.c 2011-11-08 19:02:43.000000000 -0500
31610+++ linux-2.6.32.48/drivers/gpu/drm/i915/intel_sdvo.c 2011-11-15 19:59:43.000000000 -0500
31611@@ -2795,7 +2795,9 @@ bool intel_sdvo_init(struct drm_device *
31612 sdvo_priv->slave_addr = intel_sdvo_get_slave_addr(dev, output_device);
31613
31614 /* Save the bit-banging i2c functionality for use by the DDC wrapper */
31615- intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31616+ pax_open_kernel();
31617+ *(void **)&intel_sdvo_i2c_bit_algo.functionality = intel_output->i2c_bus->algo->functionality;
31618+ pax_close_kernel();
31619
31620 /* Read the regs to test if we can talk to the device */
31621 for (i = 0; i < 0x40; i++) {
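Review bot: The right-hand side `intel_output->i2c_bus->algo->functionality` is dereferenced between `pax_open_kernel()` and `pax_close_kernel()`, so a three-level pointer chase runs while kernel write protection is lifted. Reading it into a local first narrows the open window to the single store: put `void *fn = intel_output->i2c_bus->algo->functionality;` before `pax_open_kernel();` and store with `*(void **)&intel_sdvo_i2c_bit_algo.functionality = fn;`. A one-line comment that `intel_sdvo_i2c_bit_algo` is presumably placed in read-only memory by this patch (its declaration is outside the hunk) would also explain the `void **` cast. intel_sdvo_init starts and ends outside the hunk.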
31622diff -urNp linux-2.6.32.48/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.48/drivers/gpu/drm/mga/mga_drv.h
31623--- linux-2.6.32.48/drivers/gpu/drm/mga/mga_drv.h 2011-11-08 19:02:43.000000000 -0500
31624+++ linux-2.6.32.48/drivers/gpu/drm/mga/mga_drv.h 2011-11-15 19:59:43.000000000 -0500
31625@@ -120,9 +120,9 @@ typedef struct drm_mga_private {
31626 u32 clear_cmd;
31627 u32 maccess;
31628
31629- atomic_t vbl_received; /**< Number of vblanks received. */
31630+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
31631 wait_queue_head_t fence_queue;
31632- atomic_t last_fence_retired;
31633+ atomic_unchecked_t last_fence_retired;
31634 u32 next_fence_to_post;
31635
31636 unsigned int fb_cpp;
31637diff -urNp linux-2.6.32.48/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.48/drivers/gpu/drm/mga/mga_irq.c
31638--- linux-2.6.32.48/drivers/gpu/drm/mga/mga_irq.c 2011-11-08 19:02:43.000000000 -0500
31639+++ linux-2.6.32.48/drivers/gpu/drm/mga/mga_irq.c 2011-11-15 19:59:43.000000000 -0500
31640@@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
31641 if (crtc != 0)
31642 return 0;
31643
31644- return atomic_read(&dev_priv->vbl_received);
31645+ return atomic_read_unchecked(&dev_priv->vbl_received);
31646 }
31647
31648
31649@@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31650 /* VBLANK interrupt */
31651 if (status & MGA_VLINEPEN) {
31652 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
31653- atomic_inc(&dev_priv->vbl_received);
31654+ atomic_inc_unchecked(&dev_priv->vbl_received);
31655 drm_handle_vblank(dev, 0);
31656 handled = 1;
31657 }
31658@@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
31659 MGA_WRITE(MGA_PRIMEND, prim_end);
31660 }
31661
31662- atomic_inc(&dev_priv->last_fence_retired);
31663+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
31664 DRM_WAKEUP(&dev_priv->fence_queue);
31665 handled = 1;
31666 }
31667@@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
31668 * using fences.
31669 */
31670 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
31671- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
31672+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
31673 - *sequence) <= (1 << 23)));
31674
31675 *sequence = cur_fence;
31676diff -urNp linux-2.6.32.48/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.48/drivers/gpu/drm/r128/r128_cce.c
31677--- linux-2.6.32.48/drivers/gpu/drm/r128/r128_cce.c 2011-11-08 19:02:43.000000000 -0500
31678+++ linux-2.6.32.48/drivers/gpu/drm/r128/r128_cce.c 2011-11-15 19:59:43.000000000 -0500
31679@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
31680
31681 /* GH: Simple idle check.
31682 */
31683- atomic_set(&dev_priv->idle_count, 0);
31684+ atomic_set_unchecked(&dev_priv->idle_count, 0);
31685
31686 /* We don't support anything other than bus-mastering ring mode,
31687 * but the ring can be in either AGP or PCI space for the ring
31688diff -urNp linux-2.6.32.48/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.48/drivers/gpu/drm/r128/r128_drv.h
31689--- linux-2.6.32.48/drivers/gpu/drm/r128/r128_drv.h 2011-11-08 19:02:43.000000000 -0500
31690+++ linux-2.6.32.48/drivers/gpu/drm/r128/r128_drv.h 2011-11-15 19:59:43.000000000 -0500
31691@@ -90,14 +90,14 @@ typedef struct drm_r128_private {
31692 int is_pci;
31693 unsigned long cce_buffers_offset;
31694
31695- atomic_t idle_count;
31696+ atomic_unchecked_t idle_count;
31697
31698 int page_flipping;
31699 int current_page;
31700 u32 crtc_offset;
31701 u32 crtc_offset_cntl;
31702
31703- atomic_t vbl_received;
31704+ atomic_unchecked_t vbl_received;
31705
31706 u32 color_fmt;
31707 unsigned int front_offset;
31708diff -urNp linux-2.6.32.48/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.48/drivers/gpu/drm/r128/r128_irq.c
31709--- linux-2.6.32.48/drivers/gpu/drm/r128/r128_irq.c 2011-11-08 19:02:43.000000000 -0500
31710+++ linux-2.6.32.48/drivers/gpu/drm/r128/r128_irq.c 2011-11-15 19:59:43.000000000 -0500
31711@@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
31712 if (crtc != 0)
31713 return 0;
31714
31715- return atomic_read(&dev_priv->vbl_received);
31716+ return atomic_read_unchecked(&dev_priv->vbl_received);
31717 }
31718
31719 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
31720@@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
31721 /* VBLANK interrupt */
31722 if (status & R128_CRTC_VBLANK_INT) {
31723 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
31724- atomic_inc(&dev_priv->vbl_received);
31725+ atomic_inc_unchecked(&dev_priv->vbl_received);
31726 drm_handle_vblank(dev, 0);
31727 return IRQ_HANDLED;
31728 }
31729diff -urNp linux-2.6.32.48/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.48/drivers/gpu/drm/r128/r128_state.c
31730--- linux-2.6.32.48/drivers/gpu/drm/r128/r128_state.c 2011-11-08 19:02:43.000000000 -0500
31731+++ linux-2.6.32.48/drivers/gpu/drm/r128/r128_state.c 2011-11-15 19:59:43.000000000 -0500
31732@@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
31733
31734 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
31735 {
31736- if (atomic_read(&dev_priv->idle_count) == 0) {
31737+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
31738 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
31739 } else {
31740- atomic_set(&dev_priv->idle_count, 0);
31741+ atomic_set_unchecked(&dev_priv->idle_count, 0);
31742 }
31743 }
31744
31745diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/atom.c linux-2.6.32.48/drivers/gpu/drm/radeon/atom.c
31746--- linux-2.6.32.48/drivers/gpu/drm/radeon/atom.c 2011-11-08 19:02:43.000000000 -0500
31747+++ linux-2.6.32.48/drivers/gpu/drm/radeon/atom.c 2011-11-15 19:59:43.000000000 -0500
31748@@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
31749 char name[512];
31750 int i;
31751
31752+ pax_track_stack();
31753+
31754 ctx->card = card;
31755 ctx->bios = bios;
31756
31757diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.48/drivers/gpu/drm/radeon/mkregtable.c
31758--- linux-2.6.32.48/drivers/gpu/drm/radeon/mkregtable.c 2011-11-08 19:02:43.000000000 -0500
31759+++ linux-2.6.32.48/drivers/gpu/drm/radeon/mkregtable.c 2011-11-15 19:59:43.000000000 -0500
31760@@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
31761 regex_t mask_rex;
31762 regmatch_t match[4];
31763 char buf[1024];
31764- size_t end;
31765+ long end;
31766 int len;
31767 int done = 0;
31768 int r;
31769 unsigned o;
31770 struct offset *offset;
31771 char last_reg_s[10];
31772- int last_reg;
31773+ unsigned long last_reg;
31774
31775 if (regcomp
31776 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
31777diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_atombios.c
31778--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-08 19:02:43.000000000 -0500
31779+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_atombios.c 2011-11-15 19:59:43.000000000 -0500
31780@@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
31781 bool linkb;
31782 struct radeon_i2c_bus_rec ddc_bus;
31783
31784+ pax_track_stack();
31785+
31786 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31787
31788 if (data_offset == 0)
31789@@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
31790 }
31791 }
31792
31793-struct bios_connector {
31794+static struct bios_connector {
31795 bool valid;
31796 uint16_t line_mux;
31797 uint16_t devices;
31798 int connector_type;
31799 struct radeon_i2c_bus_rec ddc_bus;
31800-};
31801+} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31802
31803 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
31804 drm_device
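Review bot: Turning `bios_connectors` into a file-scope `static` array means every call to radeon_get_atom_connector_info_from_supported_devices_table() now shares one buffer, where the local removed in the next hunk gave each call its own. Nothing visible in these hunks serialises callers, so two devices probed concurrently could overwrite each other's entries. Entries written by an earlier call also stay in place unless the function resets each one before use; the body is outside the hunk, so this needs checking. If the goal is only to get the array off the stack, a per-call allocation keeps the old semantics: `bios_connectors = kcalloc(ATOM_MAX_SUPPORTED_DEVICE, sizeof(*bios_connectors), GFP_KERNEL);` with a NULL check and `kfree(bios_connectors);` on each return path.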
31805@@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
31806 uint8_t dac;
31807 union atom_supported_devices *supported_devices;
31808 int i, j;
31809- struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
31810
31811 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
31812
31813diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_display.c
31814--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_display.c 2011-11-08 19:02:43.000000000 -0500
31815+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_display.c 2011-11-15 19:59:43.000000000 -0500
31816@@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
31817
31818 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
31819 error = freq - current_freq;
31820- error = error < 0 ? 0xffffffff : error;
31821+ error = (int32_t)error < 0 ? 0xffffffff : error;
31822 } else
31823 error = abs(current_freq - freq);
31824 vco_diff = abs(vco - best_vco);
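Review bot: The cast in `(int32_t)error < 0` detects wrap-around only after the subtraction has happened, so it also classifies any genuine difference of 2^31 or more as negative. Assuming `freq`, `current_freq` and `error` are unsigned 32-bit values (their declarations are outside the hunk), comparing the operands first states the intent directly: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. If the cast is kept, a short comment that `error` is unsigned and the old `error < 0` test could never be true would explain why it is there.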
31825diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_drv.h
31826--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-08 19:02:43.000000000 -0500
31827+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_drv.h 2011-11-15 19:59:43.000000000 -0500
31828@@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
31829
31830 /* SW interrupt */
31831 wait_queue_head_t swi_queue;
31832- atomic_t swi_emitted;
31833+ atomic_unchecked_t swi_emitted;
31834 int vblank_crtc;
31835 uint32_t irq_enable_reg;
31836 uint32_t r500_disp_irq_reg;
31837diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_fence.c
31838--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-08 19:02:43.000000000 -0500
31839+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_fence.c 2011-11-15 19:59:43.000000000 -0500
31840@@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
31841 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
31842 return 0;
31843 }
31844- fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
31845+ fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
31846 if (!rdev->cp.ready) {
31847 /* FIXME: cp is not running assume everythings is done right
31848 * away
31849@@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
31850 return r;
31851 }
31852 WREG32(rdev->fence_drv.scratch_reg, 0);
31853- atomic_set(&rdev->fence_drv.seq, 0);
31854+ atomic_set_unchecked(&rdev->fence_drv.seq, 0);
31855 INIT_LIST_HEAD(&rdev->fence_drv.created);
31856 INIT_LIST_HEAD(&rdev->fence_drv.emited);
31857 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
31858diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.48/drivers/gpu/drm/radeon/radeon.h
31859--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon.h 2011-11-08 19:02:43.000000000 -0500
31860+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon.h 2011-11-15 19:59:43.000000000 -0500
31861@@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
31862 */
31863 struct radeon_fence_driver {
31864 uint32_t scratch_reg;
31865- atomic_t seq;
31866+ atomic_unchecked_t seq;
31867 uint32_t last_seq;
31868 unsigned long count_timeout;
31869 wait_queue_head_t queue;
31870@@ -640,7 +640,7 @@ struct radeon_asic {
31871 uint32_t offset, uint32_t obj_size);
31872 int (*clear_surface_reg)(struct radeon_device *rdev, int reg);
31873 void (*bandwidth_update)(struct radeon_device *rdev);
31874-};
31875+} __no_const;
31876
31877 /*
31878 * Asic structures
31879diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ioc32.c
31880--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-08 19:02:43.000000000 -0500
31881+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-11-15 19:59:43.000000000 -0500
31882@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
31883 request = compat_alloc_user_space(sizeof(*request));
31884 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
31885 || __put_user(req32.param, &request->param)
31886- || __put_user((void __user *)(unsigned long)req32.value,
31887+ || __put_user((unsigned long)req32.value,
31888 &request->value))
31889 return -EFAULT;
31890
31891diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_irq.c
31892--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-08 19:02:43.000000000 -0500
31893+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_irq.c 2011-11-15 19:59:43.000000000 -0500
31894@@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
31895 unsigned int ret;
31896 RING_LOCALS;
31897
31898- atomic_inc(&dev_priv->swi_emitted);
31899- ret = atomic_read(&dev_priv->swi_emitted);
31900+ atomic_inc_unchecked(&dev_priv->swi_emitted);
31901+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
31902
31903 BEGIN_RING(4);
31904 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
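Review bot: The increment and the read of `swi_emitted` in radeon_emit_irq() are still two separate atomic operations. If two callers can run concurrently, `ret` may pick up the other caller's increment and both would emit the same sequence number; whether callers are serialised is not visible in the hunk. The patch already uses `atomic_inc_return_unchecked()` in hid-core.c, and it fits here as a single step: `ret = atomic_inc_return_unchecked(&dev_priv->swi_emitted);`. The via_driver_irq_handler() hunk in via_irq.c has the same increment-then-read shape, though there it runs inside the interrupt handler.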
31905@@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
31906 drm_radeon_private_t *dev_priv =
31907 (drm_radeon_private_t *) dev->dev_private;
31908
31909- atomic_set(&dev_priv->swi_emitted, 0);
31910+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
31911 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
31912
31913 dev->max_vblank_count = 0x001fffff;
31914diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_state.c
31915--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_state.c 2011-11-08 19:02:43.000000000 -0500
31916+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_state.c 2011-11-15 19:59:43.000000000 -0500
31917@@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
31918 {
31919 drm_radeon_private_t *dev_priv = dev->dev_private;
31920 drm_radeon_getparam_t *param = data;
31921- int value;
31922+ int value = 0;
31923
31924 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
31925
31926diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ttm.c
31927--- linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-08 19:02:43.000000000 -0500
31928+++ linux-2.6.32.48/drivers/gpu/drm/radeon/radeon_ttm.c 2011-11-15 19:59:43.000000000 -0500
31929@@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
31930 DRM_INFO("radeon: ttm finalized\n");
31931 }
31932
31933-static struct vm_operations_struct radeon_ttm_vm_ops;
31934-static const struct vm_operations_struct *ttm_vm_ops = NULL;
31935-
31936-static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
31937-{
31938- struct ttm_buffer_object *bo;
31939- int r;
31940-
31941- bo = (struct ttm_buffer_object *)vma->vm_private_data;
31942- if (bo == NULL) {
31943- return VM_FAULT_NOPAGE;
31944- }
31945- r = ttm_vm_ops->fault(vma, vmf);
31946- return r;
31947-}
31948-
31949 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
31950 {
31951 struct drm_file *file_priv;
31952 struct radeon_device *rdev;
31953- int r;
31954
31955 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
31956 return drm_mmap(filp, vma);
31957@@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
31958
31959 file_priv = (struct drm_file *)filp->private_data;
31960 rdev = file_priv->minor->dev->dev_private;
31961- if (rdev == NULL) {
31962+ if (!rdev)
31963 return -EINVAL;
31964- }
31965- r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31966- if (unlikely(r != 0)) {
31967- return r;
31968- }
31969- if (unlikely(ttm_vm_ops == NULL)) {
31970- ttm_vm_ops = vma->vm_ops;
31971- radeon_ttm_vm_ops = *ttm_vm_ops;
31972- radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
31973- }
31974- vma->vm_ops = &radeon_ttm_vm_ops;
31975- return 0;
31976+ return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
31977 }
31978
31979
31980diff -urNp linux-2.6.32.48/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.48/drivers/gpu/drm/radeon/rs690.c
31981--- linux-2.6.32.48/drivers/gpu/drm/radeon/rs690.c 2011-11-08 19:02:43.000000000 -0500
31982+++ linux-2.6.32.48/drivers/gpu/drm/radeon/rs690.c 2011-11-15 19:59:43.000000000 -0500
31983@@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
31984 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
31985 rdev->pm.sideport_bandwidth.full)
31986 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
31987- read_delay_latency.full = rfixed_const(370 * 800 * 1000);
31988+ read_delay_latency.full = rfixed_const(800 * 1000);
31989 read_delay_latency.full = rfixed_div(read_delay_latency,
31990 rdev->pm.igp_sideport_mclk);
31991+ a.full = rfixed_const(370);
31992+ read_delay_latency.full = rfixed_mul(read_delay_latency, a);
31993 } else {
31994 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
31995 rdev->pm.k8_bandwidth.full)
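Review bot: Splitting `rfixed_const(370 * 800 * 1000)` into a divide followed by `rfixed_mul(read_delay_latency, a)` changes the order of the fixed-point operations, and the hunk gives no reason for it. Presumably the full product no longer fits once it is converted to fixed point; a comment such as `/* 370 * 800 * 1000 overflows as a fixed-point constant; scale by 370 after the divide */` would record that. Dividing before multiplying also rounds the intermediate result, so the final latency can differ slightly from the exact value, which is worth a word in the same comment. `a` is declared outside the hunk and is used here as a scratch value.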
31996diff -urNp linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo.c
31997--- linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo.c 2011-11-08 19:02:43.000000000 -0500
31998+++ linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo.c 2011-11-15 19:59:43.000000000 -0500
31999@@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
32000 NULL
32001 };
32002
32003-static struct sysfs_ops ttm_bo_global_ops = {
32004+static const struct sysfs_ops ttm_bo_global_ops = {
32005 .show = &ttm_bo_global_show
32006 };
32007
32008diff -urNp linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo_vm.c
32009--- linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-11-08 19:02:43.000000000 -0500
32010+++ linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-11-15 19:59:43.000000000 -0500
32011@@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
32012 {
32013 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
32014 vma->vm_private_data;
32015- struct ttm_bo_device *bdev = bo->bdev;
32016+ struct ttm_bo_device *bdev;
32017 unsigned long bus_base;
32018 unsigned long bus_offset;
32019 unsigned long bus_size;
32020@@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
32021 unsigned long address = (unsigned long)vmf->virtual_address;
32022 int retval = VM_FAULT_NOPAGE;
32023
32024+ if (!bo)
32025+ return VM_FAULT_NOPAGE;
32026+ bdev = bo->bdev;
32027+
32028 /*
32029 * Work around locking order reversal in fault / nopfn
32030 * between mmap_sem and bo_reserve: Perform a trylock operation
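Review bot: Returning `VM_FAULT_NOPAGE` for a NULL `bo` in ttm_bo_vm_fault() reports the fault as handled without mapping anything, so if `vma->vm_private_data` stays NULL the task would presumably fault on the same address repeatedly. The value is carried over from the radeon_ttm_fault() wrapper that the radeon_ttm.c hunk removes. A missing buffer object does not look like a transient condition, though, and `return VM_FAULT_SIGBUS;` would end the access with an error instead. A one-line comment on when `vm_private_data` can be NULL would also help, since the hunk does not show it. The function continues outside the hunk.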
32031diff -urNp linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_global.c
32032--- linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_global.c 2011-11-08 19:02:43.000000000 -0500
32033+++ linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_global.c 2011-11-15 19:59:43.000000000 -0500
32034@@ -36,7 +36,7 @@
32035 struct ttm_global_item {
32036 struct mutex mutex;
32037 void *object;
32038- int refcount;
32039+ atomic_t refcount;
32040 };
32041
32042 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
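Review bot: The switch of `refcount` from `int` to `atomic_t` is not explained. The accesses shown in the ttm_global_item_ref() and ttm_global_item_unref() hunks all follow `mutex_lock(&item->mutex)`, so atomicity alone does not seem to be the reason. If the intent is to bring the counter under the patch set's checked-atomic overflow detection (other hunks on this page move plain counters to `atomic_unchecked_t`, apparently to opt out of it), say so on the field: `atomic_t refcount; /* overflow-checked; updates still under mutex */`.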
32043@@ -49,7 +49,7 @@ void ttm_global_init(void)
32044 struct ttm_global_item *item = &glob[i];
32045 mutex_init(&item->mutex);
32046 item->object = NULL;
32047- item->refcount = 0;
32048+ atomic_set(&item->refcount, 0);
32049 }
32050 }
32051
32052@@ -59,7 +59,7 @@ void ttm_global_release(void)
32053 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
32054 struct ttm_global_item *item = &glob[i];
32055 BUG_ON(item->object != NULL);
32056- BUG_ON(item->refcount != 0);
32057+ BUG_ON(atomic_read(&item->refcount) != 0);
32058 }
32059 }
32060
32061@@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
32062 void *object;
32063
32064 mutex_lock(&item->mutex);
32065- if (item->refcount == 0) {
32066+ if (atomic_read(&item->refcount) == 0) {
32067 item->object = kzalloc(ref->size, GFP_KERNEL);
32068 if (unlikely(item->object == NULL)) {
32069 ret = -ENOMEM;
32070@@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
32071 goto out_err;
32072
32073 }
32074- ++item->refcount;
32075+ atomic_inc(&item->refcount);
32076 ref->object = item->object;
32077 object = item->object;
32078 mutex_unlock(&item->mutex);
32079@@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
32080 struct ttm_global_item *item = &glob[ref->global_type];
32081
32082 mutex_lock(&item->mutex);
32083- BUG_ON(item->refcount == 0);
32084+ BUG_ON(atomic_read(&item->refcount) == 0);
32085 BUG_ON(ref->object != item->object);
32086- if (--item->refcount == 0) {
32087+ if (atomic_dec_and_test(&item->refcount)) {
32088 ref->release(ref);
32089 item->object = NULL;
32090 }
32091diff -urNp linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_memory.c
32092--- linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_memory.c 2011-11-08 19:02:43.000000000 -0500
32093+++ linux-2.6.32.48/drivers/gpu/drm/ttm/ttm_memory.c 2011-11-15 19:59:43.000000000 -0500
32094@@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
32095 NULL
32096 };
32097
32098-static struct sysfs_ops ttm_mem_zone_ops = {
32099+static const struct sysfs_ops ttm_mem_zone_ops = {
32100 .show = &ttm_mem_zone_show,
32101 .store = &ttm_mem_zone_store
32102 };
32103diff -urNp linux-2.6.32.48/drivers/gpu/drm/via/via_drv.h linux-2.6.32.48/drivers/gpu/drm/via/via_drv.h
32104--- linux-2.6.32.48/drivers/gpu/drm/via/via_drv.h 2011-11-08 19:02:43.000000000 -0500
32105+++ linux-2.6.32.48/drivers/gpu/drm/via/via_drv.h 2011-11-15 19:59:43.000000000 -0500
32106@@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
32107 typedef uint32_t maskarray_t[5];
32108
32109 typedef struct drm_via_irq {
32110- atomic_t irq_received;
32111+ atomic_unchecked_t irq_received;
32112 uint32_t pending_mask;
32113 uint32_t enable_mask;
32114 wait_queue_head_t irq_queue;
32115@@ -75,7 +75,7 @@ typedef struct drm_via_private {
32116 struct timeval last_vblank;
32117 int last_vblank_valid;
32118 unsigned usec_per_vblank;
32119- atomic_t vbl_received;
32120+ atomic_unchecked_t vbl_received;
32121 drm_via_state_t hc_state;
32122 char pci_buf[VIA_PCI_BUF_SIZE];
32123 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
32124diff -urNp linux-2.6.32.48/drivers/gpu/drm/via/via_irq.c linux-2.6.32.48/drivers/gpu/drm/via/via_irq.c
32125--- linux-2.6.32.48/drivers/gpu/drm/via/via_irq.c 2011-11-08 19:02:43.000000000 -0500
32126+++ linux-2.6.32.48/drivers/gpu/drm/via/via_irq.c 2011-11-15 19:59:43.000000000 -0500
32127@@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
32128 if (crtc != 0)
32129 return 0;
32130
32131- return atomic_read(&dev_priv->vbl_received);
32132+ return atomic_read_unchecked(&dev_priv->vbl_received);
32133 }
32134
32135 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
32136@@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
32137
32138 status = VIA_READ(VIA_REG_INTERRUPT);
32139 if (status & VIA_IRQ_VBLANK_PENDING) {
32140- atomic_inc(&dev_priv->vbl_received);
32141- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
32142+ atomic_inc_unchecked(&dev_priv->vbl_received);
32143+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
32144 do_gettimeofday(&cur_vblank);
32145 if (dev_priv->last_vblank_valid) {
32146 dev_priv->usec_per_vblank =
32147@@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
32148 dev_priv->last_vblank = cur_vblank;
32149 dev_priv->last_vblank_valid = 1;
32150 }
32151- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
32152+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
32153 DRM_DEBUG("US per vblank is: %u\n",
32154 dev_priv->usec_per_vblank);
32155 }
32156@@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
32157
32158 for (i = 0; i < dev_priv->num_irqs; ++i) {
32159 if (status & cur_irq->pending_mask) {
32160- atomic_inc(&cur_irq->irq_received);
32161+ atomic_inc_unchecked(&cur_irq->irq_received);
32162 DRM_WAKEUP(&cur_irq->irq_queue);
32163 handled = 1;
32164 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
32165@@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
32166 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
32167 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
32168 masks[irq][4]));
32169- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
32170+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
32171 } else {
32172 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
32173 (((cur_irq_sequence =
32174- atomic_read(&cur_irq->irq_received)) -
32175+ atomic_read_unchecked(&cur_irq->irq_received)) -
32176 *sequence) <= (1 << 23)));
32177 }
32178 *sequence = cur_irq_sequence;
32179@@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
32180 }
32181
32182 for (i = 0; i < dev_priv->num_irqs; ++i) {
32183- atomic_set(&cur_irq->irq_received, 0);
32184+ atomic_set_unchecked(&cur_irq->irq_received, 0);
32185 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
32186 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
32187 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
32188@@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
32189 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
32190 case VIA_IRQ_RELATIVE:
32191 irqwait->request.sequence +=
32192- atomic_read(&cur_irq->irq_received);
32193+ atomic_read_unchecked(&cur_irq->irq_received);
32194 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
32195 case VIA_IRQ_ABSOLUTE:
32196 break;
32197diff -urNp linux-2.6.32.48/drivers/hid/hid-core.c linux-2.6.32.48/drivers/hid/hid-core.c
32198--- linux-2.6.32.48/drivers/hid/hid-core.c 2011-11-08 19:02:43.000000000 -0500
32199+++ linux-2.6.32.48/drivers/hid/hid-core.c 2011-11-15 19:59:43.000000000 -0500
32200@@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
32201
32202 int hid_add_device(struct hid_device *hdev)
32203 {
32204- static atomic_t id = ATOMIC_INIT(0);
32205+ static atomic_unchecked_t id = ATOMIC_INIT(0);
32206 int ret;
32207
32208 if (WARN_ON(hdev->status & HID_STAT_ADDED))
32209@@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
32210 /* XXX hack, any other cleaner solution after the driver core
32211 * is converted to allow more than 20 bytes as the device name? */
32212 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
32213- hdev->vendor, hdev->product, atomic_inc_return(&id));
32214+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
32215
32216 ret = device_add(&hdev->dev);
32217 if (!ret)
32218diff -urNp linux-2.6.32.48/drivers/hid/usbhid/hiddev.c linux-2.6.32.48/drivers/hid/usbhid/hiddev.c
32219--- linux-2.6.32.48/drivers/hid/usbhid/hiddev.c 2011-11-08 19:02:43.000000000 -0500
32220+++ linux-2.6.32.48/drivers/hid/usbhid/hiddev.c 2011-11-15 19:59:43.000000000 -0500
32221@@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
32222 return put_user(HID_VERSION, (int __user *)arg);
32223
32224 case HIDIOCAPPLICATION:
32225- if (arg < 0 || arg >= hid->maxapplication)
32226+ if (arg >= hid->maxapplication)
32227 return -EINVAL;
32228
32229 for (i = 0; i < hid->maxcollection; i++)
32230diff -urNp linux-2.6.32.48/drivers/hwmon/lis3lv02d.c linux-2.6.32.48/drivers/hwmon/lis3lv02d.c
32231--- linux-2.6.32.48/drivers/hwmon/lis3lv02d.c 2011-11-08 19:02:43.000000000 -0500
32232+++ linux-2.6.32.48/drivers/hwmon/lis3lv02d.c 2011-11-15 19:59:43.000000000 -0500
32233@@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
32234 * the lid is closed. This leads to interrupts as soon as a little move
32235 * is done.
32236 */
32237- atomic_inc(&lis3_dev.count);
32238+ atomic_inc_unchecked(&lis3_dev.count);
32239
32240 wake_up_interruptible(&lis3_dev.misc_wait);
32241 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
32242@@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
32243 if (test_and_set_bit(0, &lis3_dev.misc_opened))
32244 return -EBUSY; /* already open */
32245
32246- atomic_set(&lis3_dev.count, 0);
32247+ atomic_set_unchecked(&lis3_dev.count, 0);
32248
32249 /*
32250 * The sensor can generate interrupts for free-fall and direction
32251@@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
32252 add_wait_queue(&lis3_dev.misc_wait, &wait);
32253 while (true) {
32254 set_current_state(TASK_INTERRUPTIBLE);
32255- data = atomic_xchg(&lis3_dev.count, 0);
32256+ data = atomic_xchg_unchecked(&lis3_dev.count, 0);
32257 if (data)
32258 break;
32259
32260@@ -244,7 +244,7 @@ out:
32261 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
32262 {
32263 poll_wait(file, &lis3_dev.misc_wait, wait);
32264- if (atomic_read(&lis3_dev.count))
32265+ if (atomic_read_unchecked(&lis3_dev.count))
32266 return POLLIN | POLLRDNORM;
32267 return 0;
32268 }
32269diff -urNp linux-2.6.32.48/drivers/hwmon/lis3lv02d.h linux-2.6.32.48/drivers/hwmon/lis3lv02d.h
32270--- linux-2.6.32.48/drivers/hwmon/lis3lv02d.h 2011-11-08 19:02:43.000000000 -0500
32271+++ linux-2.6.32.48/drivers/hwmon/lis3lv02d.h 2011-11-15 19:59:43.000000000 -0500
32272@@ -201,7 +201,7 @@ struct lis3lv02d {
32273
32274 struct input_polled_dev *idev; /* input device */
32275 struct platform_device *pdev; /* platform device */
32276- atomic_t count; /* interrupt count after last read */
32277+ atomic_unchecked_t count; /* interrupt count after last read */
32278 int xcalib; /* calibrated null value for x */
32279 int ycalib; /* calibrated null value for y */
32280 int zcalib; /* calibrated null value for z */
32281diff -urNp linux-2.6.32.48/drivers/hwmon/sht15.c linux-2.6.32.48/drivers/hwmon/sht15.c
32282--- linux-2.6.32.48/drivers/hwmon/sht15.c 2011-11-08 19:02:43.000000000 -0500
32283+++ linux-2.6.32.48/drivers/hwmon/sht15.c 2011-11-15 19:59:43.000000000 -0500
32284@@ -112,7 +112,7 @@ struct sht15_data {
32285 int supply_uV;
32286 int supply_uV_valid;
32287 struct work_struct update_supply_work;
32288- atomic_t interrupt_handled;
32289+ atomic_unchecked_t interrupt_handled;
32290 };
32291
32292 /**
32293@@ -245,13 +245,13 @@ static inline int sht15_update_single_va
32294 return ret;
32295
32296 gpio_direction_input(data->pdata->gpio_data);
32297- atomic_set(&data->interrupt_handled, 0);
32298+ atomic_set_unchecked(&data->interrupt_handled, 0);
32299
32300 enable_irq(gpio_to_irq(data->pdata->gpio_data));
32301 if (gpio_get_value(data->pdata->gpio_data) == 0) {
32302 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
32303 /* Only relevant if the interrupt hasn't occured. */
32304- if (!atomic_read(&data->interrupt_handled))
32305+ if (!atomic_read_unchecked(&data->interrupt_handled))
32306 schedule_work(&data->read_work);
32307 }
32308 ret = wait_event_timeout(data->wait_queue,
32309@@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
32310 struct sht15_data *data = d;
32311 /* First disable the interrupt */
32312 disable_irq_nosync(irq);
32313- atomic_inc(&data->interrupt_handled);
32314+ atomic_inc_unchecked(&data->interrupt_handled);
32315 /* Then schedule a reading work struct */
32316 if (data->flag != SHT15_READING_NOTHING)
32317 schedule_work(&data->read_work);
32318@@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
32319 here as could have gone low in meantime so verify
32320 it hasn't!
32321 */
32322- atomic_set(&data->interrupt_handled, 0);
32323+ atomic_set_unchecked(&data->interrupt_handled, 0);
32324 enable_irq(gpio_to_irq(data->pdata->gpio_data));
32325 /* If still not occured or another handler has been scheduled */
32326 if (gpio_get_value(data->pdata->gpio_data)
32327- || atomic_read(&data->interrupt_handled))
32328+ || atomic_read_unchecked(&data->interrupt_handled))
32329 return;
32330 }
32331 /* Read the data back from the device */
32332diff -urNp linux-2.6.32.48/drivers/hwmon/w83791d.c linux-2.6.32.48/drivers/hwmon/w83791d.c
32333--- linux-2.6.32.48/drivers/hwmon/w83791d.c 2011-11-08 19:02:43.000000000 -0500
32334+++ linux-2.6.32.48/drivers/hwmon/w83791d.c 2011-11-15 19:59:43.000000000 -0500
32335@@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
32336 struct i2c_board_info *info);
32337 static int w83791d_remove(struct i2c_client *client);
32338
32339-static int w83791d_read(struct i2c_client *client, u8 register);
32340-static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
32341+static int w83791d_read(struct i2c_client *client, u8 reg);
32342+static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
32343 static struct w83791d_data *w83791d_update_device(struct device *dev);
32344
32345 #ifdef DEBUG
32346diff -urNp linux-2.6.32.48/drivers/i2c/busses/i2c-amd756-s4882.c linux-2.6.32.48/drivers/i2c/busses/i2c-amd756-s4882.c
32347--- linux-2.6.32.48/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-08 19:02:43.000000000 -0500
32348+++ linux-2.6.32.48/drivers/i2c/busses/i2c-amd756-s4882.c 2011-11-15 19:59:43.000000000 -0500
32349@@ -43,7 +43,7 @@
32350 extern struct i2c_adapter amd756_smbus;
32351
32352 static struct i2c_adapter *s4882_adapter;
32353-static struct i2c_algorithm *s4882_algo;
32354+static i2c_algorithm_no_const *s4882_algo;
32355
32356 /* Wrapper access functions for multiplexed SMBus */
32357 static DEFINE_MUTEX(amd756_lock);
32358diff -urNp linux-2.6.32.48/drivers/i2c/busses/i2c-nforce2-s4985.c linux-2.6.32.48/drivers/i2c/busses/i2c-nforce2-s4985.c
32359--- linux-2.6.32.48/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-08 19:02:43.000000000 -0500
32360+++ linux-2.6.32.48/drivers/i2c/busses/i2c-nforce2-s4985.c 2011-11-15 19:59:43.000000000 -0500
32361@@ -41,7 +41,7 @@
32362 extern struct i2c_adapter *nforce2_smbus;
32363
32364 static struct i2c_adapter *s4985_adapter;
32365-static struct i2c_algorithm *s4985_algo;
32366+static i2c_algorithm_no_const *s4985_algo;
32367
32368 /* Wrapper access functions for multiplexed SMBus */
32369 static DEFINE_MUTEX(nforce2_lock);
32370diff -urNp linux-2.6.32.48/drivers/ide/aec62xx.c linux-2.6.32.48/drivers/ide/aec62xx.c
32371--- linux-2.6.32.48/drivers/ide/aec62xx.c 2011-11-08 19:02:43.000000000 -0500
32372+++ linux-2.6.32.48/drivers/ide/aec62xx.c 2011-11-18 18:01:55.000000000 -0500
32373@@ -180,7 +180,7 @@ static const struct ide_port_ops atp86x_
32374 .cable_detect = atp86x_cable_detect,
32375 };
32376
32377-static const struct ide_port_info aec62xx_chipsets[] __devinitdata = {
32378+static const struct ide_port_info aec62xx_chipsets[] __devinitconst = {
32379 { /* 0: AEC6210 */
32380 .name = DRV_NAME,
32381 .init_chipset = init_chipset_aec62xx,
32382diff -urNp linux-2.6.32.48/drivers/ide/alim15x3.c linux-2.6.32.48/drivers/ide/alim15x3.c
32383--- linux-2.6.32.48/drivers/ide/alim15x3.c 2011-11-08 19:02:43.000000000 -0500
32384+++ linux-2.6.32.48/drivers/ide/alim15x3.c 2011-11-18 18:01:55.000000000 -0500
32385@@ -509,7 +509,7 @@ static const struct ide_dma_ops ali_dma_
32386 .dma_sff_read_status = ide_dma_sff_read_status,
32387 };
32388
32389-static const struct ide_port_info ali15x3_chipset __devinitdata = {
32390+static const struct ide_port_info ali15x3_chipset __devinitconst = {
32391 .name = DRV_NAME,
32392 .init_chipset = init_chipset_ali15x3,
32393 .init_hwif = init_hwif_ali15x3,
32394diff -urNp linux-2.6.32.48/drivers/ide/amd74xx.c linux-2.6.32.48/drivers/ide/amd74xx.c
32395--- linux-2.6.32.48/drivers/ide/amd74xx.c 2011-11-08 19:02:43.000000000 -0500
32396+++ linux-2.6.32.48/drivers/ide/amd74xx.c 2011-11-18 18:01:55.000000000 -0500
32397@@ -221,7 +221,7 @@ static const struct ide_port_ops amd_por
32398 .udma_mask = udma, \
32399 }
32400
32401-static const struct ide_port_info amd74xx_chipsets[] __devinitdata = {
32402+static const struct ide_port_info amd74xx_chipsets[] __devinitconst = {
32403 /* 0: AMD7401 */ DECLARE_AMD_DEV(0x00, ATA_UDMA2),
32404 /* 1: AMD7409 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA4),
32405 /* 2: AMD7411/7441 */ DECLARE_AMD_DEV(ATA_SWDMA2, ATA_UDMA5),
32406diff -urNp linux-2.6.32.48/drivers/ide/atiixp.c linux-2.6.32.48/drivers/ide/atiixp.c
32407--- linux-2.6.32.48/drivers/ide/atiixp.c 2011-11-08 19:02:43.000000000 -0500
32408+++ linux-2.6.32.48/drivers/ide/atiixp.c 2011-11-18 18:01:55.000000000 -0500
32409@@ -137,7 +137,7 @@ static const struct ide_port_ops atiixp_
32410 .cable_detect = atiixp_cable_detect,
32411 };
32412
32413-static const struct ide_port_info atiixp_pci_info[] __devinitdata = {
32414+static const struct ide_port_info atiixp_pci_info[] __devinitconst = {
32415 { /* 0: IXP200/300/400/700 */
32416 .name = DRV_NAME,
32417 .enablebits = {{0x48,0x01,0x00}, {0x48,0x08,0x00}},
32418diff -urNp linux-2.6.32.48/drivers/ide/cmd64x.c linux-2.6.32.48/drivers/ide/cmd64x.c
32419--- linux-2.6.32.48/drivers/ide/cmd64x.c 2011-11-08 19:02:43.000000000 -0500
32420+++ linux-2.6.32.48/drivers/ide/cmd64x.c 2011-11-18 18:01:55.000000000 -0500
32421@@ -372,7 +372,7 @@ static const struct ide_dma_ops cmd646_r
32422 .dma_sff_read_status = ide_dma_sff_read_status,
32423 };
32424
32425-static const struct ide_port_info cmd64x_chipsets[] __devinitdata = {
32426+static const struct ide_port_info cmd64x_chipsets[] __devinitconst = {
32427 { /* 0: CMD643 */
32428 .name = DRV_NAME,
32429 .init_chipset = init_chipset_cmd64x,
32430diff -urNp linux-2.6.32.48/drivers/ide/cs5520.c linux-2.6.32.48/drivers/ide/cs5520.c
32431--- linux-2.6.32.48/drivers/ide/cs5520.c 2011-11-08 19:02:43.000000000 -0500
32432+++ linux-2.6.32.48/drivers/ide/cs5520.c 2011-11-18 18:01:55.000000000 -0500
32433@@ -93,7 +93,7 @@ static const struct ide_port_ops cs5520_
32434 .set_dma_mode = cs5520_set_dma_mode,
32435 };
32436
32437-static const struct ide_port_info cyrix_chipset __devinitdata = {
32438+static const struct ide_port_info cyrix_chipset __devinitconst = {
32439 .name = DRV_NAME,
32440 .enablebits = { { 0x60, 0x01, 0x01 }, { 0x60, 0x02, 0x02 } },
32441 .port_ops = &cs5520_port_ops,
32442diff -urNp linux-2.6.32.48/drivers/ide/cs5530.c linux-2.6.32.48/drivers/ide/cs5530.c
32443--- linux-2.6.32.48/drivers/ide/cs5530.c 2011-11-08 19:02:43.000000000 -0500
32444+++ linux-2.6.32.48/drivers/ide/cs5530.c 2011-11-18 18:01:55.000000000 -0500
32445@@ -244,7 +244,7 @@ static const struct ide_port_ops cs5530_
32446 .udma_filter = cs5530_udma_filter,
32447 };
32448
32449-static const struct ide_port_info cs5530_chipset __devinitdata = {
32450+static const struct ide_port_info cs5530_chipset __devinitconst = {
32451 .name = DRV_NAME,
32452 .init_chipset = init_chipset_cs5530,
32453 .init_hwif = init_hwif_cs5530,
32454diff -urNp linux-2.6.32.48/drivers/ide/cs5535.c linux-2.6.32.48/drivers/ide/cs5535.c
32455--- linux-2.6.32.48/drivers/ide/cs5535.c 2011-11-08 19:02:43.000000000 -0500
32456+++ linux-2.6.32.48/drivers/ide/cs5535.c 2011-11-18 18:01:55.000000000 -0500
32457@@ -170,7 +170,7 @@ static const struct ide_port_ops cs5535_
32458 .cable_detect = cs5535_cable_detect,
32459 };
32460
32461-static const struct ide_port_info cs5535_chipset __devinitdata = {
32462+static const struct ide_port_info cs5535_chipset __devinitconst = {
32463 .name = DRV_NAME,
32464 .port_ops = &cs5535_port_ops,
32465 .host_flags = IDE_HFLAG_SINGLE | IDE_HFLAG_POST_SET_MODE,
32466diff -urNp linux-2.6.32.48/drivers/ide/cy82c693.c linux-2.6.32.48/drivers/ide/cy82c693.c
32467--- linux-2.6.32.48/drivers/ide/cy82c693.c 2011-11-08 19:02:43.000000000 -0500
32468+++ linux-2.6.32.48/drivers/ide/cy82c693.c 2011-11-18 18:01:55.000000000 -0500
32469@@ -288,7 +288,7 @@ static const struct ide_port_ops cy82c69
32470 .set_dma_mode = cy82c693_set_dma_mode,
32471 };
32472
32473-static const struct ide_port_info cy82c693_chipset __devinitdata = {
32474+static const struct ide_port_info cy82c693_chipset __devinitconst = {
32475 .name = DRV_NAME,
32476 .init_iops = init_iops_cy82c693,
32477 .port_ops = &cy82c693_port_ops,
32478diff -urNp linux-2.6.32.48/drivers/ide/hpt366.c linux-2.6.32.48/drivers/ide/hpt366.c
32479--- linux-2.6.32.48/drivers/ide/hpt366.c 2011-11-08 19:02:43.000000000 -0500
32480+++ linux-2.6.32.48/drivers/ide/hpt366.c 2011-11-18 18:01:55.000000000 -0500
32481@@ -507,7 +507,7 @@ static struct hpt_timings hpt37x_timings
32482 }
32483 };
32484
32485-static const struct hpt_info hpt36x __devinitdata = {
32486+static const struct hpt_info hpt36x __devinitconst = {
32487 .chip_name = "HPT36x",
32488 .chip_type = HPT36x,
32489 .udma_mask = HPT366_ALLOW_ATA66_3 ? (HPT366_ALLOW_ATA66_4 ? ATA_UDMA4 : ATA_UDMA3) : ATA_UDMA2,
32490@@ -515,7 +515,7 @@ static const struct hpt_info hpt36x __de
32491 .timings = &hpt36x_timings
32492 };
32493
32494-static const struct hpt_info hpt370 __devinitdata = {
32495+static const struct hpt_info hpt370 __devinitconst = {
32496 .chip_name = "HPT370",
32497 .chip_type = HPT370,
32498 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
32499@@ -523,7 +523,7 @@ static const struct hpt_info hpt370 __de
32500 .timings = &hpt37x_timings
32501 };
32502
32503-static const struct hpt_info hpt370a __devinitdata = {
32504+static const struct hpt_info hpt370a __devinitconst = {
32505 .chip_name = "HPT370A",
32506 .chip_type = HPT370A,
32507 .udma_mask = HPT370_ALLOW_ATA100_5 ? ATA_UDMA5 : ATA_UDMA4,
32508@@ -531,7 +531,7 @@ static const struct hpt_info hpt370a __d
32509 .timings = &hpt37x_timings
32510 };
32511
32512-static const struct hpt_info hpt374 __devinitdata = {
32513+static const struct hpt_info hpt374 __devinitconst = {
32514 .chip_name = "HPT374",
32515 .chip_type = HPT374,
32516 .udma_mask = ATA_UDMA5,
32517@@ -539,7 +539,7 @@ static const struct hpt_info hpt374 __de
32518 .timings = &hpt37x_timings
32519 };
32520
32521-static const struct hpt_info hpt372 __devinitdata = {
32522+static const struct hpt_info hpt372 __devinitconst = {
32523 .chip_name = "HPT372",
32524 .chip_type = HPT372,
32525 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32526@@ -547,7 +547,7 @@ static const struct hpt_info hpt372 __de
32527 .timings = &hpt37x_timings
32528 };
32529
32530-static const struct hpt_info hpt372a __devinitdata = {
32531+static const struct hpt_info hpt372a __devinitconst = {
32532 .chip_name = "HPT372A",
32533 .chip_type = HPT372A,
32534 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32535@@ -555,7 +555,7 @@ static const struct hpt_info hpt372a __d
32536 .timings = &hpt37x_timings
32537 };
32538
32539-static const struct hpt_info hpt302 __devinitdata = {
32540+static const struct hpt_info hpt302 __devinitconst = {
32541 .chip_name = "HPT302",
32542 .chip_type = HPT302,
32543 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32544@@ -563,7 +563,7 @@ static const struct hpt_info hpt302 __de
32545 .timings = &hpt37x_timings
32546 };
32547
32548-static const struct hpt_info hpt371 __devinitdata = {
32549+static const struct hpt_info hpt371 __devinitconst = {
32550 .chip_name = "HPT371",
32551 .chip_type = HPT371,
32552 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32553@@ -571,7 +571,7 @@ static const struct hpt_info hpt371 __de
32554 .timings = &hpt37x_timings
32555 };
32556
32557-static const struct hpt_info hpt372n __devinitdata = {
32558+static const struct hpt_info hpt372n __devinitconst = {
32559 .chip_name = "HPT372N",
32560 .chip_type = HPT372N,
32561 .udma_mask = HPT372_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32562@@ -579,7 +579,7 @@ static const struct hpt_info hpt372n __d
32563 .timings = &hpt37x_timings
32564 };
32565
32566-static const struct hpt_info hpt302n __devinitdata = {
32567+static const struct hpt_info hpt302n __devinitconst = {
32568 .chip_name = "HPT302N",
32569 .chip_type = HPT302N,
32570 .udma_mask = HPT302_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32571@@ -587,7 +587,7 @@ static const struct hpt_info hpt302n __d
32572 .timings = &hpt37x_timings
32573 };
32574
32575-static const struct hpt_info hpt371n __devinitdata = {
32576+static const struct hpt_info hpt371n __devinitconst = {
32577 .chip_name = "HPT371N",
32578 .chip_type = HPT371N,
32579 .udma_mask = HPT371_ALLOW_ATA133_6 ? ATA_UDMA6 : ATA_UDMA5,
32580@@ -1422,7 +1422,7 @@ static const struct ide_dma_ops hpt36x_d
32581 .dma_sff_read_status = ide_dma_sff_read_status,
32582 };
32583
32584-static const struct ide_port_info hpt366_chipsets[] __devinitdata = {
32585+static const struct ide_port_info hpt366_chipsets[] __devinitconst = {
32586 { /* 0: HPT36x */
32587 .name = DRV_NAME,
32588 .init_chipset = init_chipset_hpt366,
32589diff -urNp linux-2.6.32.48/drivers/ide/ide-cd.c linux-2.6.32.48/drivers/ide/ide-cd.c
32590--- linux-2.6.32.48/drivers/ide/ide-cd.c 2011-11-08 19:02:43.000000000 -0500
32591+++ linux-2.6.32.48/drivers/ide/ide-cd.c 2011-11-15 19:59:43.000000000 -0500
32592@@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
32593 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
32594 if ((unsigned long)buf & alignment
32595 || blk_rq_bytes(rq) & q->dma_pad_mask
32596- || object_is_on_stack(buf))
32597+ || object_starts_on_stack(buf))
32598 drive->dma = 0;
32599 }
32600 }
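Review bot: The DMA-eligibility test in cdrom_do_block_pc now calls `object_starts_on_stack(buf)`, which by its name checks only where the buffer begins, and nothing at the call site says why that is sufficient. The helper is defined elsewhere in the patch and is not visible here, so its exact semantics should be checked before relying on it. I would add a comment above the condition, e.g. `/* never DMA to/from a buffer on the kernel stack: fall back to PIO */`. The function body starts and ends outside the hunk.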
32601diff -urNp linux-2.6.32.48/drivers/ide/ide-floppy.c linux-2.6.32.48/drivers/ide/ide-floppy.c
32602--- linux-2.6.32.48/drivers/ide/ide-floppy.c 2011-11-08 19:02:43.000000000 -0500
32603+++ linux-2.6.32.48/drivers/ide/ide-floppy.c 2011-11-15 19:59:43.000000000 -0500
32604@@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
32605 u8 pc_buf[256], header_len, desc_cnt;
32606 int i, rc = 1, blocks, length;
32607
32608+ pax_track_stack();
32609+
32610 ide_debug_log(IDE_DBG_FUNC, "enter");
32611
32612 drive->bios_cyl = 0;
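Review bot: The added `pax_track_stack();` in ide_floppy_get_capacity has no comment, so a reader cannot tell it is there because of the 256-byte `pc_buf` on the stack. I would put `/* large stack frame (pc_buf[256]): record stack depth for PaX stack sanitising */` above it; the helper is defined elsewhere in the patch, so the wording should be checked against that definition. The same bare call is added in ide_pci_init_two in drivers/ide/setup-pci.c, next to `struct ide_hw hw[4]`. Both function bodies continue outside their hunks.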
32613diff -urNp linux-2.6.32.48/drivers/ide/ide-pci-generic.c linux-2.6.32.48/drivers/ide/ide-pci-generic.c
32614--- linux-2.6.32.48/drivers/ide/ide-pci-generic.c 2011-11-08 19:02:43.000000000 -0500
32615+++ linux-2.6.32.48/drivers/ide/ide-pci-generic.c 2011-11-18 18:01:55.000000000 -0500
32616@@ -53,7 +53,7 @@ static const struct ide_port_ops netcell
32617 .udma_mask = ATA_UDMA6, \
32618 }
32619
32620-static const struct ide_port_info generic_chipsets[] __devinitdata = {
32621+static const struct ide_port_info generic_chipsets[] __devinitconst = {
32622 /* 0: Unknown */
32623 DECLARE_GENERIC_PCI_DEV(0),
32624
32625diff -urNp linux-2.6.32.48/drivers/ide/it8172.c linux-2.6.32.48/drivers/ide/it8172.c
32626--- linux-2.6.32.48/drivers/ide/it8172.c 2011-11-08 19:02:43.000000000 -0500
32627+++ linux-2.6.32.48/drivers/ide/it8172.c 2011-11-18 18:01:55.000000000 -0500
32628@@ -115,7 +115,7 @@ static const struct ide_port_ops it8172_
32629 .set_dma_mode = it8172_set_dma_mode,
32630 };
32631
32632-static const struct ide_port_info it8172_port_info __devinitdata = {
32633+static const struct ide_port_info it8172_port_info __devinitconst = {
32634 .name = DRV_NAME,
32635 .port_ops = &it8172_port_ops,
32636 .enablebits = { {0x41, 0x80, 0x80}, {0x00, 0x00, 0x00} },
32637diff -urNp linux-2.6.32.48/drivers/ide/it8213.c linux-2.6.32.48/drivers/ide/it8213.c
32638--- linux-2.6.32.48/drivers/ide/it8213.c 2011-11-08 19:02:43.000000000 -0500
32639+++ linux-2.6.32.48/drivers/ide/it8213.c 2011-11-18 18:01:55.000000000 -0500
32640@@ -156,7 +156,7 @@ static const struct ide_port_ops it8213_
32641 .cable_detect = it8213_cable_detect,
32642 };
32643
32644-static const struct ide_port_info it8213_chipset __devinitdata = {
32645+static const struct ide_port_info it8213_chipset __devinitconst = {
32646 .name = DRV_NAME,
32647 .enablebits = { {0x41, 0x80, 0x80} },
32648 .port_ops = &it8213_port_ops,
32649diff -urNp linux-2.6.32.48/drivers/ide/it821x.c linux-2.6.32.48/drivers/ide/it821x.c
32650--- linux-2.6.32.48/drivers/ide/it821x.c 2011-11-08 19:02:43.000000000 -0500
32651+++ linux-2.6.32.48/drivers/ide/it821x.c 2011-11-18 18:01:55.000000000 -0500
32652@@ -627,7 +627,7 @@ static const struct ide_port_ops it821x_
32653 .cable_detect = it821x_cable_detect,
32654 };
32655
32656-static const struct ide_port_info it821x_chipset __devinitdata = {
32657+static const struct ide_port_info it821x_chipset __devinitconst = {
32658 .name = DRV_NAME,
32659 .init_chipset = init_chipset_it821x,
32660 .init_hwif = init_hwif_it821x,
32661diff -urNp linux-2.6.32.48/drivers/ide/jmicron.c linux-2.6.32.48/drivers/ide/jmicron.c
32662--- linux-2.6.32.48/drivers/ide/jmicron.c 2011-11-08 19:02:43.000000000 -0500
32663+++ linux-2.6.32.48/drivers/ide/jmicron.c 2011-11-18 18:01:55.000000000 -0500
32664@@ -102,7 +102,7 @@ static const struct ide_port_ops jmicron
32665 .cable_detect = jmicron_cable_detect,
32666 };
32667
32668-static const struct ide_port_info jmicron_chipset __devinitdata = {
32669+static const struct ide_port_info jmicron_chipset __devinitconst = {
32670 .name = DRV_NAME,
32671 .enablebits = { { 0x40, 0x01, 0x01 }, { 0x40, 0x10, 0x10 } },
32672 .port_ops = &jmicron_port_ops,
32673diff -urNp linux-2.6.32.48/drivers/ide/ns87415.c linux-2.6.32.48/drivers/ide/ns87415.c
32674--- linux-2.6.32.48/drivers/ide/ns87415.c 2011-11-08 19:02:43.000000000 -0500
32675+++ linux-2.6.32.48/drivers/ide/ns87415.c 2011-11-18 18:01:55.000000000 -0500
32676@@ -293,7 +293,7 @@ static const struct ide_dma_ops ns87415_
32677 .dma_sff_read_status = superio_dma_sff_read_status,
32678 };
32679
32680-static const struct ide_port_info ns87415_chipset __devinitdata = {
32681+static const struct ide_port_info ns87415_chipset __devinitconst = {
32682 .name = DRV_NAME,
32683 .init_hwif = init_hwif_ns87415,
32684 .tp_ops = &ns87415_tp_ops,
32685diff -urNp linux-2.6.32.48/drivers/ide/opti621.c linux-2.6.32.48/drivers/ide/opti621.c
32686--- linux-2.6.32.48/drivers/ide/opti621.c 2011-11-08 19:02:43.000000000 -0500
32687+++ linux-2.6.32.48/drivers/ide/opti621.c 2011-11-18 18:01:55.000000000 -0500
32688@@ -202,7 +202,7 @@ static const struct ide_port_ops opti621
32689 .set_pio_mode = opti621_set_pio_mode,
32690 };
32691
32692-static const struct ide_port_info opti621_chipset __devinitdata = {
32693+static const struct ide_port_info opti621_chipset __devinitconst = {
32694 .name = DRV_NAME,
32695 .enablebits = { {0x45, 0x80, 0x00}, {0x40, 0x08, 0x00} },
32696 .port_ops = &opti621_port_ops,
32697diff -urNp linux-2.6.32.48/drivers/ide/pdc202xx_new.c linux-2.6.32.48/drivers/ide/pdc202xx_new.c
32698--- linux-2.6.32.48/drivers/ide/pdc202xx_new.c 2011-11-08 19:02:43.000000000 -0500
32699+++ linux-2.6.32.48/drivers/ide/pdc202xx_new.c 2011-11-18 18:01:55.000000000 -0500
32700@@ -465,7 +465,7 @@ static const struct ide_port_ops pdcnew_
32701 .udma_mask = udma, \
32702 }
32703
32704-static const struct ide_port_info pdcnew_chipsets[] __devinitdata = {
32705+static const struct ide_port_info pdcnew_chipsets[] __devinitconst = {
32706 /* 0: PDC202{68,70} */ DECLARE_PDCNEW_DEV(ATA_UDMA5),
32707 /* 1: PDC202{69,71,75,76,77} */ DECLARE_PDCNEW_DEV(ATA_UDMA6),
32708 };
32709diff -urNp linux-2.6.32.48/drivers/ide/pdc202xx_old.c linux-2.6.32.48/drivers/ide/pdc202xx_old.c
32710--- linux-2.6.32.48/drivers/ide/pdc202xx_old.c 2011-11-08 19:02:43.000000000 -0500
32711+++ linux-2.6.32.48/drivers/ide/pdc202xx_old.c 2011-11-18 18:01:55.000000000 -0500
32712@@ -285,7 +285,7 @@ static const struct ide_dma_ops pdc2026x
32713 .max_sectors = sectors, \
32714 }
32715
32716-static const struct ide_port_info pdc202xx_chipsets[] __devinitdata = {
32717+static const struct ide_port_info pdc202xx_chipsets[] __devinitconst = {
32718 { /* 0: PDC20246 */
32719 .name = DRV_NAME,
32720 .init_chipset = init_chipset_pdc202xx,
32721diff -urNp linux-2.6.32.48/drivers/ide/piix.c linux-2.6.32.48/drivers/ide/piix.c
32722--- linux-2.6.32.48/drivers/ide/piix.c 2011-11-08 19:02:43.000000000 -0500
32723+++ linux-2.6.32.48/drivers/ide/piix.c 2011-11-18 18:01:55.000000000 -0500
32724@@ -344,7 +344,7 @@ static const struct ide_port_ops ich_por
32725 .udma_mask = udma, \
32726 }
32727
32728-static const struct ide_port_info piix_pci_info[] __devinitdata = {
32729+static const struct ide_port_info piix_pci_info[] __devinitconst = {
32730 /* 0: MPIIX */
32731 { /*
32732 * MPIIX actually has only a single IDE channel mapped to
32733diff -urNp linux-2.6.32.48/drivers/ide/rz1000.c linux-2.6.32.48/drivers/ide/rz1000.c
32734--- linux-2.6.32.48/drivers/ide/rz1000.c 2011-11-08 19:02:43.000000000 -0500
32735+++ linux-2.6.32.48/drivers/ide/rz1000.c 2011-11-18 18:01:55.000000000 -0500
32736@@ -38,7 +38,7 @@ static int __devinit rz1000_disable_read
32737 }
32738 }
32739
32740-static const struct ide_port_info rz1000_chipset __devinitdata = {
32741+static const struct ide_port_info rz1000_chipset __devinitconst = {
32742 .name = DRV_NAME,
32743 .host_flags = IDE_HFLAG_NO_DMA,
32744 };
32745diff -urNp linux-2.6.32.48/drivers/ide/sc1200.c linux-2.6.32.48/drivers/ide/sc1200.c
32746--- linux-2.6.32.48/drivers/ide/sc1200.c 2011-11-08 19:02:43.000000000 -0500
32747+++ linux-2.6.32.48/drivers/ide/sc1200.c 2011-11-18 18:01:55.000000000 -0500
32748@@ -290,7 +290,7 @@ static const struct ide_dma_ops sc1200_d
32749 .dma_sff_read_status = ide_dma_sff_read_status,
32750 };
32751
32752-static const struct ide_port_info sc1200_chipset __devinitdata = {
32753+static const struct ide_port_info sc1200_chipset __devinitconst = {
32754 .name = DRV_NAME,
32755 .port_ops = &sc1200_port_ops,
32756 .dma_ops = &sc1200_dma_ops,
32757diff -urNp linux-2.6.32.48/drivers/ide/scc_pata.c linux-2.6.32.48/drivers/ide/scc_pata.c
32758--- linux-2.6.32.48/drivers/ide/scc_pata.c 2011-11-08 19:02:43.000000000 -0500
32759+++ linux-2.6.32.48/drivers/ide/scc_pata.c 2011-11-18 18:01:55.000000000 -0500
32760@@ -811,7 +811,7 @@ static const struct ide_dma_ops scc_dma_
32761 .dma_sff_read_status = scc_dma_sff_read_status,
32762 };
32763
32764-static const struct ide_port_info scc_chipset __devinitdata = {
32765+static const struct ide_port_info scc_chipset __devinitconst = {
32766 .name = "sccIDE",
32767 .init_iops = init_iops_scc,
32768 .init_dma = scc_init_dma,
32769diff -urNp linux-2.6.32.48/drivers/ide/serverworks.c linux-2.6.32.48/drivers/ide/serverworks.c
32770--- linux-2.6.32.48/drivers/ide/serverworks.c 2011-11-08 19:02:43.000000000 -0500
32771+++ linux-2.6.32.48/drivers/ide/serverworks.c 2011-11-18 18:01:55.000000000 -0500
32772@@ -353,7 +353,7 @@ static const struct ide_port_ops svwks_p
32773 .cable_detect = svwks_cable_detect,
32774 };
32775
32776-static const struct ide_port_info serverworks_chipsets[] __devinitdata = {
32777+static const struct ide_port_info serverworks_chipsets[] __devinitconst = {
32778 { /* 0: OSB4 */
32779 .name = DRV_NAME,
32780 .init_chipset = init_chipset_svwks,
32781diff -urNp linux-2.6.32.48/drivers/ide/setup-pci.c linux-2.6.32.48/drivers/ide/setup-pci.c
32782--- linux-2.6.32.48/drivers/ide/setup-pci.c 2011-11-08 19:02:43.000000000 -0500
32783+++ linux-2.6.32.48/drivers/ide/setup-pci.c 2011-11-15 19:59:43.000000000 -0500
32784@@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
32785 int ret, i, n_ports = dev2 ? 4 : 2;
32786 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
32787
32788+ pax_track_stack();
32789+
32790 for (i = 0; i < n_ports / 2; i++) {
32791 ret = ide_setup_pci_controller(pdev[i], d, !i);
32792 if (ret < 0)
32793diff -urNp linux-2.6.32.48/drivers/ide/siimage.c linux-2.6.32.48/drivers/ide/siimage.c
32794--- linux-2.6.32.48/drivers/ide/siimage.c 2011-11-08 19:02:43.000000000 -0500
32795+++ linux-2.6.32.48/drivers/ide/siimage.c 2011-11-18 18:01:55.000000000 -0500
32796@@ -719,7 +719,7 @@ static const struct ide_dma_ops sil_dma_
32797 .udma_mask = ATA_UDMA6, \
32798 }
32799
32800-static const struct ide_port_info siimage_chipsets[] __devinitdata = {
32801+static const struct ide_port_info siimage_chipsets[] __devinitconst = {
32802 /* 0: SiI680 */ DECLARE_SII_DEV(&sil_pata_port_ops),
32803 /* 1: SiI3112 */ DECLARE_SII_DEV(&sil_sata_port_ops)
32804 };
32805diff -urNp linux-2.6.32.48/drivers/ide/sis5513.c linux-2.6.32.48/drivers/ide/sis5513.c
32806--- linux-2.6.32.48/drivers/ide/sis5513.c 2011-11-08 19:02:43.000000000 -0500
32807+++ linux-2.6.32.48/drivers/ide/sis5513.c 2011-11-18 18:01:55.000000000 -0500
32808@@ -561,7 +561,7 @@ static const struct ide_port_ops sis_ata
32809 .cable_detect = sis_cable_detect,
32810 };
32811
32812-static const struct ide_port_info sis5513_chipset __devinitdata = {
32813+static const struct ide_port_info sis5513_chipset __devinitconst = {
32814 .name = DRV_NAME,
32815 .init_chipset = init_chipset_sis5513,
32816 .enablebits = { {0x4a, 0x02, 0x02}, {0x4a, 0x04, 0x04} },
32817diff -urNp linux-2.6.32.48/drivers/ide/sl82c105.c linux-2.6.32.48/drivers/ide/sl82c105.c
32818--- linux-2.6.32.48/drivers/ide/sl82c105.c 2011-11-08 19:02:43.000000000 -0500
32819+++ linux-2.6.32.48/drivers/ide/sl82c105.c 2011-11-18 18:01:55.000000000 -0500
32820@@ -319,7 +319,7 @@ static const struct ide_dma_ops sl82c105
32821 .dma_sff_read_status = ide_dma_sff_read_status,
32822 };
32823
32824-static const struct ide_port_info sl82c105_chipset __devinitdata = {
32825+static const struct ide_port_info sl82c105_chipset __devinitconst = {
32826 .name = DRV_NAME,
32827 .init_chipset = init_chipset_sl82c105,
32828 .enablebits = {{0x40,0x01,0x01}, {0x40,0x10,0x10}},
32829diff -urNp linux-2.6.32.48/drivers/ide/slc90e66.c linux-2.6.32.48/drivers/ide/slc90e66.c
32830--- linux-2.6.32.48/drivers/ide/slc90e66.c 2011-11-08 19:02:43.000000000 -0500
32831+++ linux-2.6.32.48/drivers/ide/slc90e66.c 2011-11-18 18:01:55.000000000 -0500
32832@@ -131,7 +131,7 @@ static const struct ide_port_ops slc90e6
32833 .cable_detect = slc90e66_cable_detect,
32834 };
32835
32836-static const struct ide_port_info slc90e66_chipset __devinitdata = {
32837+static const struct ide_port_info slc90e66_chipset __devinitconst = {
32838 .name = DRV_NAME,
32839 .enablebits = { {0x41, 0x80, 0x80}, {0x43, 0x80, 0x80} },
32840 .port_ops = &slc90e66_port_ops,
32841diff -urNp linux-2.6.32.48/drivers/ide/tc86c001.c linux-2.6.32.48/drivers/ide/tc86c001.c
32842--- linux-2.6.32.48/drivers/ide/tc86c001.c 2011-11-08 19:02:43.000000000 -0500
32843+++ linux-2.6.32.48/drivers/ide/tc86c001.c 2011-11-18 18:01:55.000000000 -0500
32844@@ -190,7 +190,7 @@ static const struct ide_dma_ops tc86c001
32845 .dma_sff_read_status = ide_dma_sff_read_status,
32846 };
32847
32848-static const struct ide_port_info tc86c001_chipset __devinitdata = {
32849+static const struct ide_port_info tc86c001_chipset __devinitconst = {
32850 .name = DRV_NAME,
32851 .init_hwif = init_hwif_tc86c001,
32852 .port_ops = &tc86c001_port_ops,
32853diff -urNp linux-2.6.32.48/drivers/ide/triflex.c linux-2.6.32.48/drivers/ide/triflex.c
32854--- linux-2.6.32.48/drivers/ide/triflex.c 2011-11-08 19:02:43.000000000 -0500
32855+++ linux-2.6.32.48/drivers/ide/triflex.c 2011-11-18 18:01:55.000000000 -0500
32856@@ -92,7 +92,7 @@ static const struct ide_port_ops triflex
32857 .set_dma_mode = triflex_set_mode,
32858 };
32859
32860-static const struct ide_port_info triflex_device __devinitdata = {
32861+static const struct ide_port_info triflex_device __devinitconst = {
32862 .name = DRV_NAME,
32863 .enablebits = {{0x80, 0x01, 0x01}, {0x80, 0x02, 0x02}},
32864 .port_ops = &triflex_port_ops,
32865diff -urNp linux-2.6.32.48/drivers/ide/trm290.c linux-2.6.32.48/drivers/ide/trm290.c
32866--- linux-2.6.32.48/drivers/ide/trm290.c 2011-11-08 19:02:43.000000000 -0500
32867+++ linux-2.6.32.48/drivers/ide/trm290.c 2011-11-18 18:01:55.000000000 -0500
32868@@ -324,7 +324,7 @@ static struct ide_dma_ops trm290_dma_ops
32869 .dma_check = trm290_dma_check,
32870 };
32871
32872-static const struct ide_port_info trm290_chipset __devinitdata = {
32873+static const struct ide_port_info trm290_chipset __devinitconst = {
32874 .name = DRV_NAME,
32875 .init_hwif = init_hwif_trm290,
32876 .tp_ops = &trm290_tp_ops,
32877diff -urNp linux-2.6.32.48/drivers/ide/via82cxxx.c linux-2.6.32.48/drivers/ide/via82cxxx.c
32878--- linux-2.6.32.48/drivers/ide/via82cxxx.c 2011-11-08 19:02:43.000000000 -0500
32879+++ linux-2.6.32.48/drivers/ide/via82cxxx.c 2011-11-18 18:01:55.000000000 -0500
32880@@ -374,7 +374,7 @@ static const struct ide_port_ops via_por
32881 .cable_detect = via82cxxx_cable_detect,
32882 };
32883
32884-static const struct ide_port_info via82cxxx_chipset __devinitdata = {
32885+static const struct ide_port_info via82cxxx_chipset __devinitconst = {
32886 .name = DRV_NAME,
32887 .init_chipset = init_chipset_via82cxxx,
32888 .enablebits = { { 0x40, 0x02, 0x02 }, { 0x40, 0x01, 0x01 } },
32889diff -urNp linux-2.6.32.48/drivers/ieee1394/dv1394.c linux-2.6.32.48/drivers/ieee1394/dv1394.c
32890--- linux-2.6.32.48/drivers/ieee1394/dv1394.c 2011-11-08 19:02:43.000000000 -0500
32891+++ linux-2.6.32.48/drivers/ieee1394/dv1394.c 2011-11-15 19:59:43.000000000 -0500
32892@@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
32893 based upon DIF section and sequence
32894 */
32895
32896-static void inline
32897+static inline void
32898 frame_put_packet (struct frame *f, struct packet *p)
32899 {
32900 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
32901diff -urNp linux-2.6.32.48/drivers/ieee1394/hosts.c linux-2.6.32.48/drivers/ieee1394/hosts.c
32902--- linux-2.6.32.48/drivers/ieee1394/hosts.c 2011-11-08 19:02:43.000000000 -0500
32903+++ linux-2.6.32.48/drivers/ieee1394/hosts.c 2011-11-15 19:59:43.000000000 -0500
32904@@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
32905 }
32906
32907 static struct hpsb_host_driver dummy_driver = {
32908+ .name = "dummy",
32909 .transmit_packet = dummy_transmit_packet,
32910 .devctl = dummy_devctl,
32911 .isoctl = dummy_isoctl
32912diff -urNp linux-2.6.32.48/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.48/drivers/ieee1394/init_ohci1394_dma.c
32913--- linux-2.6.32.48/drivers/ieee1394/init_ohci1394_dma.c 2011-11-08 19:02:43.000000000 -0500
32914+++ linux-2.6.32.48/drivers/ieee1394/init_ohci1394_dma.c 2011-11-15 19:59:43.000000000 -0500
32915@@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
32916 for (func = 0; func < 8; func++) {
32917 u32 class = read_pci_config(num,slot,func,
32918 PCI_CLASS_REVISION);
32919- if ((class == 0xffffffff))
32920+ if (class == 0xffffffff)
32921 continue; /* No device at this func */
32922
32923 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
32924diff -urNp linux-2.6.32.48/drivers/ieee1394/ohci1394.c linux-2.6.32.48/drivers/ieee1394/ohci1394.c
32925--- linux-2.6.32.48/drivers/ieee1394/ohci1394.c 2011-11-08 19:02:43.000000000 -0500
32926+++ linux-2.6.32.48/drivers/ieee1394/ohci1394.c 2011-11-15 19:59:43.000000000 -0500
32927@@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
32928 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
32929
32930 /* Module Parameters */
32931-static int phys_dma = 1;
32932+static int phys_dma;
32933 module_param(phys_dma, int, 0444);
32934-MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
32935+MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
32936
32937 static void dma_trm_tasklet(unsigned long data);
32938 static void dma_trm_reset(struct dma_trm_ctx *d);
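Review bot: With `phys_dma` now defaulting to 0, the parameter description is the only place an administrator learns what turning it back on means, and it still says only "Enable physical DMA". I would spell out the exposure, e.g. `MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0); when enabled, FireWire nodes can read and write host memory directly.");`. The permission is 0444, so the value is fixed at load time. The new default may therefore silently change behaviour for setups that relied on physical DMA, and that belongs in the patch's documentation.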
32939diff -urNp linux-2.6.32.48/drivers/ieee1394/sbp2.c linux-2.6.32.48/drivers/ieee1394/sbp2.c
32940--- linux-2.6.32.48/drivers/ieee1394/sbp2.c 2011-11-08 19:02:43.000000000 -0500
32941+++ linux-2.6.32.48/drivers/ieee1394/sbp2.c 2011-11-15 19:59:43.000000000 -0500
32942@@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
32943 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
32944 MODULE_LICENSE("GPL");
32945
32946-static int sbp2_module_init(void)
32947+static int __init sbp2_module_init(void)
32948 {
32949 int ret;
32950
32951diff -urNp linux-2.6.32.48/drivers/infiniband/core/cm.c linux-2.6.32.48/drivers/infiniband/core/cm.c
32952--- linux-2.6.32.48/drivers/infiniband/core/cm.c 2011-11-08 19:02:43.000000000 -0500
32953+++ linux-2.6.32.48/drivers/infiniband/core/cm.c 2011-11-15 19:59:43.000000000 -0500
32954@@ -112,7 +112,7 @@ static char const counter_group_names[CM
32955
32956 struct cm_counter_group {
32957 struct kobject obj;
32958- atomic_long_t counter[CM_ATTR_COUNT];
32959+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
32960 };
32961
32962 struct cm_counter_attribute {
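Review bot: The switch of `counter[]` in `struct cm_counter_group` to `atomic_long_unchecked_t` is undocumented, so nothing tells a later reader why these atomics are exempt from overflow checking. From their uses in the following cm.c hunks (duplicate, transmit and receive tallies, printed by cm_show_counter) they appear to be pure statistics that can wrap harmlessly. A comment on the field such as `/* statistics only, not a reference count: may wrap */` would record that and warn against reusing the field for anything lifetime-related. The `_unchecked` helpers are defined elsewhere in the patch and are not visible here.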
32963@@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
32964 struct ib_mad_send_buf *msg = NULL;
32965 int ret;
32966
32967- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32968+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32969 counter[CM_REQ_COUNTER]);
32970
32971 /* Quick state check to discard duplicate REQs. */
32972@@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
32973 if (!cm_id_priv)
32974 return;
32975
32976- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32977+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32978 counter[CM_REP_COUNTER]);
32979 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
32980 if (ret)
32981@@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
32982 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
32983 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
32984 spin_unlock_irq(&cm_id_priv->lock);
32985- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32986+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32987 counter[CM_RTU_COUNTER]);
32988 goto out;
32989 }
32990@@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
32991 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
32992 dreq_msg->local_comm_id);
32993 if (!cm_id_priv) {
32994- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
32995+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
32996 counter[CM_DREQ_COUNTER]);
32997 cm_issue_drep(work->port, work->mad_recv_wc);
32998 return -EINVAL;
32999@@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
33000 case IB_CM_MRA_REP_RCVD:
33001 break;
33002 case IB_CM_TIMEWAIT:
33003- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33004+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33005 counter[CM_DREQ_COUNTER]);
33006 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
33007 goto unlock;
33008@@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
33009 cm_free_msg(msg);
33010 goto deref;
33011 case IB_CM_DREQ_RCVD:
33012- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33013+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33014 counter[CM_DREQ_COUNTER]);
33015 goto unlock;
33016 default:
33017@@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
33018 ib_modify_mad(cm_id_priv->av.port->mad_agent,
33019 cm_id_priv->msg, timeout)) {
33020 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
33021- atomic_long_inc(&work->port->
33022+ atomic_long_inc_unchecked(&work->port->
33023 counter_group[CM_RECV_DUPLICATES].
33024 counter[CM_MRA_COUNTER]);
33025 goto out;
33026@@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
33027 break;
33028 case IB_CM_MRA_REQ_RCVD:
33029 case IB_CM_MRA_REP_RCVD:
33030- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33031+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33032 counter[CM_MRA_COUNTER]);
33033 /* fall through */
33034 default:
33035@@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
33036 case IB_CM_LAP_IDLE:
33037 break;
33038 case IB_CM_MRA_LAP_SENT:
33039- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33040+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33041 counter[CM_LAP_COUNTER]);
33042 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
33043 goto unlock;
33044@@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
33045 cm_free_msg(msg);
33046 goto deref;
33047 case IB_CM_LAP_RCVD:
33048- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33049+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33050 counter[CM_LAP_COUNTER]);
33051 goto unlock;
33052 default:
33053@@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
33054 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
33055 if (cur_cm_id_priv) {
33056 spin_unlock_irq(&cm.lock);
33057- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
33058+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
33059 counter[CM_SIDR_REQ_COUNTER]);
33060 goto out; /* Duplicate message. */
33061 }
33062@@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
33063 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
33064 msg->retries = 1;
33065
33066- atomic_long_add(1 + msg->retries,
33067+ atomic_long_add_unchecked(1 + msg->retries,
33068 &port->counter_group[CM_XMIT].counter[attr_index]);
33069 if (msg->retries)
33070- atomic_long_add(msg->retries,
33071+ atomic_long_add_unchecked(msg->retries,
33072 &port->counter_group[CM_XMIT_RETRIES].
33073 counter[attr_index]);
33074
33075@@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
33076 }
33077
33078 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
33079- atomic_long_inc(&port->counter_group[CM_RECV].
33080+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
33081 counter[attr_id - CM_ATTR_ID_OFFSET]);
33082
33083 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
33084@@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
33085 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
33086
33087 return sprintf(buf, "%ld\n",
33088- atomic_long_read(&group->counter[cm_attr->index]));
33089+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
33090 }
33091
33092-static struct sysfs_ops cm_counter_ops = {
33093+static const struct sysfs_ops cm_counter_ops = {
33094 .show = cm_show_counter
33095 };
33096
33097diff -urNp linux-2.6.32.48/drivers/infiniband/core/fmr_pool.c linux-2.6.32.48/drivers/infiniband/core/fmr_pool.c
33098--- linux-2.6.32.48/drivers/infiniband/core/fmr_pool.c 2011-11-08 19:02:43.000000000 -0500
33099+++ linux-2.6.32.48/drivers/infiniband/core/fmr_pool.c 2011-11-15 19:59:43.000000000 -0500
33100@@ -97,8 +97,8 @@ struct ib_fmr_pool {
33101
33102 struct task_struct *thread;
33103
33104- atomic_t req_ser;
33105- atomic_t flush_ser;
33106+ atomic_unchecked_t req_ser;
33107+ atomic_unchecked_t flush_ser;
33108
33109 wait_queue_head_t force_wait;
33110 };
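Review bot: `req_ser` and `flush_ser` become `atomic_unchecked_t` without a comment, although the reason is specific to how they are used. The later hunks compare them by signed difference (`atomic_read_unchecked(&pool->flush_ser) - serial >= 0`), which only works if the serials are allowed to wrap. I would add `/* serial numbers, compared by signed difference; wraparound is intended */` above the two fields. The comparison still subtracts plain `int` values, so it relies on the kernel being built with wrapping signed arithmetic, which is worth confirming for this tree.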
33111@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
33112 struct ib_fmr_pool *pool = pool_ptr;
33113
33114 do {
33115- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
33116+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
33117 ib_fmr_batch_release(pool);
33118
33119- atomic_inc(&pool->flush_ser);
33120+ atomic_inc_unchecked(&pool->flush_ser);
33121 wake_up_interruptible(&pool->force_wait);
33122
33123 if (pool->flush_function)
33124@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
33125 }
33126
33127 set_current_state(TASK_INTERRUPTIBLE);
33128- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
33129+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
33130 !kthread_should_stop())
33131 schedule();
33132 __set_current_state(TASK_RUNNING);
33133@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
33134 pool->dirty_watermark = params->dirty_watermark;
33135 pool->dirty_len = 0;
33136 spin_lock_init(&pool->pool_lock);
33137- atomic_set(&pool->req_ser, 0);
33138- atomic_set(&pool->flush_ser, 0);
33139+ atomic_set_unchecked(&pool->req_ser, 0);
33140+ atomic_set_unchecked(&pool->flush_ser, 0);
33141 init_waitqueue_head(&pool->force_wait);
33142
33143 pool->thread = kthread_run(ib_fmr_cleanup_thread,
33144@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
33145 }
33146 spin_unlock_irq(&pool->pool_lock);
33147
33148- serial = atomic_inc_return(&pool->req_ser);
33149+ serial = atomic_inc_return_unchecked(&pool->req_ser);
33150 wake_up_process(pool->thread);
33151
33152 if (wait_event_interruptible(pool->force_wait,
33153- atomic_read(&pool->flush_ser) - serial >= 0))
33154+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
33155 return -EINTR;
33156
33157 return 0;
33158@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
33159 } else {
33160 list_add_tail(&fmr->list, &pool->dirty_list);
33161 if (++pool->dirty_len >= pool->dirty_watermark) {
33162- atomic_inc(&pool->req_ser);
33163+ atomic_inc_unchecked(&pool->req_ser);
33164 wake_up_process(pool->thread);
33165 }
33166 }
33167diff -urNp linux-2.6.32.48/drivers/infiniband/core/sysfs.c linux-2.6.32.48/drivers/infiniband/core/sysfs.c
33168--- linux-2.6.32.48/drivers/infiniband/core/sysfs.c 2011-11-08 19:02:43.000000000 -0500
33169+++ linux-2.6.32.48/drivers/infiniband/core/sysfs.c 2011-11-15 19:59:43.000000000 -0500
33170@@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
33171 return port_attr->show(p, port_attr, buf);
33172 }
33173
33174-static struct sysfs_ops port_sysfs_ops = {
33175+static const struct sysfs_ops port_sysfs_ops = {
33176 .show = port_attr_show
33177 };
33178
33179diff -urNp linux-2.6.32.48/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.48/drivers/infiniband/core/uverbs_marshall.c
33180--- linux-2.6.32.48/drivers/infiniband/core/uverbs_marshall.c 2011-11-08 19:02:43.000000000 -0500
33181+++ linux-2.6.32.48/drivers/infiniband/core/uverbs_marshall.c 2011-11-15 19:59:43.000000000 -0500
33182@@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
33183 dst->grh.sgid_index = src->grh.sgid_index;
33184 dst->grh.hop_limit = src->grh.hop_limit;
33185 dst->grh.traffic_class = src->grh.traffic_class;
33186+ memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
33187 dst->dlid = src->dlid;
33188 dst->sl = src->sl;
33189 dst->src_path_bits = src->src_path_bits;
33190 dst->static_rate = src->static_rate;
33191 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
33192 dst->port_num = src->port_num;
33193+ dst->reserved = 0;
33194 }
33195 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
33196
33197 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
33198 struct ib_qp_attr *src)
33199 {
33200+ dst->qp_state = src->qp_state;
33201 dst->cur_qp_state = src->cur_qp_state;
33202 dst->path_mtu = src->path_mtu;
33203 dst->path_mig_state = src->path_mig_state;
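Review bot: Zeroing `dst->grh.reserved` and `dst->reserved` one field at a time in ib_copy_ah_attr_to_user still leaves any compiler padding, and any field a later change forgets, holding whatever was in the caller's buffer when the struct is copied to user space. Clearing the whole destination first, with `memset(dst, 0, sizeof(*dst));` as the first statement of each function, closes the leak by construction. It would also cover the `qp_state` assignment added to ib_copy_qp_attr_to_user here and the `memset(dst->reserved, ...)` added in the next hunk. Whether these structs actually contain padding is not visible in the diff, so that part needs confirming against the header. ib_copy_ah_attr_to_user starts before the hunk and ib_copy_qp_attr_to_user continues past it.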
33204@@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
33205 dst->rnr_retry = src->rnr_retry;
33206 dst->alt_port_num = src->alt_port_num;
33207 dst->alt_timeout = src->alt_timeout;
33208+ memset(dst->reserved, 0, sizeof(dst->reserved));
33209 }
33210 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
33211
33212diff -urNp linux-2.6.32.48/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.48/drivers/infiniband/hw/ipath/ipath_fs.c
33213--- linux-2.6.32.48/drivers/infiniband/hw/ipath/ipath_fs.c 2011-11-08 19:02:43.000000000 -0500
33214+++ linux-2.6.32.48/drivers/infiniband/hw/ipath/ipath_fs.c 2011-11-15 19:59:43.000000000 -0500
33215@@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
33216 struct infinipath_counters counters;
33217 struct ipath_devdata *dd;
33218
33219+ pax_track_stack();
33220+
33221 dd = file->f_path.dentry->d_inode->i_private;
33222 dd->ipath_f_read_counters(dd, &counters);
33223
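Review bot: The `pax_track_stack();` call added at the top of atomic_counters_read has no comment saying why this function needs one. Judging by the declarations above it, the trigger appears to be the on-stack `struct infinipath_counters counters`. A short comment such as `/* large stack frame: record stack depth for PaX STACKLEAK */` would let a maintainer tell whether the call is still needed if that local is later moved off the stack. The same applies to the other `pax_track_stack()` insertions further down (sw_read, capidtmf_recv_block, the connect_didd variants, sig_ind, add_b1, add_b23, group_optimization). The function body continues outside the hunk.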
33224diff -urNp linux-2.6.32.48/drivers/infiniband/hw/nes/nes.c linux-2.6.32.48/drivers/infiniband/hw/nes/nes.c
33225--- linux-2.6.32.48/drivers/infiniband/hw/nes/nes.c 2011-11-08 19:02:43.000000000 -0500
33226+++ linux-2.6.32.48/drivers/infiniband/hw/nes/nes.c 2011-11-15 19:59:43.000000000 -0500
33227@@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
33228 LIST_HEAD(nes_adapter_list);
33229 static LIST_HEAD(nes_dev_list);
33230
33231-atomic_t qps_destroyed;
33232+atomic_unchecked_t qps_destroyed;
33233
33234 static unsigned int ee_flsh_adapter;
33235 static unsigned int sysfs_nonidx_addr;
33236@@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
33237 struct nes_adapter *nesadapter = nesdev->nesadapter;
33238 u32 qp_id;
33239
33240- atomic_inc(&qps_destroyed);
33241+ atomic_inc_unchecked(&qps_destroyed);
33242
33243 /* Free the control structures */
33244
33245diff -urNp linux-2.6.32.48/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.48/drivers/infiniband/hw/nes/nes_cm.c
33246--- linux-2.6.32.48/drivers/infiniband/hw/nes/nes_cm.c 2011-11-08 19:02:43.000000000 -0500
33247+++ linux-2.6.32.48/drivers/infiniband/hw/nes/nes_cm.c 2011-11-15 19:59:43.000000000 -0500
33248@@ -69,11 +69,11 @@ u32 cm_packets_received;
33249 u32 cm_listens_created;
33250 u32 cm_listens_destroyed;
33251 u32 cm_backlog_drops;
33252-atomic_t cm_loopbacks;
33253-atomic_t cm_nodes_created;
33254-atomic_t cm_nodes_destroyed;
33255-atomic_t cm_accel_dropped_pkts;
33256-atomic_t cm_resets_recvd;
33257+atomic_unchecked_t cm_loopbacks;
33258+atomic_unchecked_t cm_nodes_created;
33259+atomic_unchecked_t cm_nodes_destroyed;
33260+atomic_unchecked_t cm_accel_dropped_pkts;
33261+atomic_unchecked_t cm_resets_recvd;
33262
33263 static inline int mini_cm_accelerated(struct nes_cm_core *,
33264 struct nes_cm_node *);
33265@@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
33266
33267 static struct nes_cm_core *g_cm_core;
33268
33269-atomic_t cm_connects;
33270-atomic_t cm_accepts;
33271-atomic_t cm_disconnects;
33272-atomic_t cm_closes;
33273-atomic_t cm_connecteds;
33274-atomic_t cm_connect_reqs;
33275-atomic_t cm_rejects;
33276+atomic_unchecked_t cm_connects;
33277+atomic_unchecked_t cm_accepts;
33278+atomic_unchecked_t cm_disconnects;
33279+atomic_unchecked_t cm_closes;
33280+atomic_unchecked_t cm_connecteds;
33281+atomic_unchecked_t cm_connect_reqs;
33282+atomic_unchecked_t cm_rejects;
33283
33284
33285 /**
33286@@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
33287 cm_node->rem_mac);
33288
33289 add_hte_node(cm_core, cm_node);
33290- atomic_inc(&cm_nodes_created);
33291+ atomic_inc_unchecked(&cm_nodes_created);
33292
33293 return cm_node;
33294 }
33295@@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
33296 }
33297
33298 atomic_dec(&cm_core->node_cnt);
33299- atomic_inc(&cm_nodes_destroyed);
33300+ atomic_inc_unchecked(&cm_nodes_destroyed);
33301 nesqp = cm_node->nesqp;
33302 if (nesqp) {
33303 nesqp->cm_node = NULL;
33304@@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
33305
33306 static void drop_packet(struct sk_buff *skb)
33307 {
33308- atomic_inc(&cm_accel_dropped_pkts);
33309+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
33310 dev_kfree_skb_any(skb);
33311 }
33312
33313@@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
33314
33315 int reset = 0; /* whether to send reset in case of err.. */
33316 int passive_state;
33317- atomic_inc(&cm_resets_recvd);
33318+ atomic_inc_unchecked(&cm_resets_recvd);
33319 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
33320 " refcnt=%d\n", cm_node, cm_node->state,
33321 atomic_read(&cm_node->ref_count));
33322@@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
33323 rem_ref_cm_node(cm_node->cm_core, cm_node);
33324 return NULL;
33325 }
33326- atomic_inc(&cm_loopbacks);
33327+ atomic_inc_unchecked(&cm_loopbacks);
33328 loopbackremotenode->loopbackpartner = cm_node;
33329 loopbackremotenode->tcp_cntxt.rcv_wscale =
33330 NES_CM_DEFAULT_RCV_WND_SCALE;
33331@@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
33332 add_ref_cm_node(cm_node);
33333 } else if (cm_node->state == NES_CM_STATE_TSA) {
33334 rem_ref_cm_node(cm_core, cm_node);
33335- atomic_inc(&cm_accel_dropped_pkts);
33336+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
33337 dev_kfree_skb_any(skb);
33338 break;
33339 }
33340@@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
33341
33342 if ((cm_id) && (cm_id->event_handler)) {
33343 if (issue_disconn) {
33344- atomic_inc(&cm_disconnects);
33345+ atomic_inc_unchecked(&cm_disconnects);
33346 cm_event.event = IW_CM_EVENT_DISCONNECT;
33347 cm_event.status = disconn_status;
33348 cm_event.local_addr = cm_id->local_addr;
33349@@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
33350 }
33351
33352 if (issue_close) {
33353- atomic_inc(&cm_closes);
33354+ atomic_inc_unchecked(&cm_closes);
33355 nes_disconnect(nesqp, 1);
33356
33357 cm_id->provider_data = nesqp;
33358@@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
33359
33360 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
33361 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
33362- atomic_inc(&cm_accepts);
33363+ atomic_inc_unchecked(&cm_accepts);
33364
33365 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
33366 atomic_read(&nesvnic->netdev->refcnt));
33367@@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
33368
33369 struct nes_cm_core *cm_core;
33370
33371- atomic_inc(&cm_rejects);
33372+ atomic_inc_unchecked(&cm_rejects);
33373 cm_node = (struct nes_cm_node *) cm_id->provider_data;
33374 loopback = cm_node->loopbackpartner;
33375 cm_core = cm_node->cm_core;
33376@@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
33377 ntohl(cm_id->local_addr.sin_addr.s_addr),
33378 ntohs(cm_id->local_addr.sin_port));
33379
33380- atomic_inc(&cm_connects);
33381+ atomic_inc_unchecked(&cm_connects);
33382 nesqp->active_conn = 1;
33383
33384 /* cache the cm_id in the qp */
33385@@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
33386 if (nesqp->destroyed) {
33387 return;
33388 }
33389- atomic_inc(&cm_connecteds);
33390+ atomic_inc_unchecked(&cm_connecteds);
33391 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
33392 " local port 0x%04X. jiffies = %lu.\n",
33393 nesqp->hwqp.qp_id,
33394@@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
33395
33396 ret = cm_id->event_handler(cm_id, &cm_event);
33397 cm_id->add_ref(cm_id);
33398- atomic_inc(&cm_closes);
33399+ atomic_inc_unchecked(&cm_closes);
33400 cm_event.event = IW_CM_EVENT_CLOSE;
33401 cm_event.status = IW_CM_EVENT_STATUS_OK;
33402 cm_event.provider_data = cm_id->provider_data;
33403@@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
33404 return;
33405 cm_id = cm_node->cm_id;
33406
33407- atomic_inc(&cm_connect_reqs);
33408+ atomic_inc_unchecked(&cm_connect_reqs);
33409 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
33410 cm_node, cm_id, jiffies);
33411
33412@@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
33413 return;
33414 cm_id = cm_node->cm_id;
33415
33416- atomic_inc(&cm_connect_reqs);
33417+ atomic_inc_unchecked(&cm_connect_reqs);
33418 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
33419 cm_node, cm_id, jiffies);
33420
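Review bot: cm_event_mpa_reject increments `cm_connect_reqs`, the same counter cm_event_mpa_req bumps in the previous hunk, and the conversion to `atomic_inc_unchecked` carries that over unchanged. As far as this diff shows, `cm_rejects` is incremented only in nes_reject, so if the reject event was meant to be counted separately, the ethtool statistics built from these counters will over-report connect requests. This may be deliberate in the driver, so confirm the intent before changing it; if a reject count is wanted the line would be `atomic_inc_unchecked(&cm_rejects);`. The function starts and ends outside the hunk.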
33421diff -urNp linux-2.6.32.48/drivers/infiniband/hw/nes/nes.h linux-2.6.32.48/drivers/infiniband/hw/nes/nes.h
33422--- linux-2.6.32.48/drivers/infiniband/hw/nes/nes.h 2011-11-08 19:02:43.000000000 -0500
33423+++ linux-2.6.32.48/drivers/infiniband/hw/nes/nes.h 2011-11-15 19:59:43.000000000 -0500
33424@@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
33425 extern unsigned int wqm_quanta;
33426 extern struct list_head nes_adapter_list;
33427
33428-extern atomic_t cm_connects;
33429-extern atomic_t cm_accepts;
33430-extern atomic_t cm_disconnects;
33431-extern atomic_t cm_closes;
33432-extern atomic_t cm_connecteds;
33433-extern atomic_t cm_connect_reqs;
33434-extern atomic_t cm_rejects;
33435-extern atomic_t mod_qp_timouts;
33436-extern atomic_t qps_created;
33437-extern atomic_t qps_destroyed;
33438-extern atomic_t sw_qps_destroyed;
33439+extern atomic_unchecked_t cm_connects;
33440+extern atomic_unchecked_t cm_accepts;
33441+extern atomic_unchecked_t cm_disconnects;
33442+extern atomic_unchecked_t cm_closes;
33443+extern atomic_unchecked_t cm_connecteds;
33444+extern atomic_unchecked_t cm_connect_reqs;
33445+extern atomic_unchecked_t cm_rejects;
33446+extern atomic_unchecked_t mod_qp_timouts;
33447+extern atomic_unchecked_t qps_created;
33448+extern atomic_unchecked_t qps_destroyed;
33449+extern atomic_unchecked_t sw_qps_destroyed;
33450 extern u32 mh_detected;
33451 extern u32 mh_pauses_sent;
33452 extern u32 cm_packets_sent;
33453@@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
33454 extern u32 cm_listens_created;
33455 extern u32 cm_listens_destroyed;
33456 extern u32 cm_backlog_drops;
33457-extern atomic_t cm_loopbacks;
33458-extern atomic_t cm_nodes_created;
33459-extern atomic_t cm_nodes_destroyed;
33460-extern atomic_t cm_accel_dropped_pkts;
33461-extern atomic_t cm_resets_recvd;
33462+extern atomic_unchecked_t cm_loopbacks;
33463+extern atomic_unchecked_t cm_nodes_created;
33464+extern atomic_unchecked_t cm_nodes_destroyed;
33465+extern atomic_unchecked_t cm_accel_dropped_pkts;
33466+extern atomic_unchecked_t cm_resets_recvd;
33467
33468 extern u32 int_mod_timer_init;
33469 extern u32 int_mod_cq_depth_256;
33470diff -urNp linux-2.6.32.48/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.48/drivers/infiniband/hw/nes/nes_nic.c
33471--- linux-2.6.32.48/drivers/infiniband/hw/nes/nes_nic.c 2011-11-08 19:02:43.000000000 -0500
33472+++ linux-2.6.32.48/drivers/infiniband/hw/nes/nes_nic.c 2011-11-15 19:59:43.000000000 -0500
33473@@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
33474 target_stat_values[++index] = mh_detected;
33475 target_stat_values[++index] = mh_pauses_sent;
33476 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
33477- target_stat_values[++index] = atomic_read(&cm_connects);
33478- target_stat_values[++index] = atomic_read(&cm_accepts);
33479- target_stat_values[++index] = atomic_read(&cm_disconnects);
33480- target_stat_values[++index] = atomic_read(&cm_connecteds);
33481- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
33482- target_stat_values[++index] = atomic_read(&cm_rejects);
33483- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
33484- target_stat_values[++index] = atomic_read(&qps_created);
33485- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
33486- target_stat_values[++index] = atomic_read(&qps_destroyed);
33487- target_stat_values[++index] = atomic_read(&cm_closes);
33488+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
33489+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
33490+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
33491+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
33492+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
33493+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
33494+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
33495+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
33496+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
33497+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
33498+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
33499 target_stat_values[++index] = cm_packets_sent;
33500 target_stat_values[++index] = cm_packets_bounced;
33501 target_stat_values[++index] = cm_packets_created;
33502@@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
33503 target_stat_values[++index] = cm_listens_created;
33504 target_stat_values[++index] = cm_listens_destroyed;
33505 target_stat_values[++index] = cm_backlog_drops;
33506- target_stat_values[++index] = atomic_read(&cm_loopbacks);
33507- target_stat_values[++index] = atomic_read(&cm_nodes_created);
33508- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
33509- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
33510- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
33511+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
33512+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
33513+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
33514+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
33515+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
33516 target_stat_values[++index] = int_mod_timer_init;
33517 target_stat_values[++index] = int_mod_cq_depth_1;
33518 target_stat_values[++index] = int_mod_cq_depth_4;
33519diff -urNp linux-2.6.32.48/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.48/drivers/infiniband/hw/nes/nes_verbs.c
33520--- linux-2.6.32.48/drivers/infiniband/hw/nes/nes_verbs.c 2011-11-08 19:02:43.000000000 -0500
33521+++ linux-2.6.32.48/drivers/infiniband/hw/nes/nes_verbs.c 2011-11-15 19:59:43.000000000 -0500
33522@@ -45,9 +45,9 @@
33523
33524 #include <rdma/ib_umem.h>
33525
33526-atomic_t mod_qp_timouts;
33527-atomic_t qps_created;
33528-atomic_t sw_qps_destroyed;
33529+atomic_unchecked_t mod_qp_timouts;
33530+atomic_unchecked_t qps_created;
33531+atomic_unchecked_t sw_qps_destroyed;
33532
33533 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
33534
33535@@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
33536 if (init_attr->create_flags)
33537 return ERR_PTR(-EINVAL);
33538
33539- atomic_inc(&qps_created);
33540+ atomic_inc_unchecked(&qps_created);
33541 switch (init_attr->qp_type) {
33542 case IB_QPT_RC:
33543 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
33544@@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
33545 struct iw_cm_event cm_event;
33546 int ret;
33547
33548- atomic_inc(&sw_qps_destroyed);
33549+ atomic_inc_unchecked(&sw_qps_destroyed);
33550 nesqp->destroyed = 1;
33551
33552 /* Blow away the connection if it exists. */
33553diff -urNp linux-2.6.32.48/drivers/input/gameport/gameport.c linux-2.6.32.48/drivers/input/gameport/gameport.c
33554--- linux-2.6.32.48/drivers/input/gameport/gameport.c 2011-11-08 19:02:43.000000000 -0500
33555+++ linux-2.6.32.48/drivers/input/gameport/gameport.c 2011-11-15 19:59:43.000000000 -0500
33556@@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
33557 */
33558 static void gameport_init_port(struct gameport *gameport)
33559 {
33560- static atomic_t gameport_no = ATOMIC_INIT(0);
33561+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
33562
33563 __module_get(THIS_MODULE);
33564
33565 mutex_init(&gameport->drv_mutex);
33566 device_initialize(&gameport->dev);
33567- dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
33568+ dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
33569 gameport->dev.bus = &gameport_bus;
33570 gameport->dev.release = gameport_release_port;
33571 if (gameport->parent)
33572diff -urNp linux-2.6.32.48/drivers/input/input.c linux-2.6.32.48/drivers/input/input.c
33573--- linux-2.6.32.48/drivers/input/input.c 2011-11-08 19:02:43.000000000 -0500
33574+++ linux-2.6.32.48/drivers/input/input.c 2011-11-15 19:59:43.000000000 -0500
33575@@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
33576 */
33577 int input_register_device(struct input_dev *dev)
33578 {
33579- static atomic_t input_no = ATOMIC_INIT(0);
33580+ static atomic_unchecked_t input_no = ATOMIC_INIT(0);
33581 struct input_handler *handler;
33582 const char *path;
33583 int error;
33584@@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
33585 dev->setkeycode = input_default_setkeycode;
33586
33587 dev_set_name(&dev->dev, "input%ld",
33588- (unsigned long) atomic_inc_return(&input_no) - 1);
33589+ (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
33590
33591 error = device_add(&dev->dev);
33592 if (error)
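Review bot: The device number in the `dev_set_name` call is cast to `unsigned long` but printed with `%ld`, a signedness mismatch between format and argument that the changed line keeps. Now that the counter is explicitly allowed to wrap, the two should agree: either `"input%lu"` with the existing cast, as gameport_init_port does, or a `(long)` cast with `%ld`, as serio_init_port does. After a wrap the generated name could also repeat one already registered, so the `device_add` error path just below is what has to catch the duplicate. input_register_device continues outside the hunk.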
33593diff -urNp linux-2.6.32.48/drivers/input/joystick/sidewinder.c linux-2.6.32.48/drivers/input/joystick/sidewinder.c
33594--- linux-2.6.32.48/drivers/input/joystick/sidewinder.c 2011-11-08 19:02:43.000000000 -0500
33595+++ linux-2.6.32.48/drivers/input/joystick/sidewinder.c 2011-11-15 19:59:43.000000000 -0500
33596@@ -30,6 +30,7 @@
33597 #include <linux/kernel.h>
33598 #include <linux/module.h>
33599 #include <linux/slab.h>
33600+#include <linux/sched.h>
33601 #include <linux/init.h>
33602 #include <linux/input.h>
33603 #include <linux/gameport.h>
33604@@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
33605 unsigned char buf[SW_LENGTH];
33606 int i;
33607
33608+ pax_track_stack();
33609+
33610 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
33611
33612 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
33613diff -urNp linux-2.6.32.48/drivers/input/joystick/xpad.c linux-2.6.32.48/drivers/input/joystick/xpad.c
33614--- linux-2.6.32.48/drivers/input/joystick/xpad.c 2011-11-08 19:02:43.000000000 -0500
33615+++ linux-2.6.32.48/drivers/input/joystick/xpad.c 2011-11-15 19:59:43.000000000 -0500
33616@@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
33617
33618 static int xpad_led_probe(struct usb_xpad *xpad)
33619 {
33620- static atomic_t led_seq = ATOMIC_INIT(0);
33621+ static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
33622 long led_no;
33623 struct xpad_led *led;
33624 struct led_classdev *led_cdev;
33625@@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
33626 if (!led)
33627 return -ENOMEM;
33628
33629- led_no = (long)atomic_inc_return(&led_seq) - 1;
33630+ led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
33631
33632 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
33633 led->xpad = xpad;
33634diff -urNp linux-2.6.32.48/drivers/input/serio/serio.c linux-2.6.32.48/drivers/input/serio/serio.c
33635--- linux-2.6.32.48/drivers/input/serio/serio.c 2011-11-08 19:02:43.000000000 -0500
33636+++ linux-2.6.32.48/drivers/input/serio/serio.c 2011-11-15 19:59:43.000000000 -0500
33637@@ -527,7 +527,7 @@ static void serio_release_port(struct de
33638 */
33639 static void serio_init_port(struct serio *serio)
33640 {
33641- static atomic_t serio_no = ATOMIC_INIT(0);
33642+ static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
33643
33644 __module_get(THIS_MODULE);
33645
33646@@ -536,7 +536,7 @@ static void serio_init_port(struct serio
33647 mutex_init(&serio->drv_mutex);
33648 device_initialize(&serio->dev);
33649 dev_set_name(&serio->dev, "serio%ld",
33650- (long)atomic_inc_return(&serio_no) - 1);
33651+ (long)atomic_inc_return_unchecked(&serio_no) - 1);
33652 serio->dev.bus = &serio_bus;
33653 serio->dev.release = serio_release_port;
33654 if (serio->parent) {
33655diff -urNp linux-2.6.32.48/drivers/isdn/gigaset/common.c linux-2.6.32.48/drivers/isdn/gigaset/common.c
33656--- linux-2.6.32.48/drivers/isdn/gigaset/common.c 2011-11-08 19:02:43.000000000 -0500
33657+++ linux-2.6.32.48/drivers/isdn/gigaset/common.c 2011-11-15 19:59:43.000000000 -0500
33658@@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
33659 cs->commands_pending = 0;
33660 cs->cur_at_seq = 0;
33661 cs->gotfwver = -1;
33662- cs->open_count = 0;
33663+ local_set(&cs->open_count, 0);
33664 cs->dev = NULL;
33665 cs->tty = NULL;
33666 cs->tty_dev = NULL;
33667diff -urNp linux-2.6.32.48/drivers/isdn/gigaset/gigaset.h linux-2.6.32.48/drivers/isdn/gigaset/gigaset.h
33668--- linux-2.6.32.48/drivers/isdn/gigaset/gigaset.h 2011-11-08 19:02:43.000000000 -0500
33669+++ linux-2.6.32.48/drivers/isdn/gigaset/gigaset.h 2011-11-15 19:59:43.000000000 -0500
33670@@ -34,6 +34,7 @@
33671 #include <linux/tty_driver.h>
33672 #include <linux/list.h>
33673 #include <asm/atomic.h>
33674+#include <asm/local.h>
33675
33676 #define GIG_VERSION {0,5,0,0}
33677 #define GIG_COMPAT {0,4,0,0}
33678@@ -446,7 +447,7 @@ struct cardstate {
33679 spinlock_t cmdlock;
33680 unsigned curlen, cmdbytes;
33681
33682- unsigned open_count;
33683+ local_t open_count;
33684 struct tty_struct *tty;
33685 struct tasklet_struct if_wake_tasklet;
33686 unsigned control_state;
33687diff -urNp linux-2.6.32.48/drivers/isdn/gigaset/interface.c linux-2.6.32.48/drivers/isdn/gigaset/interface.c
33688--- linux-2.6.32.48/drivers/isdn/gigaset/interface.c 2011-11-08 19:02:43.000000000 -0500
33689+++ linux-2.6.32.48/drivers/isdn/gigaset/interface.c 2011-11-15 19:59:43.000000000 -0500
33690@@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
33691 return -ERESTARTSYS; // FIXME -EINTR?
33692 tty->driver_data = cs;
33693
33694- ++cs->open_count;
33695-
33696- if (cs->open_count == 1) {
33697+ if (local_inc_return(&cs->open_count) == 1) {
33698 spin_lock_irqsave(&cs->lock, flags);
33699 cs->tty = tty;
33700 spin_unlock_irqrestore(&cs->lock, flags);
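Review bot: `local_t` operations are atomic only with respect to the CPU they run on, so `local_inc_return(&cs->open_count)` here, and the `local_read()` / `local_dec_return()` pair in if_close, do not by themselves protect a counter that lives in the shared `struct cardstate`. The `-ERESTARTSYS` return just above suggests a lock is taken before this point, but it is outside the hunk. If that lock covers every access, a comment on the field saying so (`/* protected by <lock name>; not updated concurrently */`) would make the choice of type safe to maintain; if it does not, `atomic_t` with `atomic_inc_return()` is the type with cross-CPU guarantees. if_close also reads the count and then decrements it as two separate steps, which is only correct under the same lock. if_open starts and ends outside the hunk.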
33701@@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
33702
33703 if (!cs->connected)
33704 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33705- else if (!cs->open_count)
33706+ else if (!local_read(&cs->open_count))
33707 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33708 else {
33709- if (!--cs->open_count) {
33710+ if (!local_dec_return(&cs->open_count)) {
33711 spin_lock_irqsave(&cs->lock, flags);
33712 cs->tty = NULL;
33713 spin_unlock_irqrestore(&cs->lock, flags);
33714@@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
33715 if (!cs->connected) {
33716 gig_dbg(DEBUG_IF, "not connected");
33717 retval = -ENODEV;
33718- } else if (!cs->open_count)
33719+ } else if (!local_read(&cs->open_count))
33720 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33721 else {
33722 retval = 0;
33723@@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
33724 if (!cs->connected) {
33725 gig_dbg(DEBUG_IF, "not connected");
33726 retval = -ENODEV;
33727- } else if (!cs->open_count)
33728+ } else if (!local_read(&cs->open_count))
33729 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33730 else if (cs->mstate != MS_LOCKED) {
33731 dev_warn(cs->dev, "can't write to unlocked device\n");
33732@@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
33733 if (!cs->connected) {
33734 gig_dbg(DEBUG_IF, "not connected");
33735 retval = -ENODEV;
33736- } else if (!cs->open_count)
33737+ } else if (!local_read(&cs->open_count))
33738 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33739 else if (cs->mstate != MS_LOCKED) {
33740 dev_warn(cs->dev, "can't write to unlocked device\n");
33741@@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
33742
33743 if (!cs->connected)
33744 gig_dbg(DEBUG_IF, "not connected");
33745- else if (!cs->open_count)
33746+ else if (!local_read(&cs->open_count))
33747 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33748 else if (cs->mstate != MS_LOCKED)
33749 dev_warn(cs->dev, "can't write to unlocked device\n");
33750@@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
33751
33752 if (!cs->connected)
33753 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33754- else if (!cs->open_count)
33755+ else if (!local_read(&cs->open_count))
33756 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33757 else {
33758 //FIXME
33759@@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
33760
33761 if (!cs->connected)
33762 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
33763- else if (!cs->open_count)
33764+ else if (!local_read(&cs->open_count))
33765 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33766 else {
33767 //FIXME
33768@@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
33769 goto out;
33770 }
33771
33772- if (!cs->open_count) {
33773+ if (!local_read(&cs->open_count)) {
33774 dev_warn(cs->dev, "%s: device not opened\n", __func__);
33775 goto out;
33776 }
33777diff -urNp linux-2.6.32.48/drivers/isdn/hardware/avm/b1.c linux-2.6.32.48/drivers/isdn/hardware/avm/b1.c
33778--- linux-2.6.32.48/drivers/isdn/hardware/avm/b1.c 2011-11-08 19:02:43.000000000 -0500
33779+++ linux-2.6.32.48/drivers/isdn/hardware/avm/b1.c 2011-11-15 19:59:43.000000000 -0500
33780@@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
33781 }
33782 if (left) {
33783 if (t4file->user) {
33784- if (copy_from_user(buf, dp, left))
33785+ if (left > sizeof buf || copy_from_user(buf, dp, left))
33786 return -EFAULT;
33787 } else {
33788 memcpy(buf, dp, left);
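Review bot: The new `left > sizeof buf` test guards only the copy_from_user() branch, while the `memcpy(buf, dp, left)` in the else branch writes into the same buffer with the same length and stays unchecked. Hoisting the test above the branch, as `if (left > sizeof buf) return -EFAULT;` directly after `if (left) {`, covers both paths. The identical pattern in b1_load_config in the next hunk needs the same move. Whether `left` can actually exceed the buffer at this point depends on the loop that precedes the hunk, which is not visible here. b1_load_t4file starts and ends outside the hunk.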
33789@@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
33790 }
33791 if (left) {
33792 if (config->user) {
33793- if (copy_from_user(buf, dp, left))
33794+ if (left > sizeof buf || copy_from_user(buf, dp, left))
33795 return -EFAULT;
33796 } else {
33797 memcpy(buf, dp, left);
33798diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.48/drivers/isdn/hardware/eicon/capidtmf.c
33799--- linux-2.6.32.48/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-08 19:02:43.000000000 -0500
33800+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/capidtmf.c 2011-11-15 19:59:43.000000000 -0500
33801@@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
33802 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
33803 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
33804
33805+ pax_track_stack();
33806
33807 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
33808 {
33809diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.48/drivers/isdn/hardware/eicon/capifunc.c
33810--- linux-2.6.32.48/drivers/isdn/hardware/eicon/capifunc.c 2011-11-08 19:02:43.000000000 -0500
33811+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/capifunc.c 2011-11-15 19:59:43.000000000 -0500
33812@@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
33813 IDI_SYNC_REQ req;
33814 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33815
33816+ pax_track_stack();
33817+
33818 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33819
33820 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33821diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.48/drivers/isdn/hardware/eicon/diddfunc.c
33822--- linux-2.6.32.48/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-08 19:02:43.000000000 -0500
33823+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/diddfunc.c 2011-11-15 19:59:43.000000000 -0500
33824@@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
33825 IDI_SYNC_REQ req;
33826 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33827
33828+ pax_track_stack();
33829+
33830 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33831
33832 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33833diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.48/drivers/isdn/hardware/eicon/divasfunc.c
33834--- linux-2.6.32.48/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-08 19:02:43.000000000 -0500
33835+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/divasfunc.c 2011-11-15 19:59:43.000000000 -0500
33836@@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
33837 IDI_SYNC_REQ req;
33838 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33839
33840+ pax_track_stack();
33841+
33842 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33843
33844 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33845diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/divasync.h linux-2.6.32.48/drivers/isdn/hardware/eicon/divasync.h
33846--- linux-2.6.32.48/drivers/isdn/hardware/eicon/divasync.h 2011-11-08 19:02:43.000000000 -0500
33847+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/divasync.h 2011-11-15 19:59:43.000000000 -0500
33848@@ -146,7 +146,7 @@ typedef struct _diva_didd_add_adapter {
33849 } diva_didd_add_adapter_t;
33850 typedef struct _diva_didd_remove_adapter {
33851 IDI_CALL p_request;
33852-} diva_didd_remove_adapter_t;
33853+} __no_const diva_didd_remove_adapter_t;
33854 typedef struct _diva_didd_read_adapter_array {
33855 void * buffer;
33856 dword length;
33857diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.48/drivers/isdn/hardware/eicon/idifunc.c
33858--- linux-2.6.32.48/drivers/isdn/hardware/eicon/idifunc.c 2011-11-08 19:02:43.000000000 -0500
33859+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/idifunc.c 2011-11-15 19:59:43.000000000 -0500
33860@@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
33861 IDI_SYNC_REQ req;
33862 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33863
33864+ pax_track_stack();
33865+
33866 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33867
33868 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33869diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/message.c linux-2.6.32.48/drivers/isdn/hardware/eicon/message.c
33870--- linux-2.6.32.48/drivers/isdn/hardware/eicon/message.c 2011-11-08 19:02:43.000000000 -0500
33871+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/message.c 2011-11-15 19:59:43.000000000 -0500
33872@@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
33873 dword d;
33874 word w;
33875
33876+ pax_track_stack();
33877+
33878 a = plci->adapter;
33879 Id = ((word)plci->Id<<8)|a->Id;
33880 PUT_WORD(&SS_Ind[4],0x0000);
33881@@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
33882 word j, n, w;
33883 dword d;
33884
33885+ pax_track_stack();
33886+
33887
33888 for(i=0;i<8;i++) bp_parms[i].length = 0;
33889 for(i=0;i<2;i++) global_config[i].length = 0;
33890@@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
33891 const byte llc3[] = {4,3,2,2,6,6,0};
33892 const byte header[] = {0,2,3,3,0,0,0};
33893
33894+ pax_track_stack();
33895+
33896 for(i=0;i<8;i++) bp_parms[i].length = 0;
33897 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
33898 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
33899@@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
33900 word appl_number_group_type[MAX_APPL];
33901 PLCI *auxplci;
33902
33903+ pax_track_stack();
33904+
33905 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
33906
33907 if(!a->group_optimization_enabled)
33908diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.48/drivers/isdn/hardware/eicon/mntfunc.c
33909--- linux-2.6.32.48/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-08 19:02:43.000000000 -0500
33910+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/mntfunc.c 2011-11-15 19:59:43.000000000 -0500
33911@@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
33912 IDI_SYNC_REQ req;
33913 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
33914
33915+ pax_track_stack();
33916+
33917 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
33918
33919 for (x = 0; x < MAX_DESCRIPTORS; x++) {
33920diff -urNp linux-2.6.32.48/drivers/isdn/hardware/eicon/xdi_adapter.h linux-2.6.32.48/drivers/isdn/hardware/eicon/xdi_adapter.h
33921--- linux-2.6.32.48/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-08 19:02:43.000000000 -0500
33922+++ linux-2.6.32.48/drivers/isdn/hardware/eicon/xdi_adapter.h 2011-11-15 19:59:43.000000000 -0500
33923@@ -44,7 +44,7 @@ typedef struct _xdi_mbox_t {
33924 typedef struct _diva_os_idi_adapter_interface {
33925 diva_init_card_proc_t cleanup_adapter_proc;
33926 diva_cmd_card_proc_t cmd_proc;
33927-} diva_os_idi_adapter_interface_t;
33928+} __no_const diva_os_idi_adapter_interface_t;
33929
33930 typedef struct _diva_os_xdi_adapter {
33931 struct list_head link;
33932diff -urNp linux-2.6.32.48/drivers/isdn/i4l/isdn_common.c linux-2.6.32.48/drivers/isdn/i4l/isdn_common.c
33933--- linux-2.6.32.48/drivers/isdn/i4l/isdn_common.c 2011-11-08 19:02:43.000000000 -0500
33934+++ linux-2.6.32.48/drivers/isdn/i4l/isdn_common.c 2011-11-15 19:59:43.000000000 -0500
33935@@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
33936 } iocpar;
33937 void __user *argp = (void __user *)arg;
33938
33939+ pax_track_stack();
33940+
33941 #define name iocpar.name
33942 #define bname iocpar.bname
33943 #define iocts iocpar.iocts
33944diff -urNp linux-2.6.32.48/drivers/isdn/icn/icn.c linux-2.6.32.48/drivers/isdn/icn/icn.c
33945--- linux-2.6.32.48/drivers/isdn/icn/icn.c 2011-11-08 19:02:43.000000000 -0500
33946+++ linux-2.6.32.48/drivers/isdn/icn/icn.c 2011-11-15 19:59:43.000000000 -0500
33947@@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
33948 if (count > len)
33949 count = len;
33950 if (user) {
33951- if (copy_from_user(msg, buf, count))
33952+ if (count > sizeof msg || copy_from_user(msg, buf, count))
33953 return -EFAULT;
33954 } else
33955 memcpy(msg, buf, count);
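Review bot: The new bound `count > sizeof msg` is applied only on the `user` branch; the `else` branch still runs `memcpy(msg, buf, count)` with the same `count`, which the visible lines clamp to `len` but not to the size of `msg`. If no earlier line (outside the hunk) already limits `count` to the buffer, an in-kernel caller with an oversized `len` would overflow `msg` in the same way. Hoisting the test above the branch covers both paths: `if (count > sizeof msg) return -EINVAL;` placed before `if (user) {`. icn_writecmd starts and ends outside the hunk.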
33956diff -urNp linux-2.6.32.48/drivers/isdn/mISDN/socket.c linux-2.6.32.48/drivers/isdn/mISDN/socket.c
33957--- linux-2.6.32.48/drivers/isdn/mISDN/socket.c 2011-11-08 19:02:43.000000000 -0500
33958+++ linux-2.6.32.48/drivers/isdn/mISDN/socket.c 2011-11-15 19:59:43.000000000 -0500
33959@@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
33960 if (dev) {
33961 struct mISDN_devinfo di;
33962
33963+ memset(&di, 0, sizeof(di));
33964 di.id = dev->id;
33965 di.Dprotocols = dev->Dprotocols;
33966 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
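Review bot: The added `memset(&di, 0, sizeof(di));` has no comment saying why a struct that is then filled field by field needs clearing, so it reads as redundant and is easy to drop in a later cleanup. If `di` is handed to user space further down (outside the hunk, presumably via copy_to_user), its padding and any member not assigned would otherwise carry stale kernel stack bytes. A one-line comment such as `/* clear padding and unset members: di is copied to user space */` would record that. The same applies to the identical memset in base_sock_ioctl in the next hunk; both functions start and end outside their hunks.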
33967@@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
33968 if (dev) {
33969 struct mISDN_devinfo di;
33970
33971+ memset(&di, 0, sizeof(di));
33972 di.id = dev->id;
33973 di.Dprotocols = dev->Dprotocols;
33974 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
33975diff -urNp linux-2.6.32.48/drivers/isdn/sc/interrupt.c linux-2.6.32.48/drivers/isdn/sc/interrupt.c
33976--- linux-2.6.32.48/drivers/isdn/sc/interrupt.c 2011-11-08 19:02:43.000000000 -0500
33977+++ linux-2.6.32.48/drivers/isdn/sc/interrupt.c 2011-11-15 19:59:43.000000000 -0500
33978@@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
33979 }
33980 else if(callid>=0x0000 && callid<=0x7FFF)
33981 {
33982+ int len;
33983+
33984 pr_debug("%s: Got Incoming Call\n",
33985 sc_adapter[card]->devicename);
33986- strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
33987- strcpy(setup.eazmsn,
33988- sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
33989+ len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
33990+ sizeof(setup.phone));
33991+ if (len >= sizeof(setup.phone))
33992+ continue;
33993+ len = strlcpy(setup.eazmsn,
33994+ sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
33995+ sizeof(setup.eazmsn));
33996+ if (len >= sizeof(setup.eazmsn))
33997+ continue;
33998 setup.si1 = 7;
33999 setup.si2 = 0;
34000 setup.plan = 0;
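Review bot: The `strlcpy` calls bound the write into `setup.phone` and `setup.eazmsn`, but `strlcpy` still walks the whole source to compute its return value, so a device message whose `byte_array` has no NUL after offset 4 is read past the end of the array just as with the old `strcpy`. Whether the firmware guarantees termination is not visible here; a cheap guard before the copy would be `if (strnlen(&rcvmsg.msg_data.byte_array[4], sizeof(rcvmsg.msg_data.byte_array) - 4) == sizeof(rcvmsg.msg_data.byte_array) - 4) continue;`. Separately, `len` receives a `size_t` and is compared with `sizeof`, so `size_t len;` would match its use better than `int len;`. interrupt_handler starts and ends outside the hunk.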
34001@@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
34002 * Handle a GetMyNumber Rsp
34003 */
34004 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
34005- strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
34006+ strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
34007+ rcvmsg.msg_data.byte_array,
34008+ sizeof(rcvmsg.msg_data.byte_array));
34009 continue;
34010 }
34011
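Review bot: The size passed to this `strlcpy` is `sizeof(rcvmsg.msg_data.byte_array)`, which is the size of the source, not of the destination `dn`. If `dn` is smaller than `byte_array`, the copy can still overrun `dn`, so the overflow the change is meant to close remains. Assuming `dn` is an array member (its declaration is outside the hunk), the bound should be `sizeof(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn)`. The index `rcvmsg.phy_link_no - 1` comes from the received message and no range check on it is visible in this hunk.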
34012diff -urNp linux-2.6.32.48/drivers/lguest/core.c linux-2.6.32.48/drivers/lguest/core.c
34013--- linux-2.6.32.48/drivers/lguest/core.c 2011-11-08 19:02:43.000000000 -0500
34014+++ linux-2.6.32.48/drivers/lguest/core.c 2011-11-15 19:59:43.000000000 -0500
34015@@ -91,9 +91,17 @@ static __init int map_switcher(void)
34016 * it's worked so far. The end address needs +1 because __get_vm_area
34017 * allocates an extra guard page, so we need space for that.
34018 */
34019+
34020+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
34021+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
34022+ VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
34023+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
34024+#else
34025 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
34026 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
34027 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
34028+#endif
34029+
34030 if (!switcher_vma) {
34031 err = -ENOMEM;
34032 printk("lguest: could not map switcher pages high\n");
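Review bot: The `#if`/`#else` duplicates the whole three-line `__get_vm_area()` call when the two arms differ only in the `VM_KERNEXEC` flag, so a later change to the size or address range has to be made twice and can drift. Keeping one call and selecting only the flags would avoid that, for example a local `unsigned long vm_flags = VM_ALLOC;` followed by a guarded `vm_flags |= VM_KERNEXEC;`. The added block also has no comment saying why the switcher mapping needs the KERNEXEC flag only in the `CONFIG_MODULES && CONFIG_X86_32` case. map_switcher starts and ends outside the hunk.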
34033@@ -118,7 +126,7 @@ static __init int map_switcher(void)
34034 * Now the Switcher is mapped at the right address, we can't fail!
34035 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
34036 */
34037- memcpy(switcher_vma->addr, start_switcher_text,
34038+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
34039 end_switcher_text - start_switcher_text);
34040
34041 printk(KERN_INFO "lguest: mapped switcher at %p\n",
34042diff -urNp linux-2.6.32.48/drivers/lguest/x86/core.c linux-2.6.32.48/drivers/lguest/x86/core.c
34043--- linux-2.6.32.48/drivers/lguest/x86/core.c 2011-11-08 19:02:43.000000000 -0500
34044+++ linux-2.6.32.48/drivers/lguest/x86/core.c 2011-11-15 19:59:43.000000000 -0500
34045@@ -59,7 +59,7 @@ static struct {
34046 /* Offset from where switcher.S was compiled to where we've copied it */
34047 static unsigned long switcher_offset(void)
34048 {
34049- return SWITCHER_ADDR - (unsigned long)start_switcher_text;
34050+ return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
34051 }
34052
34053 /* This cpu's struct lguest_pages. */
34054@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
34055 * These copies are pretty cheap, so we do them unconditionally: */
34056 /* Save the current Host top-level page directory.
34057 */
34058+
34059+#ifdef CONFIG_PAX_PER_CPU_PGD
34060+ pages->state.host_cr3 = read_cr3();
34061+#else
34062 pages->state.host_cr3 = __pa(current->mm->pgd);
34063+#endif
34064+
34065 /*
34066 * Set up the Guest's page tables to see this CPU's pages (and no
34067 * other CPU's pages).
34068@@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
34069 * compiled-in switcher code and the high-mapped copy we just made.
34070 */
34071 for (i = 0; i < IDT_ENTRIES; i++)
34072- default_idt_entries[i] += switcher_offset();
34073+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
34074
34075 /*
34076 * Set up the Switcher's per-cpu areas.
34077@@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
34078 * it will be undisturbed when we switch. To change %cs and jump we
34079 * need this structure to feed to Intel's "lcall" instruction.
34080 */
34081- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
34082+ lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
34083 lguest_entry.segment = LGUEST_CS;
34084
34085 /*
34086diff -urNp linux-2.6.32.48/drivers/lguest/x86/switcher_32.S linux-2.6.32.48/drivers/lguest/x86/switcher_32.S
34087--- linux-2.6.32.48/drivers/lguest/x86/switcher_32.S 2011-11-08 19:02:43.000000000 -0500
34088+++ linux-2.6.32.48/drivers/lguest/x86/switcher_32.S 2011-11-15 19:59:43.000000000 -0500
34089@@ -87,6 +87,7 @@
34090 #include <asm/page.h>
34091 #include <asm/segment.h>
34092 #include <asm/lguest.h>
34093+#include <asm/processor-flags.h>
34094
34095 // We mark the start of the code to copy
34096 // It's placed in .text tho it's never run here
34097@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
34098 // Changes type when we load it: damn Intel!
34099 // For after we switch over our page tables
34100 // That entry will be read-only: we'd crash.
34101+
34102+#ifdef CONFIG_PAX_KERNEXEC
34103+ mov %cr0, %edx
34104+ xor $X86_CR0_WP, %edx
34105+ mov %edx, %cr0
34106+#endif
34107+
34108 movl $(GDT_ENTRY_TSS*8), %edx
34109 ltr %dx
34110
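Review bot: The `xor $X86_CR0_WP, %edx` toggles the write-protect bit rather than clearing it, so this block and its counterpart in the next hunk only open and then close the write window if CR0.WP is set on entry to switch_to_guest. If it is ever entered with WP already clear, the first block turns protection on before the TSS descriptor write and the second leaves it off afterwards. Explicit operations do not depend on the entry state: `andl $~X86_CR0_WP, %edx` here and `orl $X86_CR0_WP, %eax` in the closing block. The added lines are also the only uncommented steps in a routine that comments every instruction; one line saying that WP is lifted because the host GDT entry is read-only under KERNEXEC (if that is the reason) would match the file.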
34111@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
34112 // Let's clear it again for our return.
34113 // The GDT descriptor of the Host
34114 // Points to the table after two "size" bytes
34115- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
34116+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
34117 // Clear "used" from type field (byte 5, bit 2)
34118- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
34119+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
34120+
34121+#ifdef CONFIG_PAX_KERNEXEC
34122+ mov %cr0, %eax
34123+ xor $X86_CR0_WP, %eax
34124+ mov %eax, %cr0
34125+#endif
34126
34127 // Once our page table's switched, the Guest is live!
34128 // The Host fades as we run this final step.
34129@@ -295,13 +309,12 @@ deliver_to_host:
34130 // I consulted gcc, and it gave
34131 // These instructions, which I gladly credit:
34132 leal (%edx,%ebx,8), %eax
34133- movzwl (%eax),%edx
34134- movl 4(%eax), %eax
34135- xorw %ax, %ax
34136- orl %eax, %edx
34137+ movl 4(%eax), %edx
34138+ movw (%eax), %dx
34139 // Now the address of the handler's in %edx
34140 // We call it now: its "iret" drops us home.
34141- jmp *%edx
34142+ ljmp $__KERNEL_CS, $1f
34143+1: jmp *%edx
34144
34145 // Every interrupt can come to us here
34146 // But we must truly tell each apart.
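Review bot: The added `ljmp $__KERNEL_CS, $1f` has no comment, while every other step of deliver_to_host explains itself. Presumably it reloads %cs with the regular kernel code segment before control reaches the host's handler, but nothing in the hunk says which segment is live at this point or why the indirect `jmp *%edx` alone is no longer enough under this patch. A comment in the file's style stating that intent would help, as would a note that the rewritten load (`movl 4(%eax), %edx` followed by `movw (%eax), %dx`) builds the same handler address as the four instructions it replaces.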
34147diff -urNp linux-2.6.32.48/drivers/macintosh/macio_asic.c linux-2.6.32.48/drivers/macintosh/macio_asic.c
34148--- linux-2.6.32.48/drivers/macintosh/macio_asic.c 2011-11-08 19:02:43.000000000 -0500
34149+++ linux-2.6.32.48/drivers/macintosh/macio_asic.c 2011-11-18 18:01:55.000000000 -0500
34150@@ -701,7 +701,7 @@ static void __devexit macio_pci_remove(s
34151 * MacIO is matched against any Apple ID, it's probe() function
34152 * will then decide wether it applies or not
34153 */
34154-static const struct pci_device_id __devinitdata pci_ids [] = { {
34155+static const struct pci_device_id __devinitconst pci_ids [] = { {
34156 .vendor = PCI_VENDOR_ID_APPLE,
34157 .device = PCI_ANY_ID,
34158 .subvendor = PCI_ANY_ID,
34159diff -urNp linux-2.6.32.48/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.48/drivers/macintosh/via-pmu-backlight.c
34160--- linux-2.6.32.48/drivers/macintosh/via-pmu-backlight.c 2011-11-08 19:02:43.000000000 -0500
34161+++ linux-2.6.32.48/drivers/macintosh/via-pmu-backlight.c 2011-11-15 19:59:43.000000000 -0500
34162@@ -15,7 +15,7 @@
34163
34164 #define MAX_PMU_LEVEL 0xFF
34165
34166-static struct backlight_ops pmu_backlight_data;
34167+static const struct backlight_ops pmu_backlight_data;
34168 static DEFINE_SPINLOCK(pmu_backlight_lock);
34169 static int sleeping, uses_pmu_bl;
34170 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
34171@@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
34172 return bd->props.brightness;
34173 }
34174
34175-static struct backlight_ops pmu_backlight_data = {
34176+static const struct backlight_ops pmu_backlight_data = {
34177 .get_brightness = pmu_backlight_get_brightness,
34178 .update_status = pmu_backlight_update_status,
34179
34180diff -urNp linux-2.6.32.48/drivers/macintosh/via-pmu.c linux-2.6.32.48/drivers/macintosh/via-pmu.c
34181--- linux-2.6.32.48/drivers/macintosh/via-pmu.c 2011-11-08 19:02:43.000000000 -0500
34182+++ linux-2.6.32.48/drivers/macintosh/via-pmu.c 2011-11-15 19:59:43.000000000 -0500
34183@@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
34184 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
34185 }
34186
34187-static struct platform_suspend_ops pmu_pm_ops = {
34188+static const struct platform_suspend_ops pmu_pm_ops = {
34189 .enter = powerbook_sleep,
34190 .valid = pmu_sleep_valid,
34191 };
34192diff -urNp linux-2.6.32.48/drivers/md/dm.c linux-2.6.32.48/drivers/md/dm.c
34193--- linux-2.6.32.48/drivers/md/dm.c 2011-11-08 19:02:43.000000000 -0500
34194+++ linux-2.6.32.48/drivers/md/dm.c 2011-11-15 19:59:43.000000000 -0500
34195@@ -165,9 +165,9 @@ struct mapped_device {
34196 /*
34197 * Event handling.
34198 */
34199- atomic_t event_nr;
34200+ atomic_unchecked_t event_nr;
34201 wait_queue_head_t eventq;
34202- atomic_t uevent_seq;
34203+ atomic_unchecked_t uevent_seq;
34204 struct list_head uevent_list;
34205 spinlock_t uevent_lock; /* Protect access to uevent_list */
34206
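Review bot: The conversion of `event_nr` and `uevent_seq` to `atomic_unchecked_t` is not documented at the declaration. The `_unchecked` variants opt a counter out of the overflow detection that PaX's REFCOUNT scheme applies to plain `atomic_t`, which is only appropriate for values that may wrap and never guard an object's lifetime. A short comment on each field, e.g. `/* event sequence number, may wrap; not a reference count */`, would let a reader verify that without tracing every user. The same applies to `error_count`, `md_event_count`, `read_errors` and `corrected_errors` in the dm-raid1.c, dm-stripe.c, md.c and md.h hunks below. struct mapped_device starts and ends outside the hunk.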
34207@@ -1776,8 +1776,8 @@ static struct mapped_device *alloc_dev(i
34208 rwlock_init(&md->map_lock);
34209 atomic_set(&md->holders, 1);
34210 atomic_set(&md->open_count, 0);
34211- atomic_set(&md->event_nr, 0);
34212- atomic_set(&md->uevent_seq, 0);
34213+ atomic_set_unchecked(&md->event_nr, 0);
34214+ atomic_set_unchecked(&md->uevent_seq, 0);
34215 INIT_LIST_HEAD(&md->uevent_list);
34216 spin_lock_init(&md->uevent_lock);
34217
34218@@ -1927,7 +1927,7 @@ static void event_callback(void *context
34219
34220 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
34221
34222- atomic_inc(&md->event_nr);
34223+ atomic_inc_unchecked(&md->event_nr);
34224 wake_up(&md->eventq);
34225 }
34226
34227@@ -2562,18 +2562,18 @@ void dm_kobject_uevent(struct mapped_dev
34228
34229 uint32_t dm_next_uevent_seq(struct mapped_device *md)
34230 {
34231- return atomic_add_return(1, &md->uevent_seq);
34232+ return atomic_add_return_unchecked(1, &md->uevent_seq);
34233 }
34234
34235 uint32_t dm_get_event_nr(struct mapped_device *md)
34236 {
34237- return atomic_read(&md->event_nr);
34238+ return atomic_read_unchecked(&md->event_nr);
34239 }
34240
34241 int dm_wait_event(struct mapped_device *md, int event_nr)
34242 {
34243 return wait_event_interruptible(md->eventq,
34244- (event_nr != atomic_read(&md->event_nr)));
34245+ (event_nr != atomic_read_unchecked(&md->event_nr)));
34246 }
34247
34248 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
34249diff -urNp linux-2.6.32.48/drivers/md/dm-ioctl.c linux-2.6.32.48/drivers/md/dm-ioctl.c
34250--- linux-2.6.32.48/drivers/md/dm-ioctl.c 2011-11-08 19:02:43.000000000 -0500
34251+++ linux-2.6.32.48/drivers/md/dm-ioctl.c 2011-11-15 19:59:43.000000000 -0500
34252@@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
34253 cmd == DM_LIST_VERSIONS_CMD)
34254 return 0;
34255
34256- if ((cmd == DM_DEV_CREATE_CMD)) {
34257+ if (cmd == DM_DEV_CREATE_CMD) {
34258 if (!*param->name) {
34259 DMWARN("name not supplied when creating device");
34260 return -EINVAL;
34261diff -urNp linux-2.6.32.48/drivers/md/dm-raid1.c linux-2.6.32.48/drivers/md/dm-raid1.c
34262--- linux-2.6.32.48/drivers/md/dm-raid1.c 2011-11-08 19:02:43.000000000 -0500
34263+++ linux-2.6.32.48/drivers/md/dm-raid1.c 2011-11-15 19:59:43.000000000 -0500
34264@@ -41,7 +41,7 @@ enum dm_raid1_error {
34265
34266 struct mirror {
34267 struct mirror_set *ms;
34268- atomic_t error_count;
34269+ atomic_unchecked_t error_count;
34270 unsigned long error_type;
34271 struct dm_dev *dev;
34272 sector_t offset;
34273@@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
34274 * simple way to tell if a device has encountered
34275 * errors.
34276 */
34277- atomic_inc(&m->error_count);
34278+ atomic_inc_unchecked(&m->error_count);
34279
34280 if (test_and_set_bit(error_type, &m->error_type))
34281 return;
34282@@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
34283 }
34284
34285 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
34286- if (!atomic_read(&new->error_count)) {
34287+ if (!atomic_read_unchecked(&new->error_count)) {
34288 set_default_mirror(new);
34289 break;
34290 }
34291@@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
34292 struct mirror *m = get_default_mirror(ms);
34293
34294 do {
34295- if (likely(!atomic_read(&m->error_count)))
34296+ if (likely(!atomic_read_unchecked(&m->error_count)))
34297 return m;
34298
34299 if (m-- == ms->mirror)
34300@@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
34301 {
34302 struct mirror *default_mirror = get_default_mirror(m->ms);
34303
34304- return !atomic_read(&default_mirror->error_count);
34305+ return !atomic_read_unchecked(&default_mirror->error_count);
34306 }
34307
34308 static int mirror_available(struct mirror_set *ms, struct bio *bio)
34309@@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
34310 */
34311 if (likely(region_in_sync(ms, region, 1)))
34312 m = choose_mirror(ms, bio->bi_sector);
34313- else if (m && atomic_read(&m->error_count))
34314+ else if (m && atomic_read_unchecked(&m->error_count))
34315 m = NULL;
34316
34317 if (likely(m))
34318@@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
34319 }
34320
34321 ms->mirror[mirror].ms = ms;
34322- atomic_set(&(ms->mirror[mirror].error_count), 0);
34323+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
34324 ms->mirror[mirror].error_type = 0;
34325 ms->mirror[mirror].offset = offset;
34326
34327@@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
34328 */
34329 static char device_status_char(struct mirror *m)
34330 {
34331- if (!atomic_read(&(m->error_count)))
34332+ if (!atomic_read_unchecked(&(m->error_count)))
34333 return 'A';
34334
34335 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
34336diff -urNp linux-2.6.32.48/drivers/md/dm-stripe.c linux-2.6.32.48/drivers/md/dm-stripe.c
34337--- linux-2.6.32.48/drivers/md/dm-stripe.c 2011-11-08 19:02:43.000000000 -0500
34338+++ linux-2.6.32.48/drivers/md/dm-stripe.c 2011-11-15 19:59:43.000000000 -0500
34339@@ -20,7 +20,7 @@ struct stripe {
34340 struct dm_dev *dev;
34341 sector_t physical_start;
34342
34343- atomic_t error_count;
34344+ atomic_unchecked_t error_count;
34345 };
34346
34347 struct stripe_c {
34348@@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
34349 kfree(sc);
34350 return r;
34351 }
34352- atomic_set(&(sc->stripe[i].error_count), 0);
34353+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
34354 }
34355
34356 ti->private = sc;
34357@@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
34358 DMEMIT("%d ", sc->stripes);
34359 for (i = 0; i < sc->stripes; i++) {
34360 DMEMIT("%s ", sc->stripe[i].dev->name);
34361- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
34362+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
34363 'D' : 'A';
34364 }
34365 buffer[i] = '\0';
34366@@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
34367 */
34368 for (i = 0; i < sc->stripes; i++)
34369 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
34370- atomic_inc(&(sc->stripe[i].error_count));
34371- if (atomic_read(&(sc->stripe[i].error_count)) <
34372+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
34373+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
34374 DM_IO_ERROR_THRESHOLD)
34375 queue_work(kstriped, &sc->kstriped_ws);
34376 }
34377diff -urNp linux-2.6.32.48/drivers/md/dm-sysfs.c linux-2.6.32.48/drivers/md/dm-sysfs.c
34378--- linux-2.6.32.48/drivers/md/dm-sysfs.c 2011-11-08 19:02:43.000000000 -0500
34379+++ linux-2.6.32.48/drivers/md/dm-sysfs.c 2011-11-15 19:59:43.000000000 -0500
34380@@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
34381 NULL,
34382 };
34383
34384-static struct sysfs_ops dm_sysfs_ops = {
34385+static const struct sysfs_ops dm_sysfs_ops = {
34386 .show = dm_attr_show,
34387 };
34388
34389diff -urNp linux-2.6.32.48/drivers/md/dm-table.c linux-2.6.32.48/drivers/md/dm-table.c
34390--- linux-2.6.32.48/drivers/md/dm-table.c 2011-11-08 19:02:43.000000000 -0500
34391+++ linux-2.6.32.48/drivers/md/dm-table.c 2011-11-15 19:59:43.000000000 -0500
34392@@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
34393 if (!dev_size)
34394 return 0;
34395
34396- if ((start >= dev_size) || (start + len > dev_size)) {
34397+ if ((start >= dev_size) || (len > dev_size - start)) {
34398 DMWARN("%s: %s too small for target: "
34399 "start=%llu, len=%llu, dev_size=%llu",
34400 dm_device_name(ti->table->md), bdevname(bdev, b),
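Review bot: The rewritten test `len > dev_size - start` is only safe because `start >= dev_size` is evaluated first and short-circuits; nothing on the line says so, and swapping the two operands in a later cleanup would let `dev_size - start` wrap. A comment above the condition would pin the ordering, e.g. `/* start < dev_size is checked first, so the subtraction cannot wrap; start + len could */`. device_area_is_invalid starts and ends outside the hunk.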
34401diff -urNp linux-2.6.32.48/drivers/md/md.c linux-2.6.32.48/drivers/md/md.c
34402--- linux-2.6.32.48/drivers/md/md.c 2011-11-08 19:02:43.000000000 -0500
34403+++ linux-2.6.32.48/drivers/md/md.c 2011-11-15 19:59:43.000000000 -0500
34404@@ -153,10 +153,10 @@ static int start_readonly;
34405 * start build, activate spare
34406 */
34407 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
34408-static atomic_t md_event_count;
34409+static atomic_unchecked_t md_event_count;
34410 void md_new_event(mddev_t *mddev)
34411 {
34412- atomic_inc(&md_event_count);
34413+ atomic_inc_unchecked(&md_event_count);
34414 wake_up(&md_event_waiters);
34415 }
34416 EXPORT_SYMBOL_GPL(md_new_event);
34417@@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
34418 */
34419 static void md_new_event_inintr(mddev_t *mddev)
34420 {
34421- atomic_inc(&md_event_count);
34422+ atomic_inc_unchecked(&md_event_count);
34423 wake_up(&md_event_waiters);
34424 }
34425
34426@@ -1226,7 +1226,7 @@ static int super_1_load(mdk_rdev_t *rdev
34427
34428 rdev->preferred_minor = 0xffff;
34429 rdev->data_offset = le64_to_cpu(sb->data_offset);
34430- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
34431+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
34432
34433 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
34434 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
34435@@ -1400,7 +1400,7 @@ static void super_1_sync(mddev_t *mddev,
34436 else
34437 sb->resync_offset = cpu_to_le64(0);
34438
34439- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
34440+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
34441
34442 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
34443 sb->size = cpu_to_le64(mddev->dev_sectors);
34444@@ -2222,7 +2222,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
34445 static ssize_t
34446 errors_show(mdk_rdev_t *rdev, char *page)
34447 {
34448- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
34449+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
34450 }
34451
34452 static ssize_t
34453@@ -2231,7 +2231,7 @@ errors_store(mdk_rdev_t *rdev, const cha
34454 char *e;
34455 unsigned long n = simple_strtoul(buf, &e, 10);
34456 if (*buf && (*e == 0 || *e == '\n')) {
34457- atomic_set(&rdev->corrected_errors, n);
34458+ atomic_set_unchecked(&rdev->corrected_errors, n);
34459 return len;
34460 }
34461 return -EINVAL;
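Review bot: `atomic_set_unchecked(&rdev->corrected_errors, n)` stores an `unsigned long` parsed by `simple_strtoul` into an int-sized counter without a range check. A value above INT_MAX written to the attribute is therefore truncated and reads back negative through the `%d` in errors_show (previous hunk). Now that the counter is explicitly exempt from overflow checking, rejecting out-of-range input at the boundary is a one-line change to the guard: `if (*buf && (*e == 0 || *e == '\n') && n <= INT_MAX) {`. errors_store starts outside the hunk.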
34462@@ -2525,7 +2525,7 @@ static void rdev_free(struct kobject *ko
34463 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
34464 kfree(rdev);
34465 }
34466-static struct sysfs_ops rdev_sysfs_ops = {
34467+static const struct sysfs_ops rdev_sysfs_ops = {
34468 .show = rdev_attr_show,
34469 .store = rdev_attr_store,
34470 };
34471@@ -2574,8 +2574,8 @@ static mdk_rdev_t *md_import_device(dev_
34472 rdev->data_offset = 0;
34473 rdev->sb_events = 0;
34474 atomic_set(&rdev->nr_pending, 0);
34475- atomic_set(&rdev->read_errors, 0);
34476- atomic_set(&rdev->corrected_errors, 0);
34477+ atomic_set_unchecked(&rdev->read_errors, 0);
34478+ atomic_set_unchecked(&rdev->corrected_errors, 0);
34479
34480 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
34481 if (!size) {
34482@@ -3895,7 +3895,7 @@ static void md_free(struct kobject *ko)
34483 kfree(mddev);
34484 }
34485
34486-static struct sysfs_ops md_sysfs_ops = {
34487+static const struct sysfs_ops md_sysfs_ops = {
34488 .show = md_attr_show,
34489 .store = md_attr_store,
34490 };
34491@@ -4482,7 +4482,8 @@ out:
34492 err = 0;
34493 blk_integrity_unregister(disk);
34494 md_new_event(mddev);
34495- sysfs_notify_dirent(mddev->sysfs_state);
34496+ if (mddev->sysfs_state)
34497+ sysfs_notify_dirent(mddev->sysfs_state);
34498 return err;
34499 }
34500
34501@@ -5962,7 +5963,7 @@ static int md_seq_show(struct seq_file *
34502
34503 spin_unlock(&pers_lock);
34504 seq_printf(seq, "\n");
34505- mi->event = atomic_read(&md_event_count);
34506+ mi->event = atomic_read_unchecked(&md_event_count);
34507 return 0;
34508 }
34509 if (v == (void*)2) {
34510@@ -6051,7 +6052,7 @@ static int md_seq_show(struct seq_file *
34511 chunk_kb ? "KB" : "B");
34512 if (bitmap->file) {
34513 seq_printf(seq, ", file: ");
34514- seq_path(seq, &bitmap->file->f_path, " \t\n");
34515+ seq_path(seq, &bitmap->file->f_path, " \t\n\\");
34516 }
34517
34518 seq_printf(seq, "\n");
34519@@ -6085,7 +6086,7 @@ static int md_seq_open(struct inode *ino
34520 else {
34521 struct seq_file *p = file->private_data;
34522 p->private = mi;
34523- mi->event = atomic_read(&md_event_count);
34524+ mi->event = atomic_read_unchecked(&md_event_count);
34525 }
34526 return error;
34527 }
34528@@ -6101,7 +6102,7 @@ static unsigned int mdstat_poll(struct f
34529 /* always allow read */
34530 mask = POLLIN | POLLRDNORM;
34531
34532- if (mi->event != atomic_read(&md_event_count))
34533+ if (mi->event != atomic_read_unchecked(&md_event_count))
34534 mask |= POLLERR | POLLPRI;
34535 return mask;
34536 }
34537@@ -6145,7 +6146,7 @@ static int is_mddev_idle(mddev_t *mddev,
34538 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
34539 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
34540 (int)part_stat_read(&disk->part0, sectors[1]) -
34541- atomic_read(&disk->sync_io);
34542+ atomic_read_unchecked(&disk->sync_io);
34543 /* sync IO will cause sync_io to increase before the disk_stats
34544 * as sync_io is counted when a request starts, and
34545 * disk_stats is counted when it completes.
34546diff -urNp linux-2.6.32.48/drivers/md/md.h linux-2.6.32.48/drivers/md/md.h
34547--- linux-2.6.32.48/drivers/md/md.h 2011-11-08 19:02:43.000000000 -0500
34548+++ linux-2.6.32.48/drivers/md/md.h 2011-11-15 19:59:43.000000000 -0500
34549@@ -94,10 +94,10 @@ struct mdk_rdev_s
34550 * only maintained for arrays that
34551 * support hot removal
34552 */
34553- atomic_t read_errors; /* number of consecutive read errors that
34554+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
34555 * we have tried to ignore.
34556 */
34557- atomic_t corrected_errors; /* number of corrected read errors,
34558+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
34559 * for reporting to userspace and storing
34560 * in superblock.
34561 */
34562@@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
34563
34564 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
34565 {
34566- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
34567+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
34568 }
34569
34570 struct mdk_personality
34571diff -urNp linux-2.6.32.48/drivers/md/raid10.c linux-2.6.32.48/drivers/md/raid10.c
34572--- linux-2.6.32.48/drivers/md/raid10.c 2011-11-08 19:02:43.000000000 -0500
34573+++ linux-2.6.32.48/drivers/md/raid10.c 2011-11-15 19:59:43.000000000 -0500
34574@@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
34575 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
34576 set_bit(R10BIO_Uptodate, &r10_bio->state);
34577 else {
34578- atomic_add(r10_bio->sectors,
34579+ atomic_add_unchecked(r10_bio->sectors,
34580 &conf->mirrors[d].rdev->corrected_errors);
34581 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
34582 md_error(r10_bio->mddev,
34583@@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
34584 test_bit(In_sync, &rdev->flags)) {
34585 atomic_inc(&rdev->nr_pending);
34586 rcu_read_unlock();
34587- atomic_add(s, &rdev->corrected_errors);
34588+ atomic_add_unchecked(s, &rdev->corrected_errors);
34589 if (sync_page_io(rdev->bdev,
34590 r10_bio->devs[sl].addr +
34591 sect + rdev->data_offset,
34592diff -urNp linux-2.6.32.48/drivers/md/raid1.c linux-2.6.32.48/drivers/md/raid1.c
34593--- linux-2.6.32.48/drivers/md/raid1.c 2011-11-08 19:02:43.000000000 -0500
34594+++ linux-2.6.32.48/drivers/md/raid1.c 2011-11-15 19:59:43.000000000 -0500
34595@@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
34596 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
34597 continue;
34598 rdev = conf->mirrors[d].rdev;
34599- atomic_add(s, &rdev->corrected_errors);
34600+ atomic_add_unchecked(s, &rdev->corrected_errors);
34601 if (sync_page_io(rdev->bdev,
34602 sect + rdev->data_offset,
34603 s<<9,
34604@@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
34605 /* Well, this device is dead */
34606 md_error(mddev, rdev);
34607 else {
34608- atomic_add(s, &rdev->corrected_errors);
34609+ atomic_add_unchecked(s, &rdev->corrected_errors);
34610 printk(KERN_INFO
34611 "raid1:%s: read error corrected "
34612 "(%d sectors at %llu on %s)\n",
34613diff -urNp linux-2.6.32.48/drivers/md/raid5.c linux-2.6.32.48/drivers/md/raid5.c
34614--- linux-2.6.32.48/drivers/md/raid5.c 2011-11-08 19:02:43.000000000 -0500
34615+++ linux-2.6.32.48/drivers/md/raid5.c 2011-11-15 19:59:43.000000000 -0500
34616@@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
34617 bi->bi_next = NULL;
34618 if ((rw & WRITE) &&
34619 test_bit(R5_ReWrite, &sh->dev[i].flags))
34620- atomic_add(STRIPE_SECTORS,
34621+ atomic_add_unchecked(STRIPE_SECTORS,
34622 &rdev->corrected_errors);
34623 generic_make_request(bi);
34624 } else {
34625@@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
34626 clear_bit(R5_ReadError, &sh->dev[i].flags);
34627 clear_bit(R5_ReWrite, &sh->dev[i].flags);
34628 }
34629- if (atomic_read(&conf->disks[i].rdev->read_errors))
34630- atomic_set(&conf->disks[i].rdev->read_errors, 0);
34631+ if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
34632+ atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
34633 } else {
34634 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
34635 int retry = 0;
34636 rdev = conf->disks[i].rdev;
34637
34638 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
34639- atomic_inc(&rdev->read_errors);
34640+ atomic_inc_unchecked(&rdev->read_errors);
34641 if (conf->mddev->degraded >= conf->max_degraded)
34642 printk_rl(KERN_WARNING
34643 "raid5:%s: read error not correctable "
34644@@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
34645 (unsigned long long)(sh->sector
34646 + rdev->data_offset),
34647 bdn);
34648- else if (atomic_read(&rdev->read_errors)
34649+ else if (atomic_read_unchecked(&rdev->read_errors)
34650 > conf->max_nr_stripes)
34651 printk(KERN_WARNING
34652 "raid5:%s: Too many read errors, failing device %s.\n",
34653@@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
34654 sector_t r_sector;
34655 struct stripe_head sh2;
34656
34657+ pax_track_stack();
34658
34659 chunk_offset = sector_div(new_sector, sectors_per_chunk);
34660 stripe = new_sector;
34661diff -urNp linux-2.6.32.48/drivers/media/common/saa7146_hlp.c linux-2.6.32.48/drivers/media/common/saa7146_hlp.c
34662--- linux-2.6.32.48/drivers/media/common/saa7146_hlp.c 2011-11-08 19:02:43.000000000 -0500
34663+++ linux-2.6.32.48/drivers/media/common/saa7146_hlp.c 2011-11-15 19:59:43.000000000 -0500
34664@@ -353,6 +353,8 @@ static void calculate_clipping_registers
34665
34666 int x[32], y[32], w[32], h[32];
34667
34668+ pax_track_stack();
34669+
34670 /* clear out memory */
34671 memset(&line_list[0], 0x00, sizeof(u32)*32);
34672 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
34673diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
34674--- linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-08 19:02:43.000000000 -0500
34675+++ linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-11-15 19:59:43.000000000 -0500
34676@@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
34677 u8 buf[HOST_LINK_BUF_SIZE];
34678 int i;
34679
34680+ pax_track_stack();
34681+
34682 dprintk("%s\n", __func__);
34683
34684 /* check if we have space for a link buf in the rx_buffer */
34685@@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
34686 unsigned long timeout;
34687 int written;
34688
34689+ pax_track_stack();
34690+
34691 dprintk("%s\n", __func__);
34692
34693 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
34694diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_demux.h linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_demux.h
34695--- linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-08 19:02:43.000000000 -0500
34696+++ linux-2.6.32.48/drivers/media/dvb/dvb-core/dvb_demux.h 2011-11-15 19:59:43.000000000 -0500
34697@@ -71,7 +71,7 @@ struct dvb_demux_feed {
34698 union {
34699 dmx_ts_cb ts;
34700 dmx_section_cb sec;
34701- } cb;
34702+ } __no_const cb;
34703
34704 struct dvb_demux *demux;
34705 void *priv;
34706diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.48/drivers/media/dvb/dvb-core/dvbdev.c
34707--- linux-2.6.32.48/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-08 19:02:43.000000000 -0500
34708+++ linux-2.6.32.48/drivers/media/dvb/dvb-core/dvbdev.c 2011-11-15 19:59:43.000000000 -0500
34709@@ -191,7 +191,7 @@ int dvb_register_device(struct dvb_adapt
34710 const struct dvb_device *template, void *priv, int type)
34711 {
34712 struct dvb_device *dvbdev;
34713- struct file_operations *dvbdevfops;
34714+ file_operations_no_const *dvbdevfops;
34715 struct device *clsdev;
34716 int minor;
34717 int id;
34718diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-usb/cxusb.c linux-2.6.32.48/drivers/media/dvb/dvb-usb/cxusb.c
34719--- linux-2.6.32.48/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-08 19:02:43.000000000 -0500
34720+++ linux-2.6.32.48/drivers/media/dvb/dvb-usb/cxusb.c 2011-11-15 19:59:43.000000000 -0500
34721@@ -1040,7 +1040,7 @@ static struct dib0070_config dib7070p_di
34722 struct dib0700_adapter_state {
34723 int (*set_param_save) (struct dvb_frontend *,
34724 struct dvb_frontend_parameters *);
34725-};
34726+} __no_const;
34727
34728 static int dib7070_set_param_override(struct dvb_frontend *fe,
34729 struct dvb_frontend_parameters *fep)
34730diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_core.c
34731--- linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-08 19:02:43.000000000 -0500
34732+++ linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-11-15 19:59:43.000000000 -0500
34733@@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
34734
34735 u8 buf[260];
34736
34737+ pax_track_stack();
34738+
34739 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
34740 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
34741
34742diff -urNp linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_devices.c linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_devices.c
34743--- linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-11-08 19:02:43.000000000 -0500
34744+++ linux-2.6.32.48/drivers/media/dvb/dvb-usb/dib0700_devices.c 2011-11-15 19:59:43.000000000 -0500
34745@@ -28,7 +28,7 @@ MODULE_PARM_DESC(force_lna_activation, "
34746
34747 struct dib0700_adapter_state {
34748 int (*set_param_save) (struct dvb_frontend *, struct dvb_frontend_parameters *);
34749-};
34750+} __no_const;
34751
34752 /* Hauppauge Nova-T 500 (aka Bristol)
34753 * has a LNA on GPIO0 which is enabled by setting 1 */
34754diff -urNp linux-2.6.32.48/drivers/media/dvb/frontends/dib3000.h linux-2.6.32.48/drivers/media/dvb/frontends/dib3000.h
34755--- linux-2.6.32.48/drivers/media/dvb/frontends/dib3000.h 2011-11-08 19:02:43.000000000 -0500
34756+++ linux-2.6.32.48/drivers/media/dvb/frontends/dib3000.h 2011-11-15 19:59:43.000000000 -0500
34757@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
34758 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
34759 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
34760 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
34761-};
34762+} __no_const;
34763
34764 #if defined(CONFIG_DVB_DIB3000MB) || (defined(CONFIG_DVB_DIB3000MB_MODULE) && defined(MODULE))
34765 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
34766diff -urNp linux-2.6.32.48/drivers/media/dvb/frontends/or51211.c linux-2.6.32.48/drivers/media/dvb/frontends/or51211.c
34767--- linux-2.6.32.48/drivers/media/dvb/frontends/or51211.c 2011-11-08 19:02:43.000000000 -0500
34768+++ linux-2.6.32.48/drivers/media/dvb/frontends/or51211.c 2011-11-15 19:59:43.000000000 -0500
34769@@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
34770 u8 tudata[585];
34771 int i;
34772
34773+ pax_track_stack();
34774+
34775 dprintk("Firmware is %zd bytes\n",fw->size);
34776
34777 /* Get eprom data */
34778diff -urNp linux-2.6.32.48/drivers/media/radio/radio-cadet.c linux-2.6.32.48/drivers/media/radio/radio-cadet.c
34779--- linux-2.6.32.48/drivers/media/radio/radio-cadet.c 2011-11-08 19:02:43.000000000 -0500
34780+++ linux-2.6.32.48/drivers/media/radio/radio-cadet.c 2011-11-15 19:59:43.000000000 -0500
34781@@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
34782 while (i < count && dev->rdsin != dev->rdsout)
34783 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
34784
34785- if (copy_to_user(data, readbuf, i))
34786+ if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
34787 return -EFAULT;
34788 return i;
34789 }
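Review bot: The added `i > sizeof readbuf` test runs only after the copy loop above it has already stored into `readbuf[i++]`, so it limits what `copy_to_user` reads but cannot stop the loop itself from writing past `readbuf` when `count` exceeds the buffer. Whether `count` is clamped earlier in `cadet_read` is not visible in this hunk. If it is not, the bound belongs in the loop condition, for example `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`. The declarations of `i` and `readbuf` are outside the hunk.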
34790diff -urNp linux-2.6.32.48/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.48/drivers/media/video/cx18/cx18-driver.c
34791--- linux-2.6.32.48/drivers/media/video/cx18/cx18-driver.c 2011-11-08 19:02:43.000000000 -0500
34792+++ linux-2.6.32.48/drivers/media/video/cx18/cx18-driver.c 2011-11-15 19:59:43.000000000 -0500
34793@@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
34794
34795 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
34796
34797-static atomic_t cx18_instance = ATOMIC_INIT(0);
34798+static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
34799
34800 /* Parameter declarations */
34801 static int cardtype[CX18_MAX_CARDS];
34802@@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
34803 struct i2c_client c;
34804 u8 eedata[256];
34805
34806+ pax_track_stack();
34807+
34808 memset(&c, 0, sizeof(c));
34809 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
34810 c.adapter = &cx->i2c_adap[0];
34811@@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
34812 struct cx18 *cx;
34813
34814 /* FIXME - module parameter arrays constrain max instances */
34815- i = atomic_inc_return(&cx18_instance) - 1;
34816+ i = atomic_inc_return_unchecked(&cx18_instance) - 1;
34817 if (i >= CX18_MAX_CARDS) {
34818 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
34819 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
34820diff -urNp linux-2.6.32.48/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.48/drivers/media/video/ivtv/ivtv-driver.c
34821--- linux-2.6.32.48/drivers/media/video/ivtv/ivtv-driver.c 2011-11-08 19:02:43.000000000 -0500
34822+++ linux-2.6.32.48/drivers/media/video/ivtv/ivtv-driver.c 2011-11-15 19:59:43.000000000 -0500
34823@@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
34824 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
34825
34826 /* ivtv instance counter */
34827-static atomic_t ivtv_instance = ATOMIC_INIT(0);
34828+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
34829
34830 /* Parameter declarations */
34831 static int cardtype[IVTV_MAX_CARDS];
34832diff -urNp linux-2.6.32.48/drivers/media/video/omap24xxcam.c linux-2.6.32.48/drivers/media/video/omap24xxcam.c
34833--- linux-2.6.32.48/drivers/media/video/omap24xxcam.c 2011-11-08 19:02:43.000000000 -0500
34834+++ linux-2.6.32.48/drivers/media/video/omap24xxcam.c 2011-11-15 19:59:43.000000000 -0500
34835@@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
34836 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
34837
34838 do_gettimeofday(&vb->ts);
34839- vb->field_count = atomic_add_return(2, &fh->field_count);
34840+ vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
34841 if (csr & csr_error) {
34842 vb->state = VIDEOBUF_ERROR;
34843 if (!atomic_read(&fh->cam->in_reset)) {
34844diff -urNp linux-2.6.32.48/drivers/media/video/omap24xxcam.h linux-2.6.32.48/drivers/media/video/omap24xxcam.h
34845--- linux-2.6.32.48/drivers/media/video/omap24xxcam.h 2011-11-08 19:02:43.000000000 -0500
34846+++ linux-2.6.32.48/drivers/media/video/omap24xxcam.h 2011-11-15 19:59:43.000000000 -0500
34847@@ -533,7 +533,7 @@ struct omap24xxcam_fh {
34848 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
34849 struct videobuf_queue vbq;
34850 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
34851- atomic_t field_count; /* field counter for videobuf_buffer */
34852+ atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
34853 /* accessing cam here doesn't need serialisation: it's constant */
34854 struct omap24xxcam_device *cam;
34855 };
34856diff -urNp linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
34857--- linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-08 19:02:43.000000000 -0500
34858+++ linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-11-15 19:59:43.000000000 -0500
34859@@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
34860 u8 *eeprom;
34861 struct tveeprom tvdata;
34862
34863+ pax_track_stack();
34864+
34865 memset(&tvdata,0,sizeof(tvdata));
34866
34867 eeprom = pvr2_eeprom_fetch(hdw);
34868diff -urNp linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h
34869--- linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-08 19:02:43.000000000 -0500
34870+++ linux-2.6.32.48/drivers/media/video/pvrusb2/pvrusb2-hdw-internal.h 2011-11-15 19:59:43.000000000 -0500
34871@@ -195,7 +195,7 @@ struct pvr2_hdw {
34872
34873 /* I2C stuff */
34874 struct i2c_adapter i2c_adap;
34875- struct i2c_algorithm i2c_algo;
34876+ i2c_algorithm_no_const i2c_algo;
34877 pvr2_i2c_func i2c_func[PVR2_I2C_FUNC_CNT];
34878 int i2c_cx25840_hack_state;
34879 int i2c_linked;
34880diff -urNp linux-2.6.32.48/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.48/drivers/media/video/saa7134/saa6752hs.c
34881--- linux-2.6.32.48/drivers/media/video/saa7134/saa6752hs.c 2011-11-08 19:02:43.000000000 -0500
34882+++ linux-2.6.32.48/drivers/media/video/saa7134/saa6752hs.c 2011-11-15 19:59:43.000000000 -0500
34883@@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
34884 unsigned char localPAT[256];
34885 unsigned char localPMT[256];
34886
34887+ pax_track_stack();
34888+
34889 /* Set video format - must be done first as it resets other settings */
34890 set_reg8(client, 0x41, h->video_format);
34891
34892diff -urNp linux-2.6.32.48/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.48/drivers/media/video/saa7164/saa7164-cmd.c
34893--- linux-2.6.32.48/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-08 19:02:43.000000000 -0500
34894+++ linux-2.6.32.48/drivers/media/video/saa7164/saa7164-cmd.c 2011-11-15 19:59:43.000000000 -0500
34895@@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
34896 wait_queue_head_t *q = 0;
34897 dprintk(DBGLVL_CMD, "%s()\n", __func__);
34898
34899+ pax_track_stack();
34900+
34901 /* While any outstand message on the bus exists... */
34902 do {
34903
34904@@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
34905 u8 tmp[512];
34906 dprintk(DBGLVL_CMD, "%s()\n", __func__);
34907
34908+ pax_track_stack();
34909+
34910 while (loop) {
34911
34912 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
34913diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/ibmcam.c linux-2.6.32.48/drivers/media/video/usbvideo/ibmcam.c
34914--- linux-2.6.32.48/drivers/media/video/usbvideo/ibmcam.c 2011-11-08 19:02:43.000000000 -0500
34915+++ linux-2.6.32.48/drivers/media/video/usbvideo/ibmcam.c 2011-11-15 19:59:43.000000000 -0500
34916@@ -3947,15 +3947,15 @@ static struct usb_device_id id_table[] =
34917 static int __init ibmcam_init(void)
34918 {
34919 struct usbvideo_cb cbTbl;
34920- memset(&cbTbl, 0, sizeof(cbTbl));
34921- cbTbl.probe = ibmcam_probe;
34922- cbTbl.setupOnOpen = ibmcam_setup_on_open;
34923- cbTbl.videoStart = ibmcam_video_start;
34924- cbTbl.videoStop = ibmcam_video_stop;
34925- cbTbl.processData = ibmcam_ProcessIsocData;
34926- cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34927- cbTbl.adjustPicture = ibmcam_adjust_picture;
34928- cbTbl.getFPS = ibmcam_calculate_fps;
34929+ memset((void *)&cbTbl, 0, sizeof(cbTbl));
34930+ *(void **)&cbTbl.probe = ibmcam_probe;
34931+ *(void **)&cbTbl.setupOnOpen = ibmcam_setup_on_open;
34932+ *(void **)&cbTbl.videoStart = ibmcam_video_start;
34933+ *(void **)&cbTbl.videoStop = ibmcam_video_stop;
34934+ *(void **)&cbTbl.processData = ibmcam_ProcessIsocData;
34935+ *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
34936+ *(void **)&cbTbl.adjustPicture = ibmcam_adjust_picture;
34937+ *(void **)&cbTbl.getFPS = ibmcam_calculate_fps;
34938 return usbvideo_register(
34939 &cams,
34940 MAX_IBMCAM,
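Review bot: Storing each callback through `*(void **)&cbTbl.probe = ibmcam_probe;` removes the compiler's check that the handler matches the member's prototype, so a signature mismatch would now build silently and surface only as a bad indirect call. The same pattern appears in the konicawc.c, ultracam.c and usbvideo.c hunks of this patch. Since `struct usbvideo_cb` is marked `__no_const` in the usbvideo.h hunk, plain assignments such as `cbTbl.probe = ibmcam_probe;` presumably still build and would keep the type check; if the casts are required, a one-line comment saying why would help. The hunks are also inconsistent with each other: ultracam.c keeps `memset(&cbTbl, ...)` without the `(void *)` cast, and konicawc.c spells the cast `(void * )`.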
34941diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.48/drivers/media/video/usbvideo/konicawc.c
34942--- linux-2.6.32.48/drivers/media/video/usbvideo/konicawc.c 2011-11-08 19:02:43.000000000 -0500
34943+++ linux-2.6.32.48/drivers/media/video/usbvideo/konicawc.c 2011-11-15 19:59:43.000000000 -0500
34944@@ -225,7 +225,7 @@ static void konicawc_register_input(stru
34945 int error;
34946
34947 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34948- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34949+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34950
34951 cam->input = input_dev = input_allocate_device();
34952 if (!input_dev) {
34953@@ -935,16 +935,16 @@ static int __init konicawc_init(void)
34954 struct usbvideo_cb cbTbl;
34955 printk(KERN_INFO KBUILD_MODNAME ": " DRIVER_VERSION ":"
34956 DRIVER_DESC "\n");
34957- memset(&cbTbl, 0, sizeof(cbTbl));
34958- cbTbl.probe = konicawc_probe;
34959- cbTbl.setupOnOpen = konicawc_setup_on_open;
34960- cbTbl.processData = konicawc_process_isoc;
34961- cbTbl.getFPS = konicawc_calculate_fps;
34962- cbTbl.setVideoMode = konicawc_set_video_mode;
34963- cbTbl.startDataPump = konicawc_start_data;
34964- cbTbl.stopDataPump = konicawc_stop_data;
34965- cbTbl.adjustPicture = konicawc_adjust_picture;
34966- cbTbl.userFree = konicawc_free_uvd;
34967+ memset((void * )&cbTbl, 0, sizeof(cbTbl));
34968+ *(void **)&cbTbl.probe = konicawc_probe;
34969+ *(void **)&cbTbl.setupOnOpen = konicawc_setup_on_open;
34970+ *(void **)&cbTbl.processData = konicawc_process_isoc;
34971+ *(void **)&cbTbl.getFPS = konicawc_calculate_fps;
34972+ *(void **)&cbTbl.setVideoMode = konicawc_set_video_mode;
34973+ *(void **)&cbTbl.startDataPump = konicawc_start_data;
34974+ *(void **)&cbTbl.stopDataPump = konicawc_stop_data;
34975+ *(void **)&cbTbl.adjustPicture = konicawc_adjust_picture;
34976+ *(void **)&cbTbl.userFree = konicawc_free_uvd;
34977 return usbvideo_register(
34978 &cams,
34979 MAX_CAMERAS,
34980diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.48/drivers/media/video/usbvideo/quickcam_messenger.c
34981--- linux-2.6.32.48/drivers/media/video/usbvideo/quickcam_messenger.c 2011-11-08 19:02:43.000000000 -0500
34982+++ linux-2.6.32.48/drivers/media/video/usbvideo/quickcam_messenger.c 2011-11-15 19:59:43.000000000 -0500
34983@@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
34984 int error;
34985
34986 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
34987- strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34988+ strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
34989
34990 cam->input = input_dev = input_allocate_device();
34991 if (!input_dev) {
34992diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/ultracam.c linux-2.6.32.48/drivers/media/video/usbvideo/ultracam.c
34993--- linux-2.6.32.48/drivers/media/video/usbvideo/ultracam.c 2011-11-08 19:02:43.000000000 -0500
34994+++ linux-2.6.32.48/drivers/media/video/usbvideo/ultracam.c 2011-11-15 19:59:43.000000000 -0500
34995@@ -655,14 +655,14 @@ static int __init ultracam_init(void)
34996 {
34997 struct usbvideo_cb cbTbl;
34998 memset(&cbTbl, 0, sizeof(cbTbl));
34999- cbTbl.probe = ultracam_probe;
35000- cbTbl.setupOnOpen = ultracam_setup_on_open;
35001- cbTbl.videoStart = ultracam_video_start;
35002- cbTbl.videoStop = ultracam_video_stop;
35003- cbTbl.processData = ultracam_ProcessIsocData;
35004- cbTbl.postProcess = usbvideo_DeinterlaceFrame;
35005- cbTbl.adjustPicture = ultracam_adjust_picture;
35006- cbTbl.getFPS = ultracam_calculate_fps;
35007+ *(void **)&cbTbl.probe = ultracam_probe;
35008+ *(void **)&cbTbl.setupOnOpen = ultracam_setup_on_open;
35009+ *(void **)&cbTbl.videoStart = ultracam_video_start;
35010+ *(void **)&cbTbl.videoStop = ultracam_video_stop;
35011+ *(void **)&cbTbl.processData = ultracam_ProcessIsocData;
35012+ *(void **)&cbTbl.postProcess = usbvideo_DeinterlaceFrame;
35013+ *(void **)&cbTbl.adjustPicture = ultracam_adjust_picture;
35014+ *(void **)&cbTbl.getFPS = ultracam_calculate_fps;
35015 return usbvideo_register(
35016 &cams,
35017 MAX_CAMERAS,
35018diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.c linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.c
35019--- linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.c 2011-11-08 19:02:43.000000000 -0500
35020+++ linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.c 2011-11-15 19:59:43.000000000 -0500
35021@@ -697,15 +697,15 @@ int usbvideo_register(
35022 __func__, cams, base_size, num_cams);
35023
35024 /* Copy callbacks, apply defaults for those that are not set */
35025- memmove(&cams->cb, cbTbl, sizeof(cams->cb));
35026+ memmove((void *)&cams->cb, cbTbl, sizeof(cams->cb));
35027 if (cams->cb.getFrame == NULL)
35028- cams->cb.getFrame = usbvideo_GetFrame;
35029+ *(void **)&cams->cb.getFrame = usbvideo_GetFrame;
35030 if (cams->cb.disconnect == NULL)
35031- cams->cb.disconnect = usbvideo_Disconnect;
35032+ *(void **)&cams->cb.disconnect = usbvideo_Disconnect;
35033 if (cams->cb.startDataPump == NULL)
35034- cams->cb.startDataPump = usbvideo_StartDataPump;
35035+ *(void **)&cams->cb.startDataPump = usbvideo_StartDataPump;
35036 if (cams->cb.stopDataPump == NULL)
35037- cams->cb.stopDataPump = usbvideo_StopDataPump;
35038+ *(void **)&cams->cb.stopDataPump = usbvideo_StopDataPump;
35039
35040 cams->num_cameras = num_cams;
35041 cams->cam = (struct uvd *) &cams[1];
35042diff -urNp linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.h linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.h
35043--- linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.h 2011-11-08 19:02:43.000000000 -0500
35044+++ linux-2.6.32.48/drivers/media/video/usbvideo/usbvideo.h 2011-11-15 19:59:43.000000000 -0500
35045@@ -268,7 +268,7 @@ struct usbvideo_cb {
35046 int (*startDataPump)(struct uvd *uvd);
35047 void (*stopDataPump)(struct uvd *uvd);
35048 int (*setVideoMode)(struct uvd *uvd, struct video_window *vw);
35049-};
35050+} __no_const;
35051
35052 struct usbvideo {
35053 int num_cameras; /* As allocated */
35054diff -urNp linux-2.6.32.48/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.48/drivers/media/video/usbvision/usbvision-core.c
35055--- linux-2.6.32.48/drivers/media/video/usbvision/usbvision-core.c 2011-11-08 19:02:43.000000000 -0500
35056+++ linux-2.6.32.48/drivers/media/video/usbvision/usbvision-core.c 2011-11-15 19:59:43.000000000 -0500
35057@@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
35058 unsigned char rv, gv, bv;
35059 static unsigned char *Y, *U, *V;
35060
35061+ pax_track_stack();
35062+
35063 frame = usbvision->curFrame;
35064 imageSize = frame->frmwidth * frame->frmheight;
35065 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
35066diff -urNp linux-2.6.32.48/drivers/media/video/v4l2-device.c linux-2.6.32.48/drivers/media/video/v4l2-device.c
35067--- linux-2.6.32.48/drivers/media/video/v4l2-device.c 2011-11-08 19:02:43.000000000 -0500
35068+++ linux-2.6.32.48/drivers/media/video/v4l2-device.c 2011-11-15 19:59:43.000000000 -0500
35069@@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
35070 EXPORT_SYMBOL_GPL(v4l2_device_register);
35071
35072 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
35073- atomic_t *instance)
35074+ atomic_unchecked_t *instance)
35075 {
35076- int num = atomic_inc_return(instance) - 1;
35077+ int num = atomic_inc_return_unchecked(instance) - 1;
35078 int len = strlen(basename);
35079
35080 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
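Review bot: `basename[len - 1]` on the last line of this hunk reads one byte before the string when `basename` is empty, because `len` is then 0. The line is unchanged context, but the function is being touched here and the check is cheap: `if (len > 0 && basename[len - 1] >= '0' && basename[len - 1] <= '9')`. The rest of `v4l2_device_set_name` is outside the hunk, so whether callers can pass an empty name is not visible here.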
35081diff -urNp linux-2.6.32.48/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.48/drivers/media/video/videobuf-dma-sg.c
35082--- linux-2.6.32.48/drivers/media/video/videobuf-dma-sg.c 2011-11-08 19:02:43.000000000 -0500
35083+++ linux-2.6.32.48/drivers/media/video/videobuf-dma-sg.c 2011-11-15 19:59:43.000000000 -0500
35084@@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
35085 {
35086 struct videobuf_queue q;
35087
35088+ pax_track_stack();
35089+
35090 /* Required to make generic handler to call __videobuf_alloc */
35091 q.int_ops = &sg_ops;
35092
35093diff -urNp linux-2.6.32.48/drivers/message/fusion/mptbase.c linux-2.6.32.48/drivers/message/fusion/mptbase.c
35094--- linux-2.6.32.48/drivers/message/fusion/mptbase.c 2011-11-08 19:02:43.000000000 -0500
35095+++ linux-2.6.32.48/drivers/message/fusion/mptbase.c 2011-11-15 19:59:43.000000000 -0500
35096@@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
35097 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
35098 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
35099
35100+#ifdef CONFIG_GRKERNSEC_HIDESYM
35101+ len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
35102+ NULL, NULL);
35103+#else
35104 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
35105 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
35106+#endif
35107+
35108 /*
35109 * Rounding UP to nearest 4-kB boundary here...
35110 */
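Review bot: The `RequestFrames` format string is now duplicated in both branches of `#ifdef CONFIG_GRKERNSEC_HIDESYM`, so a later edit to one copy can leave the two outputs out of step. A single `sprintf` whose two pointer arguments are chosen by the `#ifdef` (both `NULL` when the option is set) would avoid that. A short comment such as `/* HIDESYM: do not expose kernel or DMA addresses through this proc file */` would also record why the values are blanked. `procmpt_iocinfo_read` starts and ends outside this hunk.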
35111diff -urNp linux-2.6.32.48/drivers/message/fusion/mptsas.c linux-2.6.32.48/drivers/message/fusion/mptsas.c
35112--- linux-2.6.32.48/drivers/message/fusion/mptsas.c 2011-11-08 19:02:43.000000000 -0500
35113+++ linux-2.6.32.48/drivers/message/fusion/mptsas.c 2011-11-15 19:59:43.000000000 -0500
35114@@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
35115 return 0;
35116 }
35117
35118+static inline void
35119+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
35120+{
35121+ if (phy_info->port_details) {
35122+ phy_info->port_details->rphy = rphy;
35123+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
35124+ ioc->name, rphy));
35125+ }
35126+
35127+ if (rphy) {
35128+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
35129+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
35130+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
35131+ ioc->name, rphy, rphy->dev.release));
35132+ }
35133+}
35134+
35135 /* no mutex */
35136 static void
35137 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
35138@@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
35139 return NULL;
35140 }
35141
35142-static inline void
35143-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
35144-{
35145- if (phy_info->port_details) {
35146- phy_info->port_details->rphy = rphy;
35147- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
35148- ioc->name, rphy));
35149- }
35150-
35151- if (rphy) {
35152- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
35153- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
35154- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
35155- ioc->name, rphy, rphy->dev.release));
35156- }
35157-}
35158-
35159 static inline struct sas_port *
35160 mptsas_get_port(struct mptsas_phyinfo *phy_info)
35161 {
35162diff -urNp linux-2.6.32.48/drivers/message/fusion/mptscsih.c linux-2.6.32.48/drivers/message/fusion/mptscsih.c
35163--- linux-2.6.32.48/drivers/message/fusion/mptscsih.c 2011-11-08 19:02:43.000000000 -0500
35164+++ linux-2.6.32.48/drivers/message/fusion/mptscsih.c 2011-11-15 19:59:43.000000000 -0500
35165@@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
35166
35167 h = shost_priv(SChost);
35168
35169- if (h) {
35170- if (h->info_kbuf == NULL)
35171- if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
35172- return h->info_kbuf;
35173- h->info_kbuf[0] = '\0';
35174+ if (!h)
35175+ return NULL;
35176
35177- mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
35178- h->info_kbuf[size-1] = '\0';
35179- }
35180+ if (h->info_kbuf == NULL)
35181+ if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
35182+ return h->info_kbuf;
35183+ h->info_kbuf[0] = '\0';
35184+
35185+ mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
35186+ h->info_kbuf[size-1] = '\0';
35187
35188 return h->info_kbuf;
35189 }
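Review bot: `h->info_kbuf[size-1] = '\0';` is carried over unchanged and indexes the 0x1000-byte buffer with a value filled in by `mpt_print_ioc_summary`; if that call can leave `size` at 0 or report more than the allocation, the store lands outside `info_kbuf`. The initial value of `size` and the callee's own bound are outside this hunk, so this needs confirming there. A guard such as `if (size > 0 && size <= 0x1000) h->info_kbuf[size-1] = '\0';` would make the function safe on its own. The unbraced nested `if` around `kmalloc` would also read more clearly as a braced block that returns `NULL` directly.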
35190diff -urNp linux-2.6.32.48/drivers/message/i2o/i2o_config.c linux-2.6.32.48/drivers/message/i2o/i2o_config.c
35191--- linux-2.6.32.48/drivers/message/i2o/i2o_config.c 2011-11-08 19:02:43.000000000 -0500
35192+++ linux-2.6.32.48/drivers/message/i2o/i2o_config.c 2011-11-15 19:59:43.000000000 -0500
35193@@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
35194 struct i2o_message *msg;
35195 unsigned int iop;
35196
35197+ pax_track_stack();
35198+
35199 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
35200 return -EFAULT;
35201
35202diff -urNp linux-2.6.32.48/drivers/message/i2o/i2o_proc.c linux-2.6.32.48/drivers/message/i2o/i2o_proc.c
35203--- linux-2.6.32.48/drivers/message/i2o/i2o_proc.c 2011-11-08 19:02:43.000000000 -0500
35204+++ linux-2.6.32.48/drivers/message/i2o/i2o_proc.c 2011-11-15 19:59:43.000000000 -0500
35205@@ -259,13 +259,6 @@ static char *scsi_devices[] = {
35206 "Array Controller Device"
35207 };
35208
35209-static char *chtostr(u8 * chars, int n)
35210-{
35211- char tmp[256];
35212- tmp[0] = 0;
35213- return strncat(tmp, (char *)chars, n);
35214-}
35215-
35216 static int i2o_report_query_status(struct seq_file *seq, int block_status,
35217 char *group)
35218 {
35219@@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
35220
35221 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
35222 seq_printf(seq, "%-#8x", ddm_table.module_id);
35223- seq_printf(seq, "%-29s",
35224- chtostr(ddm_table.module_name_version, 28));
35225+ seq_printf(seq, "%-.28s", ddm_table.module_name_version);
35226 seq_printf(seq, "%9d ", ddm_table.data_size);
35227 seq_printf(seq, "%8d", ddm_table.code_size);
35228
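Review bot: `%-.28s` is not equivalent to the old `%-29s` applied to a 28-byte copy: it keeps the 28-character limit but drops the field width, so the `-` flag has nothing to pad and the columns of this table no longer line up. `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);` keeps both the read bound and the layout. The same applies in the next hunk (`i2o_seq_show_drivers_stored`), where `%-.28s` and `%-.8s` would become `%-29.28s` and `%-9.8s`.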
35229@@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
35230
35231 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
35232 seq_printf(seq, "%-#8x", dst->module_id);
35233- seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
35234- seq_printf(seq, "%-9s", chtostr(dst->date, 8));
35235+ seq_printf(seq, "%-.28s", dst->module_name_version);
35236+ seq_printf(seq, "%-.8s", dst->date);
35237 seq_printf(seq, "%8d ", dst->module_size);
35238 seq_printf(seq, "%8d ", dst->mpb_size);
35239 seq_printf(seq, "0x%04x", dst->module_flags);
35240@@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
35241 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
35242 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
35243 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
35244- seq_printf(seq, "Vendor info : %s\n",
35245- chtostr((u8 *) (work32 + 2), 16));
35246- seq_printf(seq, "Product info : %s\n",
35247- chtostr((u8 *) (work32 + 6), 16));
35248- seq_printf(seq, "Description : %s\n",
35249- chtostr((u8 *) (work32 + 10), 16));
35250- seq_printf(seq, "Product rev. : %s\n",
35251- chtostr((u8 *) (work32 + 14), 8));
35252+ seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
35253+ seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
35254+ seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
35255+ seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
35256
35257 seq_printf(seq, "Serial number : ");
35258 print_serial_number(seq, (u8 *) (work32 + 16),
35259@@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
35260 }
35261
35262 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
35263- seq_printf(seq, "Module name : %s\n",
35264- chtostr(result.module_name, 24));
35265- seq_printf(seq, "Module revision : %s\n",
35266- chtostr(result.module_rev, 8));
35267+ seq_printf(seq, "Module name : %.24s\n", result.module_name);
35268+ seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
35269
35270 seq_printf(seq, "Serial number : ");
35271 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
35272@@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
35273 return 0;
35274 }
35275
35276- seq_printf(seq, "Device name : %s\n",
35277- chtostr(result.device_name, 64));
35278- seq_printf(seq, "Service name : %s\n",
35279- chtostr(result.service_name, 64));
35280- seq_printf(seq, "Physical name : %s\n",
35281- chtostr(result.physical_location, 64));
35282- seq_printf(seq, "Instance number : %s\n",
35283- chtostr(result.instance_number, 4));
35284+ seq_printf(seq, "Device name : %.64s\n", result.device_name);
35285+ seq_printf(seq, "Service name : %.64s\n", result.service_name);
35286+ seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
35287+ seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
35288
35289 return 0;
35290 }
35291diff -urNp linux-2.6.32.48/drivers/message/i2o/iop.c linux-2.6.32.48/drivers/message/i2o/iop.c
35292--- linux-2.6.32.48/drivers/message/i2o/iop.c 2011-11-08 19:02:43.000000000 -0500
35293+++ linux-2.6.32.48/drivers/message/i2o/iop.c 2011-11-15 19:59:43.000000000 -0500
35294@@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
35295
35296 spin_lock_irqsave(&c->context_list_lock, flags);
35297
35298- if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
35299- atomic_inc(&c->context_list_counter);
35300+ if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
35301+ atomic_inc_unchecked(&c->context_list_counter);
35302
35303- entry->context = atomic_read(&c->context_list_counter);
35304+ entry->context = atomic_read_unchecked(&c->context_list_counter);
35305
35306 list_add(&entry->list, &c->context_list);
35307
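Review bot: The switch of `context_list_counter` to the `_unchecked` accessors is explained only by the surrounding logic, which lets the counter wrap and skips zero; a comment on the added lines, e.g. `/* ID generator, not a reference count: wrap-around is expected */`, would record why overflow detection is opted out here. Once the counter has wrapped, the value stored in `entry->context` can equal that of an entry still on `c->context_list`, and nothing in the visible lines checks for that; whether the lookup side tolerates duplicates should be confirmed. i2o_cntxt_list_add starts and ends outside this hunk, and the `atomic_set_unchecked` in the i2o_iop_alloc hunk below is the matching initialisation.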
35308@@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
35309
35310 #if BITS_PER_LONG == 64
35311 spin_lock_init(&c->context_list_lock);
35312- atomic_set(&c->context_list_counter, 0);
35313+ atomic_set_unchecked(&c->context_list_counter, 0);
35314 INIT_LIST_HEAD(&c->context_list);
35315 #endif
35316
35317diff -urNp linux-2.6.32.48/drivers/mfd/ab3100-core.c linux-2.6.32.48/drivers/mfd/ab3100-core.c
35318--- linux-2.6.32.48/drivers/mfd/ab3100-core.c 2011-11-08 19:02:43.000000000 -0500
35319+++ linux-2.6.32.48/drivers/mfd/ab3100-core.c 2011-11-18 18:01:55.000000000 -0500
35320@@ -777,7 +777,7 @@ struct ab_family_id {
35321 char *name;
35322 };
35323
35324-static const struct ab_family_id ids[] __initdata = {
35325+static const struct ab_family_id ids[] __initconst = {
35326 /* AB3100 */
35327 {
35328 .id = 0xc0,
35329diff -urNp linux-2.6.32.48/drivers/mfd/wm8350-i2c.c linux-2.6.32.48/drivers/mfd/wm8350-i2c.c
35330--- linux-2.6.32.48/drivers/mfd/wm8350-i2c.c 2011-11-08 19:02:43.000000000 -0500
35331+++ linux-2.6.32.48/drivers/mfd/wm8350-i2c.c 2011-11-15 19:59:43.000000000 -0500
35332@@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
35333 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
35334 int ret;
35335
35336+ pax_track_stack();
35337+
35338 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
35339 return -EINVAL;
35340
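Review bot: The length check right after the added `pax_track_stack()` accepts `bytes` equal to the full size of `msg`, `(WM8350_MAX_REGISTER << 1) + 1`. If the rest of the function, which is outside this hunk, places the register address in `msg[0]` and copies the payload after it, that limit lets the copy run one byte past the buffer, and the bound should be `if (bytes < 0 || bytes > (WM8350_MAX_REGISTER << 1))`. The lower bound only matters if `bytes` is a signed type, which the truncated signature does not show.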
35341diff -urNp linux-2.6.32.48/drivers/misc/kgdbts.c linux-2.6.32.48/drivers/misc/kgdbts.c
35342--- linux-2.6.32.48/drivers/misc/kgdbts.c 2011-11-08 19:02:43.000000000 -0500
35343+++ linux-2.6.32.48/drivers/misc/kgdbts.c 2011-11-15 19:59:43.000000000 -0500
35344@@ -118,7 +118,7 @@
35345 } while (0)
35346 #define MAX_CONFIG_LEN 40
35347
35348-static struct kgdb_io kgdbts_io_ops;
35349+static const struct kgdb_io kgdbts_io_ops;
35350 static char get_buf[BUFMAX];
35351 static int get_buf_cnt;
35352 static char put_buf[BUFMAX];
35353@@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
35354 module_put(THIS_MODULE);
35355 }
35356
35357-static struct kgdb_io kgdbts_io_ops = {
35358+static const struct kgdb_io kgdbts_io_ops = {
35359 .name = "kgdbts",
35360 .read_char = kgdbts_get_char,
35361 .write_char = kgdbts_put_char,
35362diff -urNp linux-2.6.32.48/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.48/drivers/misc/sgi-gru/gruhandles.c
35363--- linux-2.6.32.48/drivers/misc/sgi-gru/gruhandles.c 2011-11-08 19:02:43.000000000 -0500
35364+++ linux-2.6.32.48/drivers/misc/sgi-gru/gruhandles.c 2011-11-15 19:59:43.000000000 -0500
35365@@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
35366
35367 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
35368 {
35369- atomic_long_inc(&mcs_op_statistics[op].count);
35370- atomic_long_add(clks, &mcs_op_statistics[op].total);
35371+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
35372+ atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
35373 if (mcs_op_statistics[op].max < clks)
35374 mcs_op_statistics[op].max = clks;
35375 }
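Review bot: In update_mcs_stats the two counters now use the `_unchecked` atomics, but the `max` update on the next two lines is still a plain compare-and-store that two CPUs can interleave, so a larger sample can be overwritten by a smaller one. For statistics that may be acceptable; if so, a comment such as `/* stats only: wrap-around and a racy max are tolerated */` above the added lines would document both decisions. `op` is also used as an array index with no range check in this function, so callers are relied on to pass a valid `enum mcs_op`.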
35376diff -urNp linux-2.6.32.48/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.48/drivers/misc/sgi-gru/gruprocfs.c
35377--- linux-2.6.32.48/drivers/misc/sgi-gru/gruprocfs.c 2011-11-08 19:02:43.000000000 -0500
35378+++ linux-2.6.32.48/drivers/misc/sgi-gru/gruprocfs.c 2011-11-15 19:59:43.000000000 -0500
35379@@ -32,9 +32,9 @@
35380
35381 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
35382
35383-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
35384+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
35385 {
35386- unsigned long val = atomic_long_read(v);
35387+ unsigned long val = atomic_long_read_unchecked(v);
35388
35389 if (val)
35390 seq_printf(s, "%16lu %s\n", val, id);
35391@@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
35392 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
35393
35394 for (op = 0; op < mcsop_last; op++) {
35395- count = atomic_long_read(&mcs_op_statistics[op].count);
35396- total = atomic_long_read(&mcs_op_statistics[op].total);
35397+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
35398+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
35399 max = mcs_op_statistics[op].max;
35400 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
35401 count ? total / count : 0, max);
35402diff -urNp linux-2.6.32.48/drivers/misc/sgi-gru/grutables.h linux-2.6.32.48/drivers/misc/sgi-gru/grutables.h
35403--- linux-2.6.32.48/drivers/misc/sgi-gru/grutables.h 2011-11-08 19:02:43.000000000 -0500
35404+++ linux-2.6.32.48/drivers/misc/sgi-gru/grutables.h 2011-11-15 19:59:43.000000000 -0500
35405@@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
35406 * GRU statistics.
35407 */
35408 struct gru_stats_s {
35409- atomic_long_t vdata_alloc;
35410- atomic_long_t vdata_free;
35411- atomic_long_t gts_alloc;
35412- atomic_long_t gts_free;
35413- atomic_long_t vdata_double_alloc;
35414- atomic_long_t gts_double_allocate;
35415- atomic_long_t assign_context;
35416- atomic_long_t assign_context_failed;
35417- atomic_long_t free_context;
35418- atomic_long_t load_user_context;
35419- atomic_long_t load_kernel_context;
35420- atomic_long_t lock_kernel_context;
35421- atomic_long_t unlock_kernel_context;
35422- atomic_long_t steal_user_context;
35423- atomic_long_t steal_kernel_context;
35424- atomic_long_t steal_context_failed;
35425- atomic_long_t nopfn;
35426- atomic_long_t break_cow;
35427- atomic_long_t asid_new;
35428- atomic_long_t asid_next;
35429- atomic_long_t asid_wrap;
35430- atomic_long_t asid_reuse;
35431- atomic_long_t intr;
35432- atomic_long_t intr_mm_lock_failed;
35433- atomic_long_t call_os;
35434- atomic_long_t call_os_offnode_reference;
35435- atomic_long_t call_os_check_for_bug;
35436- atomic_long_t call_os_wait_queue;
35437- atomic_long_t user_flush_tlb;
35438- atomic_long_t user_unload_context;
35439- atomic_long_t user_exception;
35440- atomic_long_t set_context_option;
35441- atomic_long_t migrate_check;
35442- atomic_long_t migrated_retarget;
35443- atomic_long_t migrated_unload;
35444- atomic_long_t migrated_unload_delay;
35445- atomic_long_t migrated_nopfn_retarget;
35446- atomic_long_t migrated_nopfn_unload;
35447- atomic_long_t tlb_dropin;
35448- atomic_long_t tlb_dropin_fail_no_asid;
35449- atomic_long_t tlb_dropin_fail_upm;
35450- atomic_long_t tlb_dropin_fail_invalid;
35451- atomic_long_t tlb_dropin_fail_range_active;
35452- atomic_long_t tlb_dropin_fail_idle;
35453- atomic_long_t tlb_dropin_fail_fmm;
35454- atomic_long_t tlb_dropin_fail_no_exception;
35455- atomic_long_t tlb_dropin_fail_no_exception_war;
35456- atomic_long_t tfh_stale_on_fault;
35457- atomic_long_t mmu_invalidate_range;
35458- atomic_long_t mmu_invalidate_page;
35459- atomic_long_t mmu_clear_flush_young;
35460- atomic_long_t flush_tlb;
35461- atomic_long_t flush_tlb_gru;
35462- atomic_long_t flush_tlb_gru_tgh;
35463- atomic_long_t flush_tlb_gru_zero_asid;
35464-
35465- atomic_long_t copy_gpa;
35466-
35467- atomic_long_t mesq_receive;
35468- atomic_long_t mesq_receive_none;
35469- atomic_long_t mesq_send;
35470- atomic_long_t mesq_send_failed;
35471- atomic_long_t mesq_noop;
35472- atomic_long_t mesq_send_unexpected_error;
35473- atomic_long_t mesq_send_lb_overflow;
35474- atomic_long_t mesq_send_qlimit_reached;
35475- atomic_long_t mesq_send_amo_nacked;
35476- atomic_long_t mesq_send_put_nacked;
35477- atomic_long_t mesq_qf_not_full;
35478- atomic_long_t mesq_qf_locked;
35479- atomic_long_t mesq_qf_noop_not_full;
35480- atomic_long_t mesq_qf_switch_head_failed;
35481- atomic_long_t mesq_qf_unexpected_error;
35482- atomic_long_t mesq_noop_unexpected_error;
35483- atomic_long_t mesq_noop_lb_overflow;
35484- atomic_long_t mesq_noop_qlimit_reached;
35485- atomic_long_t mesq_noop_amo_nacked;
35486- atomic_long_t mesq_noop_put_nacked;
35487+ atomic_long_unchecked_t vdata_alloc;
35488+ atomic_long_unchecked_t vdata_free;
35489+ atomic_long_unchecked_t gts_alloc;
35490+ atomic_long_unchecked_t gts_free;
35491+ atomic_long_unchecked_t vdata_double_alloc;
35492+ atomic_long_unchecked_t gts_double_allocate;
35493+ atomic_long_unchecked_t assign_context;
35494+ atomic_long_unchecked_t assign_context_failed;
35495+ atomic_long_unchecked_t free_context;
35496+ atomic_long_unchecked_t load_user_context;
35497+ atomic_long_unchecked_t load_kernel_context;
35498+ atomic_long_unchecked_t lock_kernel_context;
35499+ atomic_long_unchecked_t unlock_kernel_context;
35500+ atomic_long_unchecked_t steal_user_context;
35501+ atomic_long_unchecked_t steal_kernel_context;
35502+ atomic_long_unchecked_t steal_context_failed;
35503+ atomic_long_unchecked_t nopfn;
35504+ atomic_long_unchecked_t break_cow;
35505+ atomic_long_unchecked_t asid_new;
35506+ atomic_long_unchecked_t asid_next;
35507+ atomic_long_unchecked_t asid_wrap;
35508+ atomic_long_unchecked_t asid_reuse;
35509+ atomic_long_unchecked_t intr;
35510+ atomic_long_unchecked_t intr_mm_lock_failed;
35511+ atomic_long_unchecked_t call_os;
35512+ atomic_long_unchecked_t call_os_offnode_reference;
35513+ atomic_long_unchecked_t call_os_check_for_bug;
35514+ atomic_long_unchecked_t call_os_wait_queue;
35515+ atomic_long_unchecked_t user_flush_tlb;
35516+ atomic_long_unchecked_t user_unload_context;
35517+ atomic_long_unchecked_t user_exception;
35518+ atomic_long_unchecked_t set_context_option;
35519+ atomic_long_unchecked_t migrate_check;
35520+ atomic_long_unchecked_t migrated_retarget;
35521+ atomic_long_unchecked_t migrated_unload;
35522+ atomic_long_unchecked_t migrated_unload_delay;
35523+ atomic_long_unchecked_t migrated_nopfn_retarget;
35524+ atomic_long_unchecked_t migrated_nopfn_unload;
35525+ atomic_long_unchecked_t tlb_dropin;
35526+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
35527+ atomic_long_unchecked_t tlb_dropin_fail_upm;
35528+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
35529+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
35530+ atomic_long_unchecked_t tlb_dropin_fail_idle;
35531+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
35532+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
35533+ atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
35534+ atomic_long_unchecked_t tfh_stale_on_fault;
35535+ atomic_long_unchecked_t mmu_invalidate_range;
35536+ atomic_long_unchecked_t mmu_invalidate_page;
35537+ atomic_long_unchecked_t mmu_clear_flush_young;
35538+ atomic_long_unchecked_t flush_tlb;
35539+ atomic_long_unchecked_t flush_tlb_gru;
35540+ atomic_long_unchecked_t flush_tlb_gru_tgh;
35541+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
35542+
35543+ atomic_long_unchecked_t copy_gpa;
35544+
35545+ atomic_long_unchecked_t mesq_receive;
35546+ atomic_long_unchecked_t mesq_receive_none;
35547+ atomic_long_unchecked_t mesq_send;
35548+ atomic_long_unchecked_t mesq_send_failed;
35549+ atomic_long_unchecked_t mesq_noop;
35550+ atomic_long_unchecked_t mesq_send_unexpected_error;
35551+ atomic_long_unchecked_t mesq_send_lb_overflow;
35552+ atomic_long_unchecked_t mesq_send_qlimit_reached;
35553+ atomic_long_unchecked_t mesq_send_amo_nacked;
35554+ atomic_long_unchecked_t mesq_send_put_nacked;
35555+ atomic_long_unchecked_t mesq_qf_not_full;
35556+ atomic_long_unchecked_t mesq_qf_locked;
35557+ atomic_long_unchecked_t mesq_qf_noop_not_full;
35558+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
35559+ atomic_long_unchecked_t mesq_qf_unexpected_error;
35560+ atomic_long_unchecked_t mesq_noop_unexpected_error;
35561+ atomic_long_unchecked_t mesq_noop_lb_overflow;
35562+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
35563+ atomic_long_unchecked_t mesq_noop_amo_nacked;
35564+ atomic_long_unchecked_t mesq_noop_put_nacked;
35565
35566 };
35567
35568@@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
35569 cchop_deallocate, tghop_invalidate, mcsop_last};
35570
35571 struct mcs_op_statistic {
35572- atomic_long_t count;
35573- atomic_long_t total;
35574+ atomic_long_unchecked_t count;
35575+ atomic_long_unchecked_t total;
35576 unsigned long max;
35577 };
35578
35579@@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
35580
35581 #define STAT(id) do { \
35582 if (gru_options & OPT_STATS) \
35583- atomic_long_inc(&gru_stats.id); \
35584+ atomic_long_inc_unchecked(&gru_stats.id); \
35585 } while (0)
35586
35587 #ifdef CONFIG_SGI_GRU_DEBUG
35588diff -urNp linux-2.6.32.48/drivers/misc/sgi-xp/xpc.h linux-2.6.32.48/drivers/misc/sgi-xp/xpc.h
35589--- linux-2.6.32.48/drivers/misc/sgi-xp/xpc.h 2011-11-08 19:02:43.000000000 -0500
35590+++ linux-2.6.32.48/drivers/misc/sgi-xp/xpc.h 2011-11-18 18:05:51.000000000 -0500
35591@@ -835,6 +835,7 @@ struct xpc_arch_operations {
35592 void (*received_payload) (struct xpc_channel *, void *);
35593 void (*notify_senders_of_disconnect) (struct xpc_channel *);
35594 };
35595+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
35596
35597 /* struct xpc_partition act_state values (for XPC HB) */
35598
35599@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_regis
35600 /* found in xpc_main.c */
35601 extern struct device *xpc_part;
35602 extern struct device *xpc_chan;
35603-extern struct xpc_arch_operations xpc_arch_ops;
35604+extern xpc_arch_operations_no_const xpc_arch_ops;
35605 extern int xpc_disengage_timelimit;
35606 extern int xpc_disengage_timedout;
35607 extern int xpc_activate_IRQ_rcvd;
35608diff -urNp linux-2.6.32.48/drivers/misc/sgi-xp/xpc_main.c linux-2.6.32.48/drivers/misc/sgi-xp/xpc_main.c
35609--- linux-2.6.32.48/drivers/misc/sgi-xp/xpc_main.c 2011-11-08 19:02:43.000000000 -0500
35610+++ linux-2.6.32.48/drivers/misc/sgi-xp/xpc_main.c 2011-11-18 18:05:28.000000000 -0500
35611@@ -169,7 +169,7 @@ static struct notifier_block xpc_die_not
35612 .notifier_call = xpc_system_die,
35613 };
35614
35615-struct xpc_arch_operations xpc_arch_ops;
35616+xpc_arch_operations_no_const xpc_arch_ops;
35617
35618 /*
35619 * Timer function to enforce the timelimit on the partition disengage.
35620diff -urNp linux-2.6.32.48/drivers/misc/sgi-xp/xpc_sn2.c linux-2.6.32.48/drivers/misc/sgi-xp/xpc_sn2.c
35621--- linux-2.6.32.48/drivers/misc/sgi-xp/xpc_sn2.c 2011-11-08 19:02:43.000000000 -0500
35622+++ linux-2.6.32.48/drivers/misc/sgi-xp/xpc_sn2.c 2011-11-15 19:59:43.000000000 -0500
35623@@ -2350,7 +2350,7 @@ xpc_received_payload_sn2(struct xpc_chan
35624 xpc_acknowledge_msgs_sn2(ch, get, msg->flags);
35625 }
35626
35627-static struct xpc_arch_operations xpc_arch_ops_sn2 = {
35628+static const struct xpc_arch_operations xpc_arch_ops_sn2 = {
35629 .setup_partitions = xpc_setup_partitions_sn2,
35630 .teardown_partitions = xpc_teardown_partitions_sn2,
35631 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_sn2,
35632@@ -2413,7 +2413,9 @@ xpc_init_sn2(void)
35633 int ret;
35634 size_t buf_size;
35635
35636- xpc_arch_ops = xpc_arch_ops_sn2;
35637+ pax_open_kernel();
35638+ memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_sn2, sizeof(xpc_arch_ops_sn2));
35639+ pax_close_kernel();
35640
35641 if (offsetof(struct xpc_msg_sn2, payload) > XPC_MSG_HDR_MAX_SIZE) {
35642 dev_err(xpc_part, "header portion of struct xpc_msg_sn2 is "
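Review bot: The `pax_open_kernel()`/`memcpy()`/`pax_close_kernel()` sequence added in xpc_init_sn2 looks unnecessary, because xpc.h and xpc_main.c in this same patch declare `xpc_arch_ops` with the `xpc_arch_operations_no_const` typedef, which presumably leaves the object writable. If so, the original `xpc_arch_ops = xpc_arch_ops_sn2;` keeps compiler type checking, avoids the `(void *)` cast, and does not open a window in which kernel write protection is lifted. If the memcpy is kept, sizing it by the destination, `sizeof(xpc_arch_ops)`, is the safer habit. The identical sequence in the xpc_init_uv hunk of xpc_uv.c has the same issue; both functions continue outside their hunks.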
35643diff -urNp linux-2.6.32.48/drivers/misc/sgi-xp/xpc_uv.c linux-2.6.32.48/drivers/misc/sgi-xp/xpc_uv.c
35644--- linux-2.6.32.48/drivers/misc/sgi-xp/xpc_uv.c 2011-11-08 19:02:43.000000000 -0500
35645+++ linux-2.6.32.48/drivers/misc/sgi-xp/xpc_uv.c 2011-11-15 19:59:43.000000000 -0500
35646@@ -1669,7 +1669,7 @@ xpc_received_payload_uv(struct xpc_chann
35647 XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);
35648 }
35649
35650-static struct xpc_arch_operations xpc_arch_ops_uv = {
35651+static const struct xpc_arch_operations xpc_arch_ops_uv = {
35652 .setup_partitions = xpc_setup_partitions_uv,
35653 .teardown_partitions = xpc_teardown_partitions_uv,
35654 .process_activate_IRQ_rcvd = xpc_process_activate_IRQ_rcvd_uv,
35655@@ -1729,7 +1729,9 @@ static struct xpc_arch_operations xpc_ar
35656 int
35657 xpc_init_uv(void)
35658 {
35659- xpc_arch_ops = xpc_arch_ops_uv;
35660+ pax_open_kernel();
35661+ memcpy((void *)&xpc_arch_ops, &xpc_arch_ops_uv, sizeof(xpc_arch_ops_uv));
35662+ pax_close_kernel();
35663
35664 if (sizeof(struct xpc_notify_mq_msghdr_uv) > XPC_MSG_HDR_MAX_SIZE) {
35665 dev_err(xpc_part, "xpc_notify_mq_msghdr_uv is larger than %d\n",
35666diff -urNp linux-2.6.32.48/drivers/misc/sgi-xp/xp.h linux-2.6.32.48/drivers/misc/sgi-xp/xp.h
35667--- linux-2.6.32.48/drivers/misc/sgi-xp/xp.h 2011-11-08 19:02:43.000000000 -0500
35668+++ linux-2.6.32.48/drivers/misc/sgi-xp/xp.h 2011-11-15 19:59:43.000000000 -0500
35669@@ -289,7 +289,7 @@ struct xpc_interface {
35670 xpc_notify_func, void *);
35671 void (*received) (short, int, void *);
35672 enum xp_retval (*partid_to_nasids) (short, void *);
35673-};
35674+} __no_const;
35675
35676 extern struct xpc_interface xpc_interface;
35677
35678diff -urNp linux-2.6.32.48/drivers/mmc/host/sdhci-pci.c linux-2.6.32.48/drivers/mmc/host/sdhci-pci.c
35679--- linux-2.6.32.48/drivers/mmc/host/sdhci-pci.c 2011-11-08 19:02:43.000000000 -0500
35680+++ linux-2.6.32.48/drivers/mmc/host/sdhci-pci.c 2011-11-18 18:01:55.000000000 -0500
35681@@ -297,7 +297,7 @@ static const struct sdhci_pci_fixes sdhc
35682 .probe = via_probe,
35683 };
35684
35685-static const struct pci_device_id pci_ids[] __devinitdata = {
35686+static const struct pci_device_id pci_ids[] __devinitconst = {
35687 {
35688 .vendor = PCI_VENDOR_ID_RICOH,
35689 .device = PCI_DEVICE_ID_RICOH_R5C822,
35690diff -urNp linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0001.c
35691--- linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-08 19:02:43.000000000 -0500
35692+++ linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0001.c 2011-11-15 19:59:43.000000000 -0500
35693@@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
35694 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
35695 unsigned long timeo = jiffies + HZ;
35696
35697+ pax_track_stack();
35698+
35699 /* Prevent setting state FL_SYNCING for chip in suspended state. */
35700 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
35701 goto sleep;
35702@@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
35703 unsigned long initial_adr;
35704 int initial_len = len;
35705
35706+ pax_track_stack();
35707+
35708 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
35709 adr += chip->start;
35710 initial_adr = adr;
35711@@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
35712 int retries = 3;
35713 int ret;
35714
35715+ pax_track_stack();
35716+
35717 adr += chip->start;
35718
35719 retry:
35720diff -urNp linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0020.c
35721--- linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-08 19:02:43.000000000 -0500
35722+++ linux-2.6.32.48/drivers/mtd/chips/cfi_cmdset_0020.c 2011-11-15 19:59:43.000000000 -0500
35723@@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
35724 unsigned long cmd_addr;
35725 struct cfi_private *cfi = map->fldrv_priv;
35726
35727+ pax_track_stack();
35728+
35729 adr += chip->start;
35730
35731 /* Ensure cmd read/writes are aligned. */
35732@@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
35733 DECLARE_WAITQUEUE(wait, current);
35734 int wbufsize, z;
35735
35736+ pax_track_stack();
35737+
35738 /* M58LW064A requires bus alignment for buffer wriets -- saw */
35739 if (adr & (map_bankwidth(map)-1))
35740 return -EINVAL;
35741@@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
35742 DECLARE_WAITQUEUE(wait, current);
35743 int ret = 0;
35744
35745+ pax_track_stack();
35746+
35747 adr += chip->start;
35748
35749 /* Let's determine this according to the interleave only once */
35750@@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
35751 unsigned long timeo = jiffies + HZ;
35752 DECLARE_WAITQUEUE(wait, current);
35753
35754+ pax_track_stack();
35755+
35756 adr += chip->start;
35757
35758 /* Let's determine this according to the interleave only once */
35759@@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
35760 unsigned long timeo = jiffies + HZ;
35761 DECLARE_WAITQUEUE(wait, current);
35762
35763+ pax_track_stack();
35764+
35765 adr += chip->start;
35766
35767 /* Let's determine this according to the interleave only once */
35768diff -urNp linux-2.6.32.48/drivers/mtd/devices/doc2000.c linux-2.6.32.48/drivers/mtd/devices/doc2000.c
35769--- linux-2.6.32.48/drivers/mtd/devices/doc2000.c 2011-11-08 19:02:43.000000000 -0500
35770+++ linux-2.6.32.48/drivers/mtd/devices/doc2000.c 2011-11-15 19:59:43.000000000 -0500
35771@@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
35772
35773 /* The ECC will not be calculated correctly if less than 512 is written */
35774 /* DBB-
35775- if (len != 0x200 && eccbuf)
35776+ if (len != 0x200)
35777 printk(KERN_WARNING
35778 "ECC needs a full sector write (adr: %lx size %lx)\n",
35779 (long) to, (long) len);
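Review bot: The changed condition sits below the `/* DBB-` line, which opens a comment that is not closed anywhere in this hunk, so the edit appears to modify commented-out code and to have no effect on the built driver. If the warning is meant to stay disabled, deleting the dead block is cleaner than patching it; if it is meant to be live, the comment markers need to go as well. The closing marker and the rest of doc_write are outside the hunk, so this should be confirmed against the full file.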
35780diff -urNp linux-2.6.32.48/drivers/mtd/devices/doc2001.c linux-2.6.32.48/drivers/mtd/devices/doc2001.c
35781--- linux-2.6.32.48/drivers/mtd/devices/doc2001.c 2011-11-08 19:02:43.000000000 -0500
35782+++ linux-2.6.32.48/drivers/mtd/devices/doc2001.c 2011-11-15 19:59:43.000000000 -0500
35783@@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
35784 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
35785
35786 /* Don't allow read past end of device */
35787- if (from >= this->totlen)
35788+ if (from >= this->totlen || !len)
35789 return -EINVAL;
35790
35791 /* Don't allow a single read to cross a 512-byte block boundary */
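Review bot: The extended check rejects `from >= this->totlen` and a zero `len`, but the context line above it has already computed `mychip = &this->chips[from >> (this->chipshift)]` from the unvalidated offset. Forming that pointer with an out-of-range index is undefined even if it is never dereferenced; declaring `struct Nand *mychip;` and assigning it after the check removes the ordering problem. Returning `-EINVAL` for a zero-length read is also a visible behaviour change for callers that treat such a read as a successful no-op, which deserves a short comment on the added condition. doc_read continues outside this hunk.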
35792diff -urNp linux-2.6.32.48/drivers/mtd/ftl.c linux-2.6.32.48/drivers/mtd/ftl.c
35793--- linux-2.6.32.48/drivers/mtd/ftl.c 2011-11-08 19:02:43.000000000 -0500
35794+++ linux-2.6.32.48/drivers/mtd/ftl.c 2011-11-15 19:59:43.000000000 -0500
35795@@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
35796 loff_t offset;
35797 uint16_t srcunitswap = cpu_to_le16(srcunit);
35798
35799+ pax_track_stack();
35800+
35801 eun = &part->EUNInfo[srcunit];
35802 xfer = &part->XferInfo[xferunit];
35803 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
35804diff -urNp linux-2.6.32.48/drivers/mtd/inftlcore.c linux-2.6.32.48/drivers/mtd/inftlcore.c
35805--- linux-2.6.32.48/drivers/mtd/inftlcore.c 2011-11-08 19:02:43.000000000 -0500
35806+++ linux-2.6.32.48/drivers/mtd/inftlcore.c 2011-11-15 19:59:43.000000000 -0500
35807@@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
35808 struct inftl_oob oob;
35809 size_t retlen;
35810
35811+ pax_track_stack();
35812+
35813 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
35814 "pending=%d)\n", inftl, thisVUC, pendingblock);
35815
35816diff -urNp linux-2.6.32.48/drivers/mtd/inftlmount.c linux-2.6.32.48/drivers/mtd/inftlmount.c
35817--- linux-2.6.32.48/drivers/mtd/inftlmount.c 2011-11-08 19:02:43.000000000 -0500
35818+++ linux-2.6.32.48/drivers/mtd/inftlmount.c 2011-11-15 19:59:43.000000000 -0500
35819@@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
35820 struct INFTLPartition *ip;
35821 size_t retlen;
35822
35823+ pax_track_stack();
35824+
35825 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
35826
35827 /*
35828diff -urNp linux-2.6.32.48/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.48/drivers/mtd/lpddr/qinfo_probe.c
35829--- linux-2.6.32.48/drivers/mtd/lpddr/qinfo_probe.c 2011-11-08 19:02:43.000000000 -0500
35830+++ linux-2.6.32.48/drivers/mtd/lpddr/qinfo_probe.c 2011-11-15 19:59:43.000000000 -0500
35831@@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
35832 {
35833 map_word pfow_val[4];
35834
35835+ pax_track_stack();
35836+
35837 /* Check identification string */
35838 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
35839 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
35840diff -urNp linux-2.6.32.48/drivers/mtd/mtdchar.c linux-2.6.32.48/drivers/mtd/mtdchar.c
35841--- linux-2.6.32.48/drivers/mtd/mtdchar.c 2011-11-08 19:02:43.000000000 -0500
35842+++ linux-2.6.32.48/drivers/mtd/mtdchar.c 2011-11-15 19:59:43.000000000 -0500
35843@@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
35844 u_long size;
35845 struct mtd_info_user info;
35846
35847+ pax_track_stack();
35848+
35849 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
35850
35851 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
35852diff -urNp linux-2.6.32.48/drivers/mtd/nftlcore.c linux-2.6.32.48/drivers/mtd/nftlcore.c
35853--- linux-2.6.32.48/drivers/mtd/nftlcore.c 2011-11-08 19:02:43.000000000 -0500
35854+++ linux-2.6.32.48/drivers/mtd/nftlcore.c 2011-11-15 19:59:43.000000000 -0500
35855@@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
35856 int inplace = 1;
35857 size_t retlen;
35858
35859+ pax_track_stack();
35860+
35861 memset(BlockMap, 0xff, sizeof(BlockMap));
35862 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
35863
35864diff -urNp linux-2.6.32.48/drivers/mtd/nftlmount.c linux-2.6.32.48/drivers/mtd/nftlmount.c
35865--- linux-2.6.32.48/drivers/mtd/nftlmount.c 2011-11-08 19:02:43.000000000 -0500
35866+++ linux-2.6.32.48/drivers/mtd/nftlmount.c 2011-11-15 19:59:43.000000000 -0500
35867@@ -23,6 +23,7 @@
35868 #include <asm/errno.h>
35869 #include <linux/delay.h>
35870 #include <linux/slab.h>
35871+#include <linux/sched.h>
35872 #include <linux/mtd/mtd.h>
35873 #include <linux/mtd/nand.h>
35874 #include <linux/mtd/nftl.h>
35875@@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
35876 struct mtd_info *mtd = nftl->mbd.mtd;
35877 unsigned int i;
35878
35879+ pax_track_stack();
35880+
35881 /* Assume logical EraseSize == physical erasesize for starting the scan.
35882 We'll sort it out later if we find a MediaHeader which says otherwise */
35883 /* Actually, we won't. The new DiskOnChip driver has already scanned
35884diff -urNp linux-2.6.32.48/drivers/mtd/ubi/build.c linux-2.6.32.48/drivers/mtd/ubi/build.c
35885--- linux-2.6.32.48/drivers/mtd/ubi/build.c 2011-11-08 19:02:43.000000000 -0500
35886+++ linux-2.6.32.48/drivers/mtd/ubi/build.c 2011-11-15 19:59:43.000000000 -0500
35887@@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
35888 static int __init bytes_str_to_int(const char *str)
35889 {
35890 char *endp;
35891- unsigned long result;
35892+ unsigned long result, scale = 1;
35893
35894 result = simple_strtoul(str, &endp, 0);
35895 if (str == endp || result >= INT_MAX) {
35896@@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
35897
35898 switch (*endp) {
35899 case 'G':
35900- result *= 1024;
35901+ scale *= 1024;
35902 case 'M':
35903- result *= 1024;
35904+ scale *= 1024;
35905 case 'K':
35906- result *= 1024;
35907+ scale *= 1024;
35908 if (endp[1] == 'i' && endp[2] == 'B')
35909 endp += 2;
35910 case '\0':
35911@@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
35912 return -EINVAL;
35913 }
35914
35915- return result;
35916+ if ((intoverflow_t)result*scale >= INT_MAX) {
35917+ printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
35918+ str);
35919+ return -EINVAL;
35920+ }
35921+
35922+ return result*scale;
35923 }
35924
35925 /**
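Review bot: The new range test `(intoverflow_t)result*scale >= INT_MAX` depends on the cast binding to `result` before the multiplication and on `intoverflow_t` being wider than `unsigned long`, neither of which is explained where it is used. A comment such as `/* widen first so the product cannot wrap before the range check */` on that line would protect it from a well-meant cleanup that parenthesises the product. The final `return result*scale;` multiplies again in `unsigned long` and is safe only because of the check directly above, so the two should stay adjacent. `intoverflow_t` is defined outside this hunk, and the switch that sets `scale` is in the preceding hunk.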
35926diff -urNp linux-2.6.32.48/drivers/net/atlx/atl2.c linux-2.6.32.48/drivers/net/atlx/atl2.c
35927--- linux-2.6.32.48/drivers/net/atlx/atl2.c 2011-11-08 19:02:43.000000000 -0500
35928+++ linux-2.6.32.48/drivers/net/atlx/atl2.c 2011-11-18 18:01:55.000000000 -0500
35929@@ -2845,7 +2845,7 @@ static void atl2_force_ps(struct atl2_hw
35930 */
35931
35932 #define ATL2_PARAM(X, desc) \
35933- static const int __devinitdata X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
35934+ static const int __devinitconst X[ATL2_MAX_NIC + 1] = ATL2_PARAM_INIT; \
35935 MODULE_PARM(X, "1-" __MODULE_STRING(ATL2_MAX_NIC) "i"); \
35936 MODULE_PARM_DESC(X, desc);
35937 #else
35938diff -urNp linux-2.6.32.48/drivers/net/bnx2.c linux-2.6.32.48/drivers/net/bnx2.c
35939--- linux-2.6.32.48/drivers/net/bnx2.c 2011-11-08 19:02:43.000000000 -0500
35940+++ linux-2.6.32.48/drivers/net/bnx2.c 2011-11-15 19:59:43.000000000 -0500
35941@@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
35942 int rc = 0;
35943 u32 magic, csum;
35944
35945+ pax_track_stack();
35946+
35947 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
35948 goto test_nvram_done;
35949
35950diff -urNp linux-2.6.32.48/drivers/net/cxgb3/l2t.h linux-2.6.32.48/drivers/net/cxgb3/l2t.h
35951--- linux-2.6.32.48/drivers/net/cxgb3/l2t.h 2011-11-08 19:02:43.000000000 -0500
35952+++ linux-2.6.32.48/drivers/net/cxgb3/l2t.h 2011-11-15 19:59:43.000000000 -0500
35953@@ -86,7 +86,7 @@ typedef void (*arp_failure_handler_func)
35954 */
35955 struct l2t_skb_cb {
35956 arp_failure_handler_func arp_failure_handler;
35957-};
35958+} __no_const;
35959
35960 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
35961
35962diff -urNp linux-2.6.32.48/drivers/net/cxgb3/t3_hw.c linux-2.6.32.48/drivers/net/cxgb3/t3_hw.c
35963--- linux-2.6.32.48/drivers/net/cxgb3/t3_hw.c 2011-11-08 19:02:43.000000000 -0500
35964+++ linux-2.6.32.48/drivers/net/cxgb3/t3_hw.c 2011-11-15 19:59:43.000000000 -0500
35965@@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
35966 int i, addr, ret;
35967 struct t3_vpd vpd;
35968
35969+ pax_track_stack();
35970+
35971 /*
35972 * Card information is normally at VPD_BASE but some early cards had
35973 * it at 0.
35974diff -urNp linux-2.6.32.48/drivers/net/e1000e/82571.c linux-2.6.32.48/drivers/net/e1000e/82571.c
35975--- linux-2.6.32.48/drivers/net/e1000e/82571.c 2011-11-08 19:02:43.000000000 -0500
35976+++ linux-2.6.32.48/drivers/net/e1000e/82571.c 2011-11-15 19:59:43.000000000 -0500
35977@@ -212,7 +212,7 @@ static s32 e1000_init_mac_params_82571(s
35978 {
35979 struct e1000_hw *hw = &adapter->hw;
35980 struct e1000_mac_info *mac = &hw->mac;
35981- struct e1000_mac_operations *func = &mac->ops;
35982+ e1000_mac_operations_no_const *func = &mac->ops;
35983 u32 swsm = 0;
35984 u32 swsm2 = 0;
35985 bool force_clear_smbi = false;
35986@@ -1656,7 +1656,7 @@ static void e1000_clear_hw_cntrs_82571(s
35987 temp = er32(ICRXDMTC);
35988 }
35989
35990-static struct e1000_mac_operations e82571_mac_ops = {
35991+static const struct e1000_mac_operations e82571_mac_ops = {
35992 /* .check_mng_mode: mac type dependent */
35993 /* .check_for_link: media type dependent */
35994 .id_led_init = e1000e_id_led_init,
35995@@ -1674,7 +1674,7 @@ static struct e1000_mac_operations e8257
35996 .setup_led = e1000e_setup_led_generic,
35997 };
35998
35999-static struct e1000_phy_operations e82_phy_ops_igp = {
36000+static const struct e1000_phy_operations e82_phy_ops_igp = {
36001 .acquire_phy = e1000_get_hw_semaphore_82571,
36002 .check_reset_block = e1000e_check_reset_block_generic,
36003 .commit_phy = NULL,
36004@@ -1691,7 +1691,7 @@ static struct e1000_phy_operations e82_p
36005 .cfg_on_link_up = NULL,
36006 };
36007
36008-static struct e1000_phy_operations e82_phy_ops_m88 = {
36009+static const struct e1000_phy_operations e82_phy_ops_m88 = {
36010 .acquire_phy = e1000_get_hw_semaphore_82571,
36011 .check_reset_block = e1000e_check_reset_block_generic,
36012 .commit_phy = e1000e_phy_sw_reset,
36013@@ -1708,7 +1708,7 @@ static struct e1000_phy_operations e82_p
36014 .cfg_on_link_up = NULL,
36015 };
36016
36017-static struct e1000_phy_operations e82_phy_ops_bm = {
36018+static const struct e1000_phy_operations e82_phy_ops_bm = {
36019 .acquire_phy = e1000_get_hw_semaphore_82571,
36020 .check_reset_block = e1000e_check_reset_block_generic,
36021 .commit_phy = e1000e_phy_sw_reset,
36022@@ -1725,7 +1725,7 @@ static struct e1000_phy_operations e82_p
36023 .cfg_on_link_up = NULL,
36024 };
36025
36026-static struct e1000_nvm_operations e82571_nvm_ops = {
36027+static const struct e1000_nvm_operations e82571_nvm_ops = {
36028 .acquire_nvm = e1000_acquire_nvm_82571,
36029 .read_nvm = e1000e_read_nvm_eerd,
36030 .release_nvm = e1000_release_nvm_82571,
36031diff -urNp linux-2.6.32.48/drivers/net/e1000e/e1000.h linux-2.6.32.48/drivers/net/e1000e/e1000.h
36032--- linux-2.6.32.48/drivers/net/e1000e/e1000.h 2011-11-08 19:02:43.000000000 -0500
36033+++ linux-2.6.32.48/drivers/net/e1000e/e1000.h 2011-11-15 19:59:43.000000000 -0500
36034@@ -375,9 +375,9 @@ struct e1000_info {
36035 u32 pba;
36036 u32 max_hw_frame_size;
36037 s32 (*get_variants)(struct e1000_adapter *);
36038- struct e1000_mac_operations *mac_ops;
36039- struct e1000_phy_operations *phy_ops;
36040- struct e1000_nvm_operations *nvm_ops;
36041+ const struct e1000_mac_operations *mac_ops;
36042+ const struct e1000_phy_operations *phy_ops;
36043+ const struct e1000_nvm_operations *nvm_ops;
36044 };
36045
36046 /* hardware capability, feature, and workaround flags */
36047diff -urNp linux-2.6.32.48/drivers/net/e1000e/es2lan.c linux-2.6.32.48/drivers/net/e1000e/es2lan.c
36048--- linux-2.6.32.48/drivers/net/e1000e/es2lan.c 2011-11-08 19:02:43.000000000 -0500
36049+++ linux-2.6.32.48/drivers/net/e1000e/es2lan.c 2011-11-15 19:59:43.000000000 -0500
36050@@ -207,7 +207,7 @@ static s32 e1000_init_mac_params_80003es
36051 {
36052 struct e1000_hw *hw = &adapter->hw;
36053 struct e1000_mac_info *mac = &hw->mac;
36054- struct e1000_mac_operations *func = &mac->ops;
36055+ e1000_mac_operations_no_const *func = &mac->ops;
36056
36057 /* Set media type */
36058 switch (adapter->pdev->device) {
36059@@ -1365,7 +1365,7 @@ static void e1000_clear_hw_cntrs_80003es
36060 temp = er32(ICRXDMTC);
36061 }
36062
36063-static struct e1000_mac_operations es2_mac_ops = {
36064+static const struct e1000_mac_operations es2_mac_ops = {
36065 .id_led_init = e1000e_id_led_init,
36066 .check_mng_mode = e1000e_check_mng_mode_generic,
36067 /* check_for_link dependent on media type */
36068@@ -1383,7 +1383,7 @@ static struct e1000_mac_operations es2_m
36069 .setup_led = e1000e_setup_led_generic,
36070 };
36071
36072-static struct e1000_phy_operations es2_phy_ops = {
36073+static const struct e1000_phy_operations es2_phy_ops = {
36074 .acquire_phy = e1000_acquire_phy_80003es2lan,
36075 .check_reset_block = e1000e_check_reset_block_generic,
36076 .commit_phy = e1000e_phy_sw_reset,
36077@@ -1400,7 +1400,7 @@ static struct e1000_phy_operations es2_p
36078 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
36079 };
36080
36081-static struct e1000_nvm_operations es2_nvm_ops = {
36082+static const struct e1000_nvm_operations es2_nvm_ops = {
36083 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
36084 .read_nvm = e1000e_read_nvm_eerd,
36085 .release_nvm = e1000_release_nvm_80003es2lan,
36086diff -urNp linux-2.6.32.48/drivers/net/e1000e/hw.h linux-2.6.32.48/drivers/net/e1000e/hw.h
36087--- linux-2.6.32.48/drivers/net/e1000e/hw.h 2011-11-08 19:02:43.000000000 -0500
36088+++ linux-2.6.32.48/drivers/net/e1000e/hw.h 2011-11-15 19:59:43.000000000 -0500
36089@@ -753,6 +753,7 @@ struct e1000_mac_operations {
36090 s32 (*setup_physical_interface)(struct e1000_hw *);
36091 s32 (*setup_led)(struct e1000_hw *);
36092 };
36093+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36094
36095 /* Function pointers for the PHY. */
36096 struct e1000_phy_operations {
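Review bot: The new typedef `e1000_mac_operations_no_const` carries no comment saying why this one use of the ops struct has to stay writable; the same applies to the phy/nvm typedefs in the following hunks and to the igb, igbvf and ixgbe typedefs later in the patch. From the e1000e hunks, the writable instance is the per-adapter copy embedded in `struct e1000_mac_info`, which `e1000_init_mac_params_*()` reaches through `func = &mac->ops`. A line such as `/* writable per-adapter copy, filled in at probe time; the static templates are const */` above the typedef would record that. It would also make clear that only the static templates become read-only, while the embedded copies remain writable function-pointer tables. `__no_const` itself is defined outside this hunk.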
36097@@ -774,6 +775,7 @@ struct e1000_phy_operations {
36098 s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
36099 s32 (*cfg_on_link_up)(struct e1000_hw *);
36100 };
36101+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
36102
36103 /* Function pointers for the NVM. */
36104 struct e1000_nvm_operations {
36105@@ -785,9 +787,10 @@ struct e1000_nvm_operations {
36106 s32 (*validate_nvm)(struct e1000_hw *);
36107 s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
36108 };
36109+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
36110
36111 struct e1000_mac_info {
36112- struct e1000_mac_operations ops;
36113+ e1000_mac_operations_no_const ops;
36114
36115 u8 addr[6];
36116 u8 perm_addr[6];
36117@@ -823,7 +826,7 @@ struct e1000_mac_info {
36118 };
36119
36120 struct e1000_phy_info {
36121- struct e1000_phy_operations ops;
36122+ e1000_phy_operations_no_const ops;
36123
36124 enum e1000_phy_type type;
36125
36126@@ -857,7 +860,7 @@ struct e1000_phy_info {
36127 };
36128
36129 struct e1000_nvm_info {
36130- struct e1000_nvm_operations ops;
36131+ e1000_nvm_operations_no_const ops;
36132
36133 enum e1000_nvm_type type;
36134 enum e1000_nvm_override override;
36135diff -urNp linux-2.6.32.48/drivers/net/e1000e/ich8lan.c linux-2.6.32.48/drivers/net/e1000e/ich8lan.c
36136--- linux-2.6.32.48/drivers/net/e1000e/ich8lan.c 2011-11-08 19:02:43.000000000 -0500
36137+++ linux-2.6.32.48/drivers/net/e1000e/ich8lan.c 2011-11-15 19:59:43.000000000 -0500
36138@@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
36139 }
36140 }
36141
36142-static struct e1000_mac_operations ich8_mac_ops = {
36143+static const struct e1000_mac_operations ich8_mac_ops = {
36144 .id_led_init = e1000e_id_led_init,
36145 .check_mng_mode = e1000_check_mng_mode_ich8lan,
36146 .check_for_link = e1000_check_for_copper_link_ich8lan,
36147@@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
36148 /* id_led_init dependent on mac type */
36149 };
36150
36151-static struct e1000_phy_operations ich8_phy_ops = {
36152+static const struct e1000_phy_operations ich8_phy_ops = {
36153 .acquire_phy = e1000_acquire_swflag_ich8lan,
36154 .check_reset_block = e1000_check_reset_block_ich8lan,
36155 .commit_phy = NULL,
36156@@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
36157 .write_phy_reg = e1000e_write_phy_reg_igp,
36158 };
36159
36160-static struct e1000_nvm_operations ich8_nvm_ops = {
36161+static const struct e1000_nvm_operations ich8_nvm_ops = {
36162 .acquire_nvm = e1000_acquire_nvm_ich8lan,
36163 .read_nvm = e1000_read_nvm_ich8lan,
36164 .release_nvm = e1000_release_nvm_ich8lan,
36165diff -urNp linux-2.6.32.48/drivers/net/fealnx.c linux-2.6.32.48/drivers/net/fealnx.c
36166--- linux-2.6.32.48/drivers/net/fealnx.c 2011-11-08 19:02:43.000000000 -0500
36167+++ linux-2.6.32.48/drivers/net/fealnx.c 2011-11-18 18:01:55.000000000 -0500
36168@@ -151,7 +151,7 @@ struct chip_info {
36169 int flags;
36170 };
36171
36172-static const struct chip_info skel_netdrv_tbl[] __devinitdata = {
36173+static const struct chip_info skel_netdrv_tbl[] __devinitconst = {
36174 { "100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
36175 { "100/10M Ethernet PCI Adapter", HAS_CHIP_XCVR },
36176 { "1000/100/10M Ethernet PCI Adapter", HAS_MII_XCVR },
36177diff -urNp linux-2.6.32.48/drivers/net/hamradio/6pack.c linux-2.6.32.48/drivers/net/hamradio/6pack.c
36178--- linux-2.6.32.48/drivers/net/hamradio/6pack.c 2011-11-08 19:02:43.000000000 -0500
36179+++ linux-2.6.32.48/drivers/net/hamradio/6pack.c 2011-11-15 19:59:43.000000000 -0500
36180@@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
36181 unsigned char buf[512];
36182 int count1;
36183
36184+ pax_track_stack();
36185+
36186 if (!count)
36187 return;
36188
36189diff -urNp linux-2.6.32.48/drivers/net/ibmveth.c linux-2.6.32.48/drivers/net/ibmveth.c
36190--- linux-2.6.32.48/drivers/net/ibmveth.c 2011-11-08 19:02:43.000000000 -0500
36191+++ linux-2.6.32.48/drivers/net/ibmveth.c 2011-11-15 19:59:43.000000000 -0500
36192@@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
36193 NULL,
36194 };
36195
36196-static struct sysfs_ops veth_pool_ops = {
36197+static const struct sysfs_ops veth_pool_ops = {
36198 .show = veth_pool_show,
36199 .store = veth_pool_store,
36200 };
36201diff -urNp linux-2.6.32.48/drivers/net/igb/e1000_82575.c linux-2.6.32.48/drivers/net/igb/e1000_82575.c
36202--- linux-2.6.32.48/drivers/net/igb/e1000_82575.c 2011-11-08 19:02:43.000000000 -0500
36203+++ linux-2.6.32.48/drivers/net/igb/e1000_82575.c 2011-11-15 19:59:43.000000000 -0500
36204@@ -1411,7 +1411,7 @@ void igb_vmdq_set_replication_pf(struct
36205 wr32(E1000_VT_CTL, vt_ctl);
36206 }
36207
36208-static struct e1000_mac_operations e1000_mac_ops_82575 = {
36209+static const struct e1000_mac_operations e1000_mac_ops_82575 = {
36210 .reset_hw = igb_reset_hw_82575,
36211 .init_hw = igb_init_hw_82575,
36212 .check_for_link = igb_check_for_link_82575,
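Review bot: Making `e1000_mac_ops_82575` `const` here (and `e1000_phy_ops_82575` / `e1000_nvm_ops_82575` in the next hunk) requires the pointers that reference these tables to be const-qualified as well. The e1000e part of the patch does that in its `struct e1000_info`, but no matching change to igb's `struct e1000_info` appears in the visible e1000_hw.h hunks. If its members are still declared as `struct e1000_mac_operations *mac_ops;`, initialising them from the const tables discards the qualifier, and they should presumably become `const struct e1000_mac_operations *mac_ops;` and likewise for phy and nvm. Those members are not shown in any hunk, so this needs checking against the full header.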
36213@@ -1420,13 +1420,13 @@ static struct e1000_mac_operations e1000
36214 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
36215 };
36216
36217-static struct e1000_phy_operations e1000_phy_ops_82575 = {
36218+static const struct e1000_phy_operations e1000_phy_ops_82575 = {
36219 .acquire = igb_acquire_phy_82575,
36220 .get_cfg_done = igb_get_cfg_done_82575,
36221 .release = igb_release_phy_82575,
36222 };
36223
36224-static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
36225+static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
36226 .acquire = igb_acquire_nvm_82575,
36227 .read = igb_read_nvm_eerd,
36228 .release = igb_release_nvm_82575,
36229diff -urNp linux-2.6.32.48/drivers/net/igb/e1000_hw.h linux-2.6.32.48/drivers/net/igb/e1000_hw.h
36230--- linux-2.6.32.48/drivers/net/igb/e1000_hw.h 2011-11-08 19:02:43.000000000 -0500
36231+++ linux-2.6.32.48/drivers/net/igb/e1000_hw.h 2011-11-15 19:59:43.000000000 -0500
36232@@ -288,6 +288,7 @@ struct e1000_mac_operations {
36233 s32 (*read_mac_addr)(struct e1000_hw *);
36234 s32 (*get_speed_and_duplex)(struct e1000_hw *, u16 *, u16 *);
36235 };
36236+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36237
36238 struct e1000_phy_operations {
36239 s32 (*acquire)(struct e1000_hw *);
36240@@ -303,6 +304,7 @@ struct e1000_phy_operations {
36241 s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
36242 s32 (*write_reg)(struct e1000_hw *, u32, u16);
36243 };
36244+typedef struct e1000_phy_operations __no_const e1000_phy_operations_no_const;
36245
36246 struct e1000_nvm_operations {
36247 s32 (*acquire)(struct e1000_hw *);
36248@@ -310,6 +312,7 @@ struct e1000_nvm_operations {
36249 void (*release)(struct e1000_hw *);
36250 s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
36251 };
36252+typedef struct e1000_nvm_operations __no_const e1000_nvm_operations_no_const;
36253
36254 struct e1000_info {
36255 s32 (*get_invariants)(struct e1000_hw *);
36256@@ -321,7 +324,7 @@ struct e1000_info {
36257 extern const struct e1000_info e1000_82575_info;
36258
36259 struct e1000_mac_info {
36260- struct e1000_mac_operations ops;
36261+ e1000_mac_operations_no_const ops;
36262
36263 u8 addr[6];
36264 u8 perm_addr[6];
36265@@ -365,7 +368,7 @@ struct e1000_mac_info {
36266 };
36267
36268 struct e1000_phy_info {
36269- struct e1000_phy_operations ops;
36270+ e1000_phy_operations_no_const ops;
36271
36272 enum e1000_phy_type type;
36273
36274@@ -400,7 +403,7 @@ struct e1000_phy_info {
36275 };
36276
36277 struct e1000_nvm_info {
36278- struct e1000_nvm_operations ops;
36279+ e1000_nvm_operations_no_const ops;
36280
36281 enum e1000_nvm_type type;
36282 enum e1000_nvm_override override;
36283@@ -446,6 +449,7 @@ struct e1000_mbx_operations {
36284 s32 (*check_for_ack)(struct e1000_hw *, u16);
36285 s32 (*check_for_rst)(struct e1000_hw *, u16);
36286 };
36287+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
36288
36289 struct e1000_mbx_stats {
36290 u32 msgs_tx;
36291@@ -457,7 +461,7 @@ struct e1000_mbx_stats {
36292 };
36293
36294 struct e1000_mbx_info {
36295- struct e1000_mbx_operations ops;
36296+ e1000_mbx_operations_no_const ops;
36297 struct e1000_mbx_stats stats;
36298 u32 timeout;
36299 u32 usec_delay;
36300diff -urNp linux-2.6.32.48/drivers/net/igbvf/vf.h linux-2.6.32.48/drivers/net/igbvf/vf.h
36301--- linux-2.6.32.48/drivers/net/igbvf/vf.h 2011-11-08 19:02:43.000000000 -0500
36302+++ linux-2.6.32.48/drivers/net/igbvf/vf.h 2011-11-15 19:59:43.000000000 -0500
36303@@ -187,9 +187,10 @@ struct e1000_mac_operations {
36304 s32 (*read_mac_addr)(struct e1000_hw *);
36305 s32 (*set_vfta)(struct e1000_hw *, u16, bool);
36306 };
36307+typedef struct e1000_mac_operations __no_const e1000_mac_operations_no_const;
36308
36309 struct e1000_mac_info {
36310- struct e1000_mac_operations ops;
36311+ e1000_mac_operations_no_const ops;
36312 u8 addr[6];
36313 u8 perm_addr[6];
36314
36315@@ -211,6 +212,7 @@ struct e1000_mbx_operations {
36316 s32 (*check_for_ack)(struct e1000_hw *);
36317 s32 (*check_for_rst)(struct e1000_hw *);
36318 };
36319+typedef struct e1000_mbx_operations __no_const e1000_mbx_operations_no_const;
36320
36321 struct e1000_mbx_stats {
36322 u32 msgs_tx;
36323@@ -222,7 +224,7 @@ struct e1000_mbx_stats {
36324 };
36325
36326 struct e1000_mbx_info {
36327- struct e1000_mbx_operations ops;
36328+ e1000_mbx_operations_no_const ops;
36329 struct e1000_mbx_stats stats;
36330 u32 timeout;
36331 u32 usec_delay;
36332diff -urNp linux-2.6.32.48/drivers/net/iseries_veth.c linux-2.6.32.48/drivers/net/iseries_veth.c
36333--- linux-2.6.32.48/drivers/net/iseries_veth.c 2011-11-08 19:02:43.000000000 -0500
36334+++ linux-2.6.32.48/drivers/net/iseries_veth.c 2011-11-15 19:59:43.000000000 -0500
36335@@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
36336 NULL
36337 };
36338
36339-static struct sysfs_ops veth_cnx_sysfs_ops = {
36340+static const struct sysfs_ops veth_cnx_sysfs_ops = {
36341 .show = veth_cnx_attribute_show
36342 };
36343
36344@@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
36345 NULL
36346 };
36347
36348-static struct sysfs_ops veth_port_sysfs_ops = {
36349+static const struct sysfs_ops veth_port_sysfs_ops = {
36350 .show = veth_port_attribute_show
36351 };
36352
36353diff -urNp linux-2.6.32.48/drivers/net/ixgb/ixgb_main.c linux-2.6.32.48/drivers/net/ixgb/ixgb_main.c
36354--- linux-2.6.32.48/drivers/net/ixgb/ixgb_main.c 2011-11-08 19:02:43.000000000 -0500
36355+++ linux-2.6.32.48/drivers/net/ixgb/ixgb_main.c 2011-11-15 19:59:43.000000000 -0500
36356@@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
36357 u32 rctl;
36358 int i;
36359
36360+ pax_track_stack();
36361+
36362 /* Check for Promiscuous and All Multicast modes */
36363
36364 rctl = IXGB_READ_REG(hw, RCTL);
36365diff -urNp linux-2.6.32.48/drivers/net/ixgb/ixgb_param.c linux-2.6.32.48/drivers/net/ixgb/ixgb_param.c
36366--- linux-2.6.32.48/drivers/net/ixgb/ixgb_param.c 2011-11-08 19:02:43.000000000 -0500
36367+++ linux-2.6.32.48/drivers/net/ixgb/ixgb_param.c 2011-11-15 19:59:43.000000000 -0500
36368@@ -260,6 +260,9 @@ void __devinit
36369 ixgb_check_options(struct ixgb_adapter *adapter)
36370 {
36371 int bd = adapter->bd_number;
36372+
36373+ pax_track_stack();
36374+
36375 if (bd >= IXGB_MAX_NIC) {
36376 printk(KERN_NOTICE
36377 "Warning: no configuration for board #%i\n", bd);
36378diff -urNp linux-2.6.32.48/drivers/net/ixgbe/ixgbe_type.h linux-2.6.32.48/drivers/net/ixgbe/ixgbe_type.h
36379--- linux-2.6.32.48/drivers/net/ixgbe/ixgbe_type.h 2011-11-08 19:02:43.000000000 -0500
36380+++ linux-2.6.32.48/drivers/net/ixgbe/ixgbe_type.h 2011-11-15 19:59:43.000000000 -0500
36381@@ -2327,6 +2327,7 @@ struct ixgbe_eeprom_operations {
36382 s32 (*validate_checksum)(struct ixgbe_hw *, u16 *);
36383 s32 (*update_checksum)(struct ixgbe_hw *);
36384 };
36385+typedef struct ixgbe_eeprom_operations __no_const ixgbe_eeprom_operations_no_const;
36386
36387 struct ixgbe_mac_operations {
36388 s32 (*init_hw)(struct ixgbe_hw *);
36389@@ -2376,6 +2377,7 @@ struct ixgbe_mac_operations {
36390 /* Flow Control */
36391 s32 (*fc_enable)(struct ixgbe_hw *, s32);
36392 };
36393+typedef struct ixgbe_mac_operations __no_const ixgbe_mac_operations_no_const;
36394
36395 struct ixgbe_phy_operations {
36396 s32 (*identify)(struct ixgbe_hw *);
36397@@ -2394,9 +2396,10 @@ struct ixgbe_phy_operations {
36398 s32 (*read_i2c_eeprom)(struct ixgbe_hw *, u8 , u8 *);
36399 s32 (*write_i2c_eeprom)(struct ixgbe_hw *, u8, u8);
36400 };
36401+typedef struct ixgbe_phy_operations __no_const ixgbe_phy_operations_no_const;
36402
36403 struct ixgbe_eeprom_info {
36404- struct ixgbe_eeprom_operations ops;
36405+ ixgbe_eeprom_operations_no_const ops;
36406 enum ixgbe_eeprom_type type;
36407 u32 semaphore_delay;
36408 u16 word_size;
36409@@ -2404,7 +2407,7 @@ struct ixgbe_eeprom_info {
36410 };
36411
36412 struct ixgbe_mac_info {
36413- struct ixgbe_mac_operations ops;
36414+ ixgbe_mac_operations_no_const ops;
36415 enum ixgbe_mac_type type;
36416 u8 addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
36417 u8 perm_addr[IXGBE_ETH_LENGTH_OF_ADDRESS];
36418@@ -2423,7 +2426,7 @@ struct ixgbe_mac_info {
36419 };
36420
36421 struct ixgbe_phy_info {
36422- struct ixgbe_phy_operations ops;
36423+ ixgbe_phy_operations_no_const ops;
36424 struct mdio_if_info mdio;
36425 enum ixgbe_phy_type type;
36426 u32 id;
36427diff -urNp linux-2.6.32.48/drivers/net/mlx4/main.c linux-2.6.32.48/drivers/net/mlx4/main.c
36428--- linux-2.6.32.48/drivers/net/mlx4/main.c 2011-11-08 19:02:43.000000000 -0500
36429+++ linux-2.6.32.48/drivers/net/mlx4/main.c 2011-11-15 19:59:43.000000000 -0500
36430@@ -38,6 +38,7 @@
36431 #include <linux/errno.h>
36432 #include <linux/pci.h>
36433 #include <linux/dma-mapping.h>
36434+#include <linux/sched.h>
36435
36436 #include <linux/mlx4/device.h>
36437 #include <linux/mlx4/doorbell.h>
36438@@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
36439 u64 icm_size;
36440 int err;
36441
36442+ pax_track_stack();
36443+
36444 err = mlx4_QUERY_FW(dev);
36445 if (err) {
36446 if (err == -EACCES)
36447diff -urNp linux-2.6.32.48/drivers/net/niu.c linux-2.6.32.48/drivers/net/niu.c
36448--- linux-2.6.32.48/drivers/net/niu.c 2011-11-08 19:02:43.000000000 -0500
36449+++ linux-2.6.32.48/drivers/net/niu.c 2011-11-15 19:59:43.000000000 -0500
36450@@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
36451 int i, num_irqs, err;
36452 u8 first_ldg;
36453
36454+ pax_track_stack();
36455+
36456 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
36457 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
36458 ldg_num_map[i] = first_ldg + i;
36459diff -urNp linux-2.6.32.48/drivers/net/pcnet32.c linux-2.6.32.48/drivers/net/pcnet32.c
36460--- linux-2.6.32.48/drivers/net/pcnet32.c 2011-11-08 19:02:43.000000000 -0500
36461+++ linux-2.6.32.48/drivers/net/pcnet32.c 2011-11-15 19:59:43.000000000 -0500
36462@@ -79,7 +79,7 @@ static int cards_found;
36463 /*
36464 * VLB I/O addresses
36465 */
36466-static unsigned int pcnet32_portlist[] __initdata =
36467+static unsigned int pcnet32_portlist[] __devinitdata =
36468 { 0x300, 0x320, 0x340, 0x360, 0 };
36469
36470 static int pcnet32_debug = 0;
36471@@ -267,7 +267,7 @@ struct pcnet32_private {
36472 struct sk_buff **rx_skbuff;
36473 dma_addr_t *tx_dma_addr;
36474 dma_addr_t *rx_dma_addr;
36475- struct pcnet32_access a;
36476+ struct pcnet32_access *a;
36477 spinlock_t lock; /* Guard lock */
36478 unsigned int cur_rx, cur_tx; /* The next free ring entry */
36479 unsigned int rx_ring_size; /* current rx ring size */
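Review bot: The new member `struct pcnet32_access *a;` is not const-qualified, so the accessor table it points at can still be written through `lp->a`, and the `lp->a = a;` hunk in `pcnet32_probe1()` no longer gives each adapter a private copy. None of the visible hunks store through the pointer; every use is a call such as `lp->a->read_csr(ioaddr, CSR3)`. Declaring it `const struct pcnet32_access *a;` and changing the local `struct pcnet32_access *a = lp->a;` declarations in the later hunks to match would let the compiler enforce that. Whether the pointed-to tables are themselves declared `const` is outside this hunk.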
36480@@ -457,9 +457,9 @@ static void pcnet32_netif_start(struct n
36481 u16 val;
36482
36483 netif_wake_queue(dev);
36484- val = lp->a.read_csr(ioaddr, CSR3);
36485+ val = lp->a->read_csr(ioaddr, CSR3);
36486 val &= 0x00ff;
36487- lp->a.write_csr(ioaddr, CSR3, val);
36488+ lp->a->write_csr(ioaddr, CSR3, val);
36489 napi_enable(&lp->napi);
36490 }
36491
36492@@ -744,7 +744,7 @@ static u32 pcnet32_get_link(struct net_d
36493 r = mii_link_ok(&lp->mii_if);
36494 } else if (lp->chip_version >= PCNET32_79C970A) {
36495 ulong ioaddr = dev->base_addr; /* card base I/O address */
36496- r = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
36497+ r = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
36498 } else { /* can not detect link on really old chips */
36499 r = 1;
36500 }
36501@@ -806,7 +806,7 @@ static int pcnet32_set_ringparam(struct
36502 pcnet32_netif_stop(dev);
36503
36504 spin_lock_irqsave(&lp->lock, flags);
36505- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36506+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36507
36508 size = min(ering->tx_pending, (unsigned int)TX_MAX_RING_SIZE);
36509
36510@@ -886,7 +886,7 @@ static void pcnet32_ethtool_test(struct
36511 static int pcnet32_loopback_test(struct net_device *dev, uint64_t * data1)
36512 {
36513 struct pcnet32_private *lp = netdev_priv(dev);
36514- struct pcnet32_access *a = &lp->a; /* access to registers */
36515+ struct pcnet32_access *a = lp->a; /* access to registers */
36516 ulong ioaddr = dev->base_addr; /* card base I/O address */
36517 struct sk_buff *skb; /* sk buff */
36518 int x, i; /* counters */
36519@@ -906,21 +906,21 @@ static int pcnet32_loopback_test(struct
36520 pcnet32_netif_stop(dev);
36521
36522 spin_lock_irqsave(&lp->lock, flags);
36523- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36524+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* stop the chip */
36525
36526 numbuffs = min(numbuffs, (int)min(lp->rx_ring_size, lp->tx_ring_size));
36527
36528 /* Reset the PCNET32 */
36529- lp->a.reset(ioaddr);
36530- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36531+ lp->a->reset(ioaddr);
36532+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36533
36534 /* switch pcnet32 to 32bit mode */
36535- lp->a.write_bcr(ioaddr, 20, 2);
36536+ lp->a->write_bcr(ioaddr, 20, 2);
36537
36538 /* purge & init rings but don't actually restart */
36539 pcnet32_restart(dev, 0x0000);
36540
36541- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36542+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36543
36544 /* Initialize Transmit buffers. */
36545 size = data_len + 15;
36546@@ -966,10 +966,10 @@ static int pcnet32_loopback_test(struct
36547
36548 /* set int loopback in CSR15 */
36549 x = a->read_csr(ioaddr, CSR15) & 0xfffc;
36550- lp->a.write_csr(ioaddr, CSR15, x | 0x0044);
36551+ lp->a->write_csr(ioaddr, CSR15, x | 0x0044);
36552
36553 teststatus = cpu_to_le16(0x8000);
36554- lp->a.write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
36555+ lp->a->write_csr(ioaddr, CSR0, CSR0_START); /* Set STRT bit */
36556
36557 /* Check status of descriptors */
36558 for (x = 0; x < numbuffs; x++) {
36559@@ -990,7 +990,7 @@ static int pcnet32_loopback_test(struct
36560 }
36561 }
36562
36563- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36564+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP); /* Set STOP bit */
36565 wmb();
36566 if (netif_msg_hw(lp) && netif_msg_pktdata(lp)) {
36567 printk(KERN_DEBUG "%s: RX loopback packets:\n", dev->name);
36568@@ -1039,7 +1039,7 @@ static int pcnet32_loopback_test(struct
36569 pcnet32_restart(dev, CSR0_NORMAL);
36570 } else {
36571 pcnet32_purge_rx_ring(dev);
36572- lp->a.write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
36573+ lp->a->write_bcr(ioaddr, 20, 4); /* return to 16bit mode */
36574 }
36575 spin_unlock_irqrestore(&lp->lock, flags);
36576
36577@@ -1049,7 +1049,7 @@ static int pcnet32_loopback_test(struct
36578 static void pcnet32_led_blink_callback(struct net_device *dev)
36579 {
36580 struct pcnet32_private *lp = netdev_priv(dev);
36581- struct pcnet32_access *a = &lp->a;
36582+ struct pcnet32_access *a = lp->a;
36583 ulong ioaddr = dev->base_addr;
36584 unsigned long flags;
36585 int i;
36586@@ -1066,7 +1066,7 @@ static void pcnet32_led_blink_callback(s
36587 static int pcnet32_phys_id(struct net_device *dev, u32 data)
36588 {
36589 struct pcnet32_private *lp = netdev_priv(dev);
36590- struct pcnet32_access *a = &lp->a;
36591+ struct pcnet32_access *a = lp->a;
36592 ulong ioaddr = dev->base_addr;
36593 unsigned long flags;
36594 int i, regs[4];
36595@@ -1112,7 +1112,7 @@ static int pcnet32_suspend(struct net_de
36596 {
36597 int csr5;
36598 struct pcnet32_private *lp = netdev_priv(dev);
36599- struct pcnet32_access *a = &lp->a;
36600+ struct pcnet32_access *a = lp->a;
36601 ulong ioaddr = dev->base_addr;
36602 int ticks;
36603
36604@@ -1388,8 +1388,8 @@ static int pcnet32_poll(struct napi_stru
36605 spin_lock_irqsave(&lp->lock, flags);
36606 if (pcnet32_tx(dev)) {
36607 /* reset the chip to clear the error condition, then restart */
36608- lp->a.reset(ioaddr);
36609- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36610+ lp->a->reset(ioaddr);
36611+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36612 pcnet32_restart(dev, CSR0_START);
36613 netif_wake_queue(dev);
36614 }
36615@@ -1401,12 +1401,12 @@ static int pcnet32_poll(struct napi_stru
36616 __napi_complete(napi);
36617
36618 /* clear interrupt masks */
36619- val = lp->a.read_csr(ioaddr, CSR3);
36620+ val = lp->a->read_csr(ioaddr, CSR3);
36621 val &= 0x00ff;
36622- lp->a.write_csr(ioaddr, CSR3, val);
36623+ lp->a->write_csr(ioaddr, CSR3, val);
36624
36625 /* Set interrupt enable. */
36626- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN);
36627+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN);
36628
36629 spin_unlock_irqrestore(&lp->lock, flags);
36630 }
36631@@ -1429,7 +1429,7 @@ static void pcnet32_get_regs(struct net_
36632 int i, csr0;
36633 u16 *buff = ptr;
36634 struct pcnet32_private *lp = netdev_priv(dev);
36635- struct pcnet32_access *a = &lp->a;
36636+ struct pcnet32_access *a = lp->a;
36637 ulong ioaddr = dev->base_addr;
36638 unsigned long flags;
36639
36640@@ -1466,9 +1466,9 @@ static void pcnet32_get_regs(struct net_
36641 for (j = 0; j < PCNET32_MAX_PHYS; j++) {
36642 if (lp->phymask & (1 << j)) {
36643 for (i = 0; i < PCNET32_REGS_PER_PHY; i++) {
36644- lp->a.write_bcr(ioaddr, 33,
36645+ lp->a->write_bcr(ioaddr, 33,
36646 (j << 5) | i);
36647- *buff++ = lp->a.read_bcr(ioaddr, 34);
36648+ *buff++ = lp->a->read_bcr(ioaddr, 34);
36649 }
36650 }
36651 }
36652@@ -1858,7 +1858,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36653 ((cards_found >= MAX_UNITS) || full_duplex[cards_found]))
36654 lp->options |= PCNET32_PORT_FD;
36655
36656- lp->a = *a;
36657+ lp->a = a;
36658
36659 /* prior to register_netdev, dev->name is not yet correct */
36660 if (pcnet32_alloc_ring(dev, pci_name(lp->pci_dev))) {
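Review bot: `lp->a = a;` now keeps the pointer for the lifetime of the net device instead of copying the struct, so the object `a` points at in `pcnet32_probe1()` must have static storage and must not be placed in an init section that is discarded after probing. The assignment to `a` is outside this hunk, so that cannot be confirmed here. A comment such as `/* a points at a static accessor table that outlives the device */` next to the assignment would record the requirement. The function body starts and ends outside the hunk.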
36661@@ -1917,7 +1917,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36662 if (lp->mii) {
36663 /* lp->phycount and lp->phymask are set to 0 by memset above */
36664
36665- lp->mii_if.phy_id = ((lp->a.read_bcr(ioaddr, 33)) >> 5) & 0x1f;
36666+ lp->mii_if.phy_id = ((lp->a->read_bcr(ioaddr, 33)) >> 5) & 0x1f;
36667 /* scan for PHYs */
36668 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
36669 unsigned short id1, id2;
36670@@ -1938,7 +1938,7 @@ pcnet32_probe1(unsigned long ioaddr, int
36671 "Found PHY %04x:%04x at address %d.\n",
36672 id1, id2, i);
36673 }
36674- lp->a.write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
36675+ lp->a->write_bcr(ioaddr, 33, (lp->mii_if.phy_id) << 5);
36676 if (lp->phycount > 1) {
36677 lp->options |= PCNET32_PORT_MII;
36678 }
36679@@ -2109,10 +2109,10 @@ static int pcnet32_open(struct net_devic
36680 }
36681
36682 /* Reset the PCNET32 */
36683- lp->a.reset(ioaddr);
36684+ lp->a->reset(ioaddr);
36685
36686 /* switch pcnet32 to 32bit mode */
36687- lp->a.write_bcr(ioaddr, 20, 2);
36688+ lp->a->write_bcr(ioaddr, 20, 2);
36689
36690 if (netif_msg_ifup(lp))
36691 printk(KERN_DEBUG
36692@@ -2122,14 +2122,14 @@ static int pcnet32_open(struct net_devic
36693 (u32) (lp->init_dma_addr));
36694
36695 /* set/reset autoselect bit */
36696- val = lp->a.read_bcr(ioaddr, 2) & ~2;
36697+ val = lp->a->read_bcr(ioaddr, 2) & ~2;
36698 if (lp->options & PCNET32_PORT_ASEL)
36699 val |= 2;
36700- lp->a.write_bcr(ioaddr, 2, val);
36701+ lp->a->write_bcr(ioaddr, 2, val);
36702
36703 /* handle full duplex setting */
36704 if (lp->mii_if.full_duplex) {
36705- val = lp->a.read_bcr(ioaddr, 9) & ~3;
36706+ val = lp->a->read_bcr(ioaddr, 9) & ~3;
36707 if (lp->options & PCNET32_PORT_FD) {
36708 val |= 1;
36709 if (lp->options == (PCNET32_PORT_FD | PCNET32_PORT_AUI))
36710@@ -2139,14 +2139,14 @@ static int pcnet32_open(struct net_devic
36711 if (lp->chip_version == 0x2627)
36712 val |= 3;
36713 }
36714- lp->a.write_bcr(ioaddr, 9, val);
36715+ lp->a->write_bcr(ioaddr, 9, val);
36716 }
36717
36718 /* set/reset GPSI bit in test register */
36719- val = lp->a.read_csr(ioaddr, 124) & ~0x10;
36720+ val = lp->a->read_csr(ioaddr, 124) & ~0x10;
36721 if ((lp->options & PCNET32_PORT_PORTSEL) == PCNET32_PORT_GPSI)
36722 val |= 0x10;
36723- lp->a.write_csr(ioaddr, 124, val);
36724+ lp->a->write_csr(ioaddr, 124, val);
36725
36726 /* Allied Telesyn AT 2700/2701 FX are 100Mbit only and do not negotiate */
36727 if (pdev && pdev->subsystem_vendor == PCI_VENDOR_ID_AT &&
36728@@ -2167,24 +2167,24 @@ static int pcnet32_open(struct net_devic
36729 * duplex, and/or enable auto negotiation, and clear DANAS
36730 */
36731 if (lp->mii && !(lp->options & PCNET32_PORT_ASEL)) {
36732- lp->a.write_bcr(ioaddr, 32,
36733- lp->a.read_bcr(ioaddr, 32) | 0x0080);
36734+ lp->a->write_bcr(ioaddr, 32,
36735+ lp->a->read_bcr(ioaddr, 32) | 0x0080);
36736 /* disable Auto Negotiation, set 10Mpbs, HD */
36737- val = lp->a.read_bcr(ioaddr, 32) & ~0xb8;
36738+ val = lp->a->read_bcr(ioaddr, 32) & ~0xb8;
36739 if (lp->options & PCNET32_PORT_FD)
36740 val |= 0x10;
36741 if (lp->options & PCNET32_PORT_100)
36742 val |= 0x08;
36743- lp->a.write_bcr(ioaddr, 32, val);
36744+ lp->a->write_bcr(ioaddr, 32, val);
36745 } else {
36746 if (lp->options & PCNET32_PORT_ASEL) {
36747- lp->a.write_bcr(ioaddr, 32,
36748- lp->a.read_bcr(ioaddr,
36749+ lp->a->write_bcr(ioaddr, 32,
36750+ lp->a->read_bcr(ioaddr,
36751 32) | 0x0080);
36752 /* enable auto negotiate, setup, disable fd */
36753- val = lp->a.read_bcr(ioaddr, 32) & ~0x98;
36754+ val = lp->a->read_bcr(ioaddr, 32) & ~0x98;
36755 val |= 0x20;
36756- lp->a.write_bcr(ioaddr, 32, val);
36757+ lp->a->write_bcr(ioaddr, 32, val);
36758 }
36759 }
36760 } else {
36761@@ -2197,10 +2197,10 @@ static int pcnet32_open(struct net_devic
36762 * There is really no good other way to handle multiple PHYs
36763 * other than turning off all automatics
36764 */
36765- val = lp->a.read_bcr(ioaddr, 2);
36766- lp->a.write_bcr(ioaddr, 2, val & ~2);
36767- val = lp->a.read_bcr(ioaddr, 32);
36768- lp->a.write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
36769+ val = lp->a->read_bcr(ioaddr, 2);
36770+ lp->a->write_bcr(ioaddr, 2, val & ~2);
36771+ val = lp->a->read_bcr(ioaddr, 32);
36772+ lp->a->write_bcr(ioaddr, 32, val & ~(1 << 7)); /* stop MII manager */
36773
36774 if (!(lp->options & PCNET32_PORT_ASEL)) {
36775 /* setup ecmd */
36776@@ -2210,7 +2210,7 @@ static int pcnet32_open(struct net_devic
36777 ecmd.speed =
36778 lp->
36779 options & PCNET32_PORT_100 ? SPEED_100 : SPEED_10;
36780- bcr9 = lp->a.read_bcr(ioaddr, 9);
36781+ bcr9 = lp->a->read_bcr(ioaddr, 9);
36782
36783 if (lp->options & PCNET32_PORT_FD) {
36784 ecmd.duplex = DUPLEX_FULL;
36785@@ -2219,7 +2219,7 @@ static int pcnet32_open(struct net_devic
36786 ecmd.duplex = DUPLEX_HALF;
36787 bcr9 |= ~(1 << 0);
36788 }
36789- lp->a.write_bcr(ioaddr, 9, bcr9);
36790+ lp->a->write_bcr(ioaddr, 9, bcr9);
36791 }
36792
36793 for (i = 0; i < PCNET32_MAX_PHYS; i++) {
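Review bot: The value written by the changed line `lp->a->write_bcr(ioaddr, 9, bcr9);` comes from the context line `bcr9 |= ~(1 << 0);` in the half-duplex branch, which sets every bit except bit 0 rather than clearing bit 0. This predates the patch, but it looks as if `bcr9 &= ~(1 << 0);` was intended. The full-duplex branch and the rest of `pcnet32_open()` are outside this hunk, so the BCR9 bit layout should be confirmed before changing it.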
36794@@ -2252,9 +2252,9 @@ static int pcnet32_open(struct net_devic
36795
36796 #ifdef DO_DXSUFLO
36797 if (lp->dxsuflo) { /* Disable transmit stop on underflow */
36798- val = lp->a.read_csr(ioaddr, CSR3);
36799+ val = lp->a->read_csr(ioaddr, CSR3);
36800 val |= 0x40;
36801- lp->a.write_csr(ioaddr, CSR3, val);
36802+ lp->a->write_csr(ioaddr, CSR3, val);
36803 }
36804 #endif
36805
36806@@ -2270,11 +2270,11 @@ static int pcnet32_open(struct net_devic
36807 napi_enable(&lp->napi);
36808
36809 /* Re-initialize the PCNET32, and start it when done. */
36810- lp->a.write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
36811- lp->a.write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
36812+ lp->a->write_csr(ioaddr, 1, (lp->init_dma_addr & 0xffff));
36813+ lp->a->write_csr(ioaddr, 2, (lp->init_dma_addr >> 16));
36814
36815- lp->a.write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36816- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
36817+ lp->a->write_csr(ioaddr, CSR4, 0x0915); /* auto tx pad */
36818+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
36819
36820 netif_start_queue(dev);
36821
36822@@ -2286,20 +2286,20 @@ static int pcnet32_open(struct net_devic
36823
36824 i = 0;
36825 while (i++ < 100)
36826- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
36827+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
36828 break;
36829 /*
36830 * We used to clear the InitDone bit, 0x0100, here but Mark Stockton
36831 * reports that doing so triggers a bug in the '974.
36832 */
36833- lp->a.write_csr(ioaddr, CSR0, CSR0_NORMAL);
36834+ lp->a->write_csr(ioaddr, CSR0, CSR0_NORMAL);
36835
36836 if (netif_msg_ifup(lp))
36837 printk(KERN_DEBUG
36838 "%s: pcnet32 open after %d ticks, init block %#x csr0 %4.4x.\n",
36839 dev->name, i,
36840 (u32) (lp->init_dma_addr),
36841- lp->a.read_csr(ioaddr, CSR0));
36842+ lp->a->read_csr(ioaddr, CSR0));
36843
36844 spin_unlock_irqrestore(&lp->lock, flags);
36845
36846@@ -2313,7 +2313,7 @@ static int pcnet32_open(struct net_devic
36847 * Switch back to 16bit mode to avoid problems with dumb
36848 * DOS packet driver after a warm reboot
36849 */
36850- lp->a.write_bcr(ioaddr, 20, 4);
36851+ lp->a->write_bcr(ioaddr, 20, 4);
36852
36853 err_free_irq:
36854 spin_unlock_irqrestore(&lp->lock, flags);
36855@@ -2420,7 +2420,7 @@ static void pcnet32_restart(struct net_d
36856
36857 /* wait for stop */
36858 for (i = 0; i < 100; i++)
36859- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_STOP)
36860+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_STOP)
36861 break;
36862
36863 if (i >= 100 && netif_msg_drv(lp))
36864@@ -2433,13 +2433,13 @@ static void pcnet32_restart(struct net_d
36865 return;
36866
36867 /* ReInit Ring */
36868- lp->a.write_csr(ioaddr, CSR0, CSR0_INIT);
36869+ lp->a->write_csr(ioaddr, CSR0, CSR0_INIT);
36870 i = 0;
36871 while (i++ < 1000)
36872- if (lp->a.read_csr(ioaddr, CSR0) & CSR0_IDON)
36873+ if (lp->a->read_csr(ioaddr, CSR0) & CSR0_IDON)
36874 break;
36875
36876- lp->a.write_csr(ioaddr, CSR0, csr0_bits);
36877+ lp->a->write_csr(ioaddr, CSR0, csr0_bits);
36878 }
36879
36880 static void pcnet32_tx_timeout(struct net_device *dev)
36881@@ -2452,8 +2452,8 @@ static void pcnet32_tx_timeout(struct ne
36882 if (pcnet32_debug & NETIF_MSG_DRV)
36883 printk(KERN_ERR
36884 "%s: transmit timed out, status %4.4x, resetting.\n",
36885- dev->name, lp->a.read_csr(ioaddr, CSR0));
36886- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36887+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36888+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36889 dev->stats.tx_errors++;
36890 if (netif_msg_tx_err(lp)) {
36891 int i;
36892@@ -2497,7 +2497,7 @@ static netdev_tx_t pcnet32_start_xmit(st
36893 if (netif_msg_tx_queued(lp)) {
36894 printk(KERN_DEBUG
36895 "%s: pcnet32_start_xmit() called, csr0 %4.4x.\n",
36896- dev->name, lp->a.read_csr(ioaddr, CSR0));
36897+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36898 }
36899
36900 /* Default status -- will not enable Successful-TxDone
36901@@ -2528,7 +2528,7 @@ static netdev_tx_t pcnet32_start_xmit(st
36902 dev->stats.tx_bytes += skb->len;
36903
36904 /* Trigger an immediate send poll. */
36905- lp->a.write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36906+ lp->a->write_csr(ioaddr, CSR0, CSR0_INTEN | CSR0_TXPOLL);
36907
36908 dev->trans_start = jiffies;
36909
36910@@ -2555,18 +2555,18 @@ pcnet32_interrupt(int irq, void *dev_id)
36911
36912 spin_lock(&lp->lock);
36913
36914- csr0 = lp->a.read_csr(ioaddr, CSR0);
36915+ csr0 = lp->a->read_csr(ioaddr, CSR0);
36916 while ((csr0 & 0x8f00) && --boguscnt >= 0) {
36917 if (csr0 == 0xffff) {
36918 break; /* PCMCIA remove happened */
36919 }
36920 /* Acknowledge all of the current interrupt sources ASAP. */
36921- lp->a.write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36922+ lp->a->write_csr(ioaddr, CSR0, csr0 & ~0x004f);
36923
36924 if (netif_msg_intr(lp))
36925 printk(KERN_DEBUG
36926 "%s: interrupt csr0=%#2.2x new csr=%#2.2x.\n",
36927- dev->name, csr0, lp->a.read_csr(ioaddr, CSR0));
36928+ dev->name, csr0, lp->a->read_csr(ioaddr, CSR0));
36929
36930 /* Log misc errors. */
36931 if (csr0 & 0x4000)
36932@@ -2595,19 +2595,19 @@ pcnet32_interrupt(int irq, void *dev_id)
36933 if (napi_schedule_prep(&lp->napi)) {
36934 u16 val;
36935 /* set interrupt masks */
36936- val = lp->a.read_csr(ioaddr, CSR3);
36937+ val = lp->a->read_csr(ioaddr, CSR3);
36938 val |= 0x5f00;
36939- lp->a.write_csr(ioaddr, CSR3, val);
36940+ lp->a->write_csr(ioaddr, CSR3, val);
36941
36942 __napi_schedule(&lp->napi);
36943 break;
36944 }
36945- csr0 = lp->a.read_csr(ioaddr, CSR0);
36946+ csr0 = lp->a->read_csr(ioaddr, CSR0);
36947 }
36948
36949 if (netif_msg_intr(lp))
36950 printk(KERN_DEBUG "%s: exiting interrupt, csr0=%#4.4x.\n",
36951- dev->name, lp->a.read_csr(ioaddr, CSR0));
36952+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36953
36954 spin_unlock(&lp->lock);
36955
36956@@ -2627,21 +2627,21 @@ static int pcnet32_close(struct net_devi
36957
36958 spin_lock_irqsave(&lp->lock, flags);
36959
36960- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36961+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36962
36963 if (netif_msg_ifdown(lp))
36964 printk(KERN_DEBUG
36965 "%s: Shutting down ethercard, status was %2.2x.\n",
36966- dev->name, lp->a.read_csr(ioaddr, CSR0));
36967+ dev->name, lp->a->read_csr(ioaddr, CSR0));
36968
36969 /* We stop the PCNET32 here -- it occasionally polls memory if we don't. */
36970- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
36971+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
36972
36973 /*
36974 * Switch back to 16bit mode to avoid problems with dumb
36975 * DOS packet driver after a warm reboot
36976 */
36977- lp->a.write_bcr(ioaddr, 20, 4);
36978+ lp->a->write_bcr(ioaddr, 20, 4);
36979
36980 spin_unlock_irqrestore(&lp->lock, flags);
36981
36982@@ -2664,7 +2664,7 @@ static struct net_device_stats *pcnet32_
36983 unsigned long flags;
36984
36985 spin_lock_irqsave(&lp->lock, flags);
36986- dev->stats.rx_missed_errors = lp->a.read_csr(ioaddr, 112);
36987+ dev->stats.rx_missed_errors = lp->a->read_csr(ioaddr, 112);
36988 spin_unlock_irqrestore(&lp->lock, flags);
36989
36990 return &dev->stats;
36991@@ -2686,10 +2686,10 @@ static void pcnet32_load_multicast(struc
36992 if (dev->flags & IFF_ALLMULTI) {
36993 ib->filter[0] = cpu_to_le32(~0U);
36994 ib->filter[1] = cpu_to_le32(~0U);
36995- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
36996- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
36997- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
36998- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
36999+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER, 0xffff);
37000+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+1, 0xffff);
37001+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+2, 0xffff);
37002+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER+3, 0xffff);
37003 return;
37004 }
37005 /* clear the multicast filter */
37006@@ -2710,7 +2710,7 @@ static void pcnet32_load_multicast(struc
37007 mcast_table[crc >> 4] |= cpu_to_le16(1 << (crc & 0xf));
37008 }
37009 for (i = 0; i < 4; i++)
37010- lp->a.write_csr(ioaddr, PCNET32_MC_FILTER + i,
37011+ lp->a->write_csr(ioaddr, PCNET32_MC_FILTER + i,
37012 le16_to_cpu(mcast_table[i]));
37013 return;
37014 }
37015@@ -2726,7 +2726,7 @@ static void pcnet32_set_multicast_list(s
37016
37017 spin_lock_irqsave(&lp->lock, flags);
37018 suspended = pcnet32_suspend(dev, &flags, 0);
37019- csr15 = lp->a.read_csr(ioaddr, CSR15);
37020+ csr15 = lp->a->read_csr(ioaddr, CSR15);
37021 if (dev->flags & IFF_PROMISC) {
37022 /* Log any net taps. */
37023 if (netif_msg_hw(lp))
37024@@ -2735,21 +2735,21 @@ static void pcnet32_set_multicast_list(s
37025 lp->init_block->mode =
37026 cpu_to_le16(0x8000 | (lp->options & PCNET32_PORT_PORTSEL) <<
37027 7);
37028- lp->a.write_csr(ioaddr, CSR15, csr15 | 0x8000);
37029+ lp->a->write_csr(ioaddr, CSR15, csr15 | 0x8000);
37030 } else {
37031 lp->init_block->mode =
37032 cpu_to_le16((lp->options & PCNET32_PORT_PORTSEL) << 7);
37033- lp->a.write_csr(ioaddr, CSR15, csr15 & 0x7fff);
37034+ lp->a->write_csr(ioaddr, CSR15, csr15 & 0x7fff);
37035 pcnet32_load_multicast(dev);
37036 }
37037
37038 if (suspended) {
37039 int csr5;
37040 /* clear SUSPEND (SPND) - CSR5 bit 0 */
37041- csr5 = lp->a.read_csr(ioaddr, CSR5);
37042- lp->a.write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
37043+ csr5 = lp->a->read_csr(ioaddr, CSR5);
37044+ lp->a->write_csr(ioaddr, CSR5, csr5 & (~CSR5_SUSPEND));
37045 } else {
37046- lp->a.write_csr(ioaddr, CSR0, CSR0_STOP);
37047+ lp->a->write_csr(ioaddr, CSR0, CSR0_STOP);
37048 pcnet32_restart(dev, CSR0_NORMAL);
37049 netif_wake_queue(dev);
37050 }
37051@@ -2767,8 +2767,8 @@ static int mdio_read(struct net_device *
37052 if (!lp->mii)
37053 return 0;
37054
37055- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37056- val_out = lp->a.read_bcr(ioaddr, 34);
37057+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37058+ val_out = lp->a->read_bcr(ioaddr, 34);
37059
37060 return val_out;
37061 }
37062@@ -2782,8 +2782,8 @@ static void mdio_write(struct net_device
37063 if (!lp->mii)
37064 return;
37065
37066- lp->a.write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37067- lp->a.write_bcr(ioaddr, 34, val);
37068+ lp->a->write_bcr(ioaddr, 33, ((phy_id & 0x1f) << 5) | (reg_num & 0x1f));
37069+ lp->a->write_bcr(ioaddr, 34, val);
37070 }
37071
37072 static int pcnet32_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
37073@@ -2862,7 +2862,7 @@ static void pcnet32_check_media(struct n
37074 curr_link = mii_link_ok(&lp->mii_if);
37075 } else {
37076 ulong ioaddr = dev->base_addr; /* card base I/O address */
37077- curr_link = (lp->a.read_bcr(ioaddr, 4) != 0xc0);
37078+ curr_link = (lp->a->read_bcr(ioaddr, 4) != 0xc0);
37079 }
37080 if (!curr_link) {
37081 if (prev_link || verbose) {
37082@@ -2887,13 +2887,13 @@ static void pcnet32_check_media(struct n
37083 (ecmd.duplex ==
37084 DUPLEX_FULL) ? "full" : "half");
37085 }
37086- bcr9 = lp->a.read_bcr(dev->base_addr, 9);
37087+ bcr9 = lp->a->read_bcr(dev->base_addr, 9);
37088 if ((bcr9 & (1 << 0)) != lp->mii_if.full_duplex) {
37089 if (lp->mii_if.full_duplex)
37090 bcr9 |= (1 << 0);
37091 else
37092 bcr9 &= ~(1 << 0);
37093- lp->a.write_bcr(dev->base_addr, 9, bcr9);
37094+ lp->a->write_bcr(dev->base_addr, 9, bcr9);
37095 }
37096 } else {
37097 if (netif_msg_link(lp))
37098diff -urNp linux-2.6.32.48/drivers/net/sis190.c linux-2.6.32.48/drivers/net/sis190.c
37099--- linux-2.6.32.48/drivers/net/sis190.c 2011-11-08 19:02:43.000000000 -0500
37100+++ linux-2.6.32.48/drivers/net/sis190.c 2011-11-18 18:01:55.000000000 -0500
37101@@ -1598,7 +1598,7 @@ static int __devinit sis190_get_mac_addr
37102 static int __devinit sis190_get_mac_addr_from_apc(struct pci_dev *pdev,
37103 struct net_device *dev)
37104 {
37105- static const u16 __devinitdata ids[] = { 0x0965, 0x0966, 0x0968 };
37106+ static const u16 __devinitconst ids[] = { 0x0965, 0x0966, 0x0968 };
37107 struct sis190_private *tp = netdev_priv(dev);
37108 struct pci_dev *isa_bridge;
37109 u8 reg, tmp8;
37110diff -urNp linux-2.6.32.48/drivers/net/sundance.c linux-2.6.32.48/drivers/net/sundance.c
37111--- linux-2.6.32.48/drivers/net/sundance.c 2011-11-08 19:02:43.000000000 -0500
37112+++ linux-2.6.32.48/drivers/net/sundance.c 2011-11-18 18:01:55.000000000 -0500
37113@@ -225,7 +225,7 @@ enum {
37114 struct pci_id_info {
37115 const char *name;
37116 };
37117-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
37118+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
37119 {"D-Link DFE-550TX FAST Ethernet Adapter"},
37120 {"D-Link DFE-550FX 100Mbps Fiber-optics Adapter"},
37121 {"D-Link DFE-580TX 4 port Server Adapter"},
37122diff -urNp linux-2.6.32.48/drivers/net/tg3.h linux-2.6.32.48/drivers/net/tg3.h
37123--- linux-2.6.32.48/drivers/net/tg3.h 2011-11-08 19:02:43.000000000 -0500
37124+++ linux-2.6.32.48/drivers/net/tg3.h 2011-11-15 19:59:43.000000000 -0500
37125@@ -95,6 +95,7 @@
37126 #define CHIPREV_ID_5750_A0 0x4000
37127 #define CHIPREV_ID_5750_A1 0x4001
37128 #define CHIPREV_ID_5750_A3 0x4003
37129+#define CHIPREV_ID_5750_C1 0x4201
37130 #define CHIPREV_ID_5750_C2 0x4202
37131 #define CHIPREV_ID_5752_A0_HW 0x5000
37132 #define CHIPREV_ID_5752_A0 0x6000
37133diff -urNp linux-2.6.32.48/drivers/net/tokenring/abyss.c linux-2.6.32.48/drivers/net/tokenring/abyss.c
37134--- linux-2.6.32.48/drivers/net/tokenring/abyss.c 2011-11-08 19:02:43.000000000 -0500
37135+++ linux-2.6.32.48/drivers/net/tokenring/abyss.c 2011-11-15 19:59:43.000000000 -0500
37136@@ -451,10 +451,12 @@ static struct pci_driver abyss_driver =
37137
37138 static int __init abyss_init (void)
37139 {
37140- abyss_netdev_ops = tms380tr_netdev_ops;
37141+ pax_open_kernel();
37142+ memcpy((void *)&abyss_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37143
37144- abyss_netdev_ops.ndo_open = abyss_open;
37145- abyss_netdev_ops.ndo_stop = abyss_close;
37146+ *(void **)&abyss_netdev_ops.ndo_open = abyss_open;
37147+ *(void **)&abyss_netdev_ops.ndo_stop = abyss_close;
37148+ pax_close_kernel();
37149
37150 return pci_register_driver(&abyss_driver);
37151 }
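Review bot: The stores `*(void **)&abyss_netdev_ops.ndo_open = abyss_open;` and the matching `ndo_stop` line go through a `void **` cast, so the compiler no longer checks that the handler has the member's prototype. The `memcpy` length is also taken from the source, `sizeof(tms380tr_netdev_ops)`, where `sizeof(abyss_netdev_ops)` would tie it to the object being written. The reason for the `pax_open_kernel()`/`pax_close_kernel()` pair is not stated; assuming the ops table is write-protected (its declaration is outside the hunk), a comment such as `/* ops table is read-only after build; open a write window for this one-time init copy only */` would document it. The same pattern and the same remarks apply to the madgemc_init, proteon_init and sk_isa_init hunks that follow.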
37152diff -urNp linux-2.6.32.48/drivers/net/tokenring/madgemc.c linux-2.6.32.48/drivers/net/tokenring/madgemc.c
37153--- linux-2.6.32.48/drivers/net/tokenring/madgemc.c 2011-11-08 19:02:43.000000000 -0500
37154+++ linux-2.6.32.48/drivers/net/tokenring/madgemc.c 2011-11-15 19:59:43.000000000 -0500
37155@@ -755,9 +755,11 @@ static struct mca_driver madgemc_driver
37156
37157 static int __init madgemc_init (void)
37158 {
37159- madgemc_netdev_ops = tms380tr_netdev_ops;
37160- madgemc_netdev_ops.ndo_open = madgemc_open;
37161- madgemc_netdev_ops.ndo_stop = madgemc_close;
37162+ pax_open_kernel();
37163+ memcpy((void *)&madgemc_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37164+ *(void **)&madgemc_netdev_ops.ndo_open = madgemc_open;
37165+ *(void **)&madgemc_netdev_ops.ndo_stop = madgemc_close;
37166+ pax_close_kernel();
37167
37168 return mca_register_driver (&madgemc_driver);
37169 }
37170diff -urNp linux-2.6.32.48/drivers/net/tokenring/proteon.c linux-2.6.32.48/drivers/net/tokenring/proteon.c
37171--- linux-2.6.32.48/drivers/net/tokenring/proteon.c 2011-11-08 19:02:43.000000000 -0500
37172+++ linux-2.6.32.48/drivers/net/tokenring/proteon.c 2011-11-15 19:59:43.000000000 -0500
37173@@ -353,9 +353,11 @@ static int __init proteon_init(void)
37174 struct platform_device *pdev;
37175 int i, num = 0, err = 0;
37176
37177- proteon_netdev_ops = tms380tr_netdev_ops;
37178- proteon_netdev_ops.ndo_open = proteon_open;
37179- proteon_netdev_ops.ndo_stop = tms380tr_close;
37180+ pax_open_kernel();
37181+ memcpy((void *)&proteon_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37182+ *(void **)&proteon_netdev_ops.ndo_open = proteon_open;
37183+ *(void **)&proteon_netdev_ops.ndo_stop = tms380tr_close;
37184+ pax_close_kernel();
37185
37186 err = platform_driver_register(&proteon_driver);
37187 if (err)
37188diff -urNp linux-2.6.32.48/drivers/net/tokenring/skisa.c linux-2.6.32.48/drivers/net/tokenring/skisa.c
37189--- linux-2.6.32.48/drivers/net/tokenring/skisa.c 2011-11-08 19:02:43.000000000 -0500
37190+++ linux-2.6.32.48/drivers/net/tokenring/skisa.c 2011-11-15 19:59:43.000000000 -0500
37191@@ -363,9 +363,11 @@ static int __init sk_isa_init(void)
37192 struct platform_device *pdev;
37193 int i, num = 0, err = 0;
37194
37195- sk_isa_netdev_ops = tms380tr_netdev_ops;
37196- sk_isa_netdev_ops.ndo_open = sk_isa_open;
37197- sk_isa_netdev_ops.ndo_stop = tms380tr_close;
37198+ pax_open_kernel();
37199+ memcpy((void *)&sk_isa_netdev_ops, &tms380tr_netdev_ops, sizeof(tms380tr_netdev_ops));
37200+ *(void **)&sk_isa_netdev_ops.ndo_open = sk_isa_open;
37201+ *(void **)&sk_isa_netdev_ops.ndo_stop = tms380tr_close;
37202+ pax_close_kernel();
37203
37204 err = platform_driver_register(&sk_isa_driver);
37205 if (err)
37206diff -urNp linux-2.6.32.48/drivers/net/tulip/de2104x.c linux-2.6.32.48/drivers/net/tulip/de2104x.c
37207--- linux-2.6.32.48/drivers/net/tulip/de2104x.c 2011-11-08 19:02:43.000000000 -0500
37208+++ linux-2.6.32.48/drivers/net/tulip/de2104x.c 2011-11-15 19:59:43.000000000 -0500
37209@@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
37210 struct de_srom_info_leaf *il;
37211 void *bufp;
37212
37213+ pax_track_stack();
37214+
37215 /* download entire eeprom */
37216 for (i = 0; i < DE_EEPROM_WORDS; i++)
37217 ((__le16 *)ee_data)[i] =
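Review bot: `pax_track_stack();` is added here with no comment, and the local object that motivates it is not visible in the hunk. A one-line comment such as `/* large stack frame (EEPROM copy): record stack depth for PaX */` would tell a later maintainer why the call is there and when it can go; the wording is presumed from the call's name and should be checked against its definition. The same applies to the other `pax_track_stack()` hunks in this range (vxge-main.c, cycx_x25.c next to `hex[1024]`, usb-fw.c, airo.c, ath5k and ath9k debug.c, ipw2100.c, libipw_rx.c). The function body starts and ends outside the hunk.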
37218diff -urNp linux-2.6.32.48/drivers/net/tulip/de4x5.c linux-2.6.32.48/drivers/net/tulip/de4x5.c
37219--- linux-2.6.32.48/drivers/net/tulip/de4x5.c 2011-11-08 19:02:43.000000000 -0500
37220+++ linux-2.6.32.48/drivers/net/tulip/de4x5.c 2011-11-15 19:59:43.000000000 -0500
37221@@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
37222 for (i=0; i<ETH_ALEN; i++) {
37223 tmp.addr[i] = dev->dev_addr[i];
37224 }
37225- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
37226+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
37227 break;
37228
37229 case DE4X5_SET_HWADDR: /* Set the hardware address */
37230@@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
37231 spin_lock_irqsave(&lp->lock, flags);
37232 memcpy(&statbuf, &lp->pktStats, ioc->len);
37233 spin_unlock_irqrestore(&lp->lock, flags);
37234- if (copy_to_user(ioc->data, &statbuf, ioc->len))
37235+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
37236 return -EFAULT;
37237 break;
37238 }
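Review bot: The added `ioc->len > sizeof statbuf` test runs only after `memcpy(&statbuf, &lp->pktStats, ioc->len);` has already used the same length to write the stack buffer. Whether `ioc->len` is pinned to the buffer size is decided above the hunk and cannot be seen here; if it is not, the bound has to be checked before the copy, e.g. `if (ioc->len > sizeof statbuf) return -EINVAL;` ahead of `spin_lock_irqsave`. If it is already pinned, a short comment saying the new test is defence in depth would stop readers from assuming it guards the memcpy. The case block starts outside the hunk.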
37239diff -urNp linux-2.6.32.48/drivers/net/tulip/eeprom.c linux-2.6.32.48/drivers/net/tulip/eeprom.c
37240--- linux-2.6.32.48/drivers/net/tulip/eeprom.c 2011-11-08 19:02:43.000000000 -0500
37241+++ linux-2.6.32.48/drivers/net/tulip/eeprom.c 2011-11-18 18:01:55.000000000 -0500
37242@@ -80,7 +80,7 @@ static struct eeprom_fixup eeprom_fixups
37243 {NULL}};
37244
37245
37246-static const char *block_name[] __devinitdata = {
37247+static const char *block_name[] __devinitconst = {
37248 "21140 non-MII",
37249 "21140 MII PHY",
37250 "21142 Serial PHY",
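Review bot: `block_name` is declared `const char *block_name[]`, so only the strings are const while the array of pointers is itself a writable object, yet the new `__devinitconst` annotation asks for it to be placed with const init data. Depending on how that section is defined, this is either a section type conflict at build time or a table that is less read-only than the annotation suggests. Declaring it `static const char * const block_name[] __devinitconst = {` makes the object match the annotation. The initializer continues outside the hunk.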
37251diff -urNp linux-2.6.32.48/drivers/net/tulip/winbond-840.c linux-2.6.32.48/drivers/net/tulip/winbond-840.c
37252--- linux-2.6.32.48/drivers/net/tulip/winbond-840.c 2011-11-08 19:02:43.000000000 -0500
37253+++ linux-2.6.32.48/drivers/net/tulip/winbond-840.c 2011-11-18 18:01:55.000000000 -0500
37254@@ -235,7 +235,7 @@ struct pci_id_info {
37255 int drv_flags; /* Driver use, intended as capability flags. */
37256 };
37257
37258-static const struct pci_id_info pci_id_tbl[] __devinitdata = {
37259+static const struct pci_id_info pci_id_tbl[] __devinitconst = {
37260 { /* Sometime a Level-One switch card. */
37261 "Winbond W89c840", CanHaveMII | HasBrokenTx | FDXOnNoMII},
37262 { "Winbond W89c840", CanHaveMII | HasBrokenTx},
37263diff -urNp linux-2.6.32.48/drivers/net/usb/hso.c linux-2.6.32.48/drivers/net/usb/hso.c
37264--- linux-2.6.32.48/drivers/net/usb/hso.c 2011-11-08 19:02:43.000000000 -0500
37265+++ linux-2.6.32.48/drivers/net/usb/hso.c 2011-11-15 19:59:43.000000000 -0500
37266@@ -71,7 +71,7 @@
37267 #include <asm/byteorder.h>
37268 #include <linux/serial_core.h>
37269 #include <linux/serial.h>
37270-
37271+#include <asm/local.h>
37272
37273 #define DRIVER_VERSION "1.2"
37274 #define MOD_AUTHOR "Option Wireless"
37275@@ -258,7 +258,7 @@ struct hso_serial {
37276
37277 /* from usb_serial_port */
37278 struct tty_struct *tty;
37279- int open_count;
37280+ local_t open_count;
37281 spinlock_t serial_lock;
37282
37283 int (*write_data) (struct hso_serial *serial);
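Review bot: `open_count` changes from `int` to `local_t` without a comment on the reason or on what protects it. local_t operations are atomic only with respect to the CPU executing them, and this is a per-device field that the open, close, resume and URB-callback hunks below all read or modify. A comment on the field such as `/* open/close count; cross-CPU updates serialised by <lock name> */` (placeholder, the lock is not identifiable from these hunks) would record what the code relies on. The struct definition starts and ends outside the hunk.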
37284@@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
37285 struct urb *urb;
37286
37287 urb = serial->rx_urb[0];
37288- if (serial->open_count > 0) {
37289+ if (local_read(&serial->open_count) > 0) {
37290 count = put_rxbuf_data(urb, serial);
37291 if (count == -1)
37292 return;
37293@@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
37294 DUMP1(urb->transfer_buffer, urb->actual_length);
37295
37296 /* Anyone listening? */
37297- if (serial->open_count == 0)
37298+ if (local_read(&serial->open_count) == 0)
37299 return;
37300
37301 if (status == 0) {
37302@@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
37303 spin_unlock_irq(&serial->serial_lock);
37304
37305 /* check for port already opened, if not set the termios */
37306- serial->open_count++;
37307- if (serial->open_count == 1) {
37308+ if (local_inc_return(&serial->open_count) == 1) {
37309 tty->low_latency = 1;
37310 serial->rx_state = RX_IDLE;
37311 /* Force default termio settings */
37312@@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
37313 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
37314 if (result) {
37315 hso_stop_serial_device(serial->parent);
37316- serial->open_count--;
37317+ local_dec(&serial->open_count);
37318 kref_put(&serial->parent->ref, hso_serial_ref_free);
37319 }
37320 } else {
37321@@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
37322
37323 /* reset the rts and dtr */
37324 /* do the actual close */
37325- serial->open_count--;
37326+ local_dec(&serial->open_count);
37327
37328- if (serial->open_count <= 0) {
37329- serial->open_count = 0;
37330+ if (local_read(&serial->open_count) <= 0) {
37331+ local_set(&serial->open_count, 0);
37332 spin_lock_irq(&serial->serial_lock);
37333 if (serial->tty == tty) {
37334 serial->tty->driver_data = NULL;
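Review bot: The close path updates the counter in three separate steps, `local_dec`, then `local_read`, then `local_set(&serial->open_count, 0)`, whereas hso_serial_open uses a single `local_inc_return`. Writing `if (local_dec_return(&serial->open_count) <= 0) {` would test the value this call produced rather than one re-read afterwards, and would match the open path. The clamp back to 0 also hides an unbalanced close; if that is deliberate, a comment should say so. Which lock, if any, covers these lines is outside the hunk.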
37335@@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
37336
37337 /* the actual setup */
37338 spin_lock_irqsave(&serial->serial_lock, flags);
37339- if (serial->open_count)
37340+ if (local_read(&serial->open_count))
37341 _hso_serial_set_termios(tty, old);
37342 else
37343 tty->termios = old;
37344@@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
37345 /* Start all serial ports */
37346 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
37347 if (serial_table[i] && (serial_table[i]->interface == iface)) {
37348- if (dev2ser(serial_table[i])->open_count) {
37349+ if (local_read(&dev2ser(serial_table[i])->open_count)) {
37350 result =
37351 hso_start_serial_device(serial_table[i], GFP_NOIO);
37352 hso_kick_transmit(dev2ser(serial_table[i]));
37353diff -urNp linux-2.6.32.48/drivers/net/vxge/vxge-config.h linux-2.6.32.48/drivers/net/vxge/vxge-config.h
37354--- linux-2.6.32.48/drivers/net/vxge/vxge-config.h 2011-11-08 19:02:43.000000000 -0500
37355+++ linux-2.6.32.48/drivers/net/vxge/vxge-config.h 2011-11-15 19:59:43.000000000 -0500
37356@@ -474,7 +474,7 @@ struct vxge_hw_uld_cbs {
37357 void (*link_down)(struct __vxge_hw_device *devh);
37358 void (*crit_err)(struct __vxge_hw_device *devh,
37359 enum vxge_hw_event type, u64 ext_data);
37360-};
37361+} __no_const;
37362
37363 /*
37364 * struct __vxge_hw_blockpool_entry - Block private data structure
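Review bot: `__no_const` is attached to `struct vxge_hw_uld_cbs` with no explanation. Going by its name, the annotation exempts this table of function pointers from being treated as read-only, which leaves the callbacks writable at run time; that is worth justifying where it is applied. A comment such as `/* filled in at run time by <caller>, cannot be const */` (placeholder, the writer is not visible here) would document the exception. The same applies to `struct vxge_hw_mempool_cbs` in the vxge-traffic.h hunk. The struct body starts outside the hunk.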
37365diff -urNp linux-2.6.32.48/drivers/net/vxge/vxge-main.c linux-2.6.32.48/drivers/net/vxge/vxge-main.c
37366--- linux-2.6.32.48/drivers/net/vxge/vxge-main.c 2011-11-08 19:02:43.000000000 -0500
37367+++ linux-2.6.32.48/drivers/net/vxge/vxge-main.c 2011-11-15 19:59:43.000000000 -0500
37368@@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
37369 struct sk_buff *completed[NR_SKB_COMPLETED];
37370 int more;
37371
37372+ pax_track_stack();
37373+
37374 do {
37375 more = 0;
37376 skb_ptr = completed;
37377@@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
37378 u8 mtable[256] = {0}; /* CPU to vpath mapping */
37379 int index;
37380
37381+ pax_track_stack();
37382+
37383 /*
37384 * Filling
37385 * - itable with bucket numbers
37386diff -urNp linux-2.6.32.48/drivers/net/vxge/vxge-traffic.h linux-2.6.32.48/drivers/net/vxge/vxge-traffic.h
37387--- linux-2.6.32.48/drivers/net/vxge/vxge-traffic.h 2011-11-08 19:02:43.000000000 -0500
37388+++ linux-2.6.32.48/drivers/net/vxge/vxge-traffic.h 2011-11-15 19:59:43.000000000 -0500
37389@@ -2123,7 +2123,7 @@ struct vxge_hw_mempool_cbs {
37390 struct vxge_hw_mempool_dma *dma_object,
37391 u32 index,
37392 u32 is_last);
37393-};
37394+} __no_const;
37395
37396 void
37397 __vxge_hw_mempool_destroy(
37398diff -urNp linux-2.6.32.48/drivers/net/wan/cycx_x25.c linux-2.6.32.48/drivers/net/wan/cycx_x25.c
37399--- linux-2.6.32.48/drivers/net/wan/cycx_x25.c 2011-11-08 19:02:43.000000000 -0500
37400+++ linux-2.6.32.48/drivers/net/wan/cycx_x25.c 2011-11-15 19:59:43.000000000 -0500
37401@@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
37402 unsigned char hex[1024],
37403 * phex = hex;
37404
37405+ pax_track_stack();
37406+
37407 if (len >= (sizeof(hex) / 2))
37408 len = (sizeof(hex) / 2) - 1;
37409
37410diff -urNp linux-2.6.32.48/drivers/net/wan/hdlc_x25.c linux-2.6.32.48/drivers/net/wan/hdlc_x25.c
37411--- linux-2.6.32.48/drivers/net/wan/hdlc_x25.c 2011-11-08 19:02:43.000000000 -0500
37412+++ linux-2.6.32.48/drivers/net/wan/hdlc_x25.c 2011-11-15 19:59:43.000000000 -0500
37413@@ -136,16 +136,16 @@ static netdev_tx_t x25_xmit(struct sk_bu
37414
37415 static int x25_open(struct net_device *dev)
37416 {
37417- struct lapb_register_struct cb;
37418+ static struct lapb_register_struct cb = {
37419+ .connect_confirmation = x25_connected,
37420+ .connect_indication = x25_connected,
37421+ .disconnect_confirmation = x25_disconnected,
37422+ .disconnect_indication = x25_disconnected,
37423+ .data_indication = x25_data_indication,
37424+ .data_transmit = x25_data_transmit
37425+ };
37426 int result;
37427
37428- cb.connect_confirmation = x25_connected;
37429- cb.connect_indication = x25_connected;
37430- cb.disconnect_confirmation = x25_disconnected;
37431- cb.disconnect_indication = x25_disconnected;
37432- cb.data_indication = x25_data_indication;
37433- cb.data_transmit = x25_data_transmit;
37434-
37435 result = lapb_register(dev, &cb);
37436 if (result != LAPB_OK)
37437 return result;
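Review bot: `cb` becomes a function-scope `static` but is not `const`, so this table of six callback pointers now sits in writable data for the lifetime of the module instead of on the stack for a single call. If the prototype of lapb_register (not visible here) accepts a pointer to const, `static const struct lapb_register_struct cb = {` would allow it to be placed read-only. Otherwise a comment stating that the table is never modified after initialisation would help. x25_open continues outside the hunk.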
37438diff -urNp linux-2.6.32.48/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.48/drivers/net/wimax/i2400m/usb-fw.c
37439--- linux-2.6.32.48/drivers/net/wimax/i2400m/usb-fw.c 2011-11-08 19:02:43.000000000 -0500
37440+++ linux-2.6.32.48/drivers/net/wimax/i2400m/usb-fw.c 2011-11-15 19:59:43.000000000 -0500
37441@@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
37442 int do_autopm = 1;
37443 DECLARE_COMPLETION_ONSTACK(notif_completion);
37444
37445+ pax_track_stack();
37446+
37447 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
37448 i2400m, ack, ack_size);
37449 BUG_ON(_ack == i2400m->bm_ack_buf);
37450diff -urNp linux-2.6.32.48/drivers/net/wireless/airo.c linux-2.6.32.48/drivers/net/wireless/airo.c
37451--- linux-2.6.32.48/drivers/net/wireless/airo.c 2011-11-08 19:02:43.000000000 -0500
37452+++ linux-2.6.32.48/drivers/net/wireless/airo.c 2011-11-15 19:59:43.000000000 -0500
37453@@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
37454 BSSListElement * loop_net;
37455 BSSListElement * tmp_net;
37456
37457+ pax_track_stack();
37458+
37459 /* Blow away current list of scan results */
37460 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
37461 list_move_tail (&loop_net->list, &ai->network_free_list);
37462@@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
37463 WepKeyRid wkr;
37464 int rc;
37465
37466+ pax_track_stack();
37467+
37468 memset( &mySsid, 0, sizeof( mySsid ) );
37469 kfree (ai->flash);
37470 ai->flash = NULL;
37471@@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
37472 __le32 *vals = stats.vals;
37473 int len;
37474
37475+ pax_track_stack();
37476+
37477 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
37478 return -ENOMEM;
37479 data = (struct proc_data *)file->private_data;
37480@@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
37481 /* If doLoseSync is not 1, we won't do a Lose Sync */
37482 int doLoseSync = -1;
37483
37484+ pax_track_stack();
37485+
37486 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
37487 return -ENOMEM;
37488 data = (struct proc_data *)file->private_data;
37489@@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
37490 int i;
37491 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
37492
37493+ pax_track_stack();
37494+
37495 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
37496 if (!qual)
37497 return -ENOMEM;
37498@@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
37499 CapabilityRid cap_rid;
37500 __le32 *vals = stats_rid.vals;
37501
37502+ pax_track_stack();
37503+
37504 /* Get stats out of the card */
37505 clear_bit(JOB_WSTATS, &local->jobs);
37506 if (local->power.event) {
37507diff -urNp linux-2.6.32.48/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.48/drivers/net/wireless/ath/ath5k/debug.c
37508--- linux-2.6.32.48/drivers/net/wireless/ath/ath5k/debug.c 2011-11-08 19:02:43.000000000 -0500
37509+++ linux-2.6.32.48/drivers/net/wireless/ath/ath5k/debug.c 2011-11-15 19:59:43.000000000 -0500
37510@@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
37511 unsigned int v;
37512 u64 tsf;
37513
37514+ pax_track_stack();
37515+
37516 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
37517 len += snprintf(buf+len, sizeof(buf)-len,
37518 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
37519@@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
37520 unsigned int len = 0;
37521 unsigned int i;
37522
37523+ pax_track_stack();
37524+
37525 len += snprintf(buf+len, sizeof(buf)-len,
37526 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
37527
37528diff -urNp linux-2.6.32.48/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.48/drivers/net/wireless/ath/ath9k/debug.c
37529--- linux-2.6.32.48/drivers/net/wireless/ath/ath9k/debug.c 2011-11-08 19:02:43.000000000 -0500
37530+++ linux-2.6.32.48/drivers/net/wireless/ath/ath9k/debug.c 2011-11-15 19:59:43.000000000 -0500
37531@@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
37532 char buf[512];
37533 unsigned int len = 0;
37534
37535+ pax_track_stack();
37536+
37537 len += snprintf(buf + len, sizeof(buf) - len,
37538 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
37539 len += snprintf(buf + len, sizeof(buf) - len,
37540@@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
37541 int i;
37542 u8 addr[ETH_ALEN];
37543
37544+ pax_track_stack();
37545+
37546 len += snprintf(buf + len, sizeof(buf) - len,
37547 "primary: %s (%s chan=%d ht=%d)\n",
37548 wiphy_name(sc->pri_wiphy->hw->wiphy),
37549diff -urNp linux-2.6.32.48/drivers/net/wireless/b43/debugfs.c linux-2.6.32.48/drivers/net/wireless/b43/debugfs.c
37550--- linux-2.6.32.48/drivers/net/wireless/b43/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37551+++ linux-2.6.32.48/drivers/net/wireless/b43/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37552@@ -43,7 +43,7 @@ static struct dentry *rootdir;
37553 struct b43_debugfs_fops {
37554 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
37555 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
37556- struct file_operations fops;
37557+ const struct file_operations fops;
37558 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
37559 size_t file_struct_offset;
37560 };
37561diff -urNp linux-2.6.32.48/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.48/drivers/net/wireless/b43legacy/debugfs.c
37562--- linux-2.6.32.48/drivers/net/wireless/b43legacy/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37563+++ linux-2.6.32.48/drivers/net/wireless/b43legacy/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37564@@ -44,7 +44,7 @@ static struct dentry *rootdir;
37565 struct b43legacy_debugfs_fops {
37566 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
37567 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
37568- struct file_operations fops;
37569+ const struct file_operations fops;
37570 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
37571 size_t file_struct_offset;
37572 /* Take wl->irq_lock before calling read/write? */
37573diff -urNp linux-2.6.32.48/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.48/drivers/net/wireless/ipw2x00/ipw2100.c
37574--- linux-2.6.32.48/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-08 19:02:43.000000000 -0500
37575+++ linux-2.6.32.48/drivers/net/wireless/ipw2x00/ipw2100.c 2011-11-15 19:59:43.000000000 -0500
37576@@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
37577 int err;
37578 DECLARE_SSID_BUF(ssid);
37579
37580+ pax_track_stack();
37581+
37582 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
37583
37584 if (ssid_len)
37585@@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
37586 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
37587 int err;
37588
37589+ pax_track_stack();
37590+
37591 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
37592 idx, keylen, len);
37593
37594diff -urNp linux-2.6.32.48/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.48/drivers/net/wireless/ipw2x00/libipw_rx.c
37595--- linux-2.6.32.48/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-08 19:02:43.000000000 -0500
37596+++ linux-2.6.32.48/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-11-15 19:59:43.000000000 -0500
37597@@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
37598 unsigned long flags;
37599 DECLARE_SSID_BUF(ssid);
37600
37601+ pax_track_stack();
37602+
37603 LIBIPW_DEBUG_SCAN("'%s' (%pM"
37604 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
37605 print_ssid(ssid, info_element->data, info_element->len),
37606diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-1000.c
37607--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-11-08 19:02:43.000000000 -0500
37608+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-11-15 19:59:43.000000000 -0500
37609@@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
37610 },
37611 };
37612
37613-static struct iwl_ops iwl1000_ops = {
37614+static const struct iwl_ops iwl1000_ops = {
37615 .ucode = &iwl5000_ucode,
37616 .lib = &iwl1000_lib,
37617 .hcmd = &iwl5000_hcmd,
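Review bot: Making `iwl1000_ops` const protects only the pointers in the top-level table; the tables they point to stay writable. The hunk header still shows `static struct iwl_lib_ops iwl1000_lib` without const, and the iwl-dev.h hunk leaves `iwl5000_ucode`, `iwl5000_lib` and `iwl5000_hcmd` as non-const externs, so the function pointers that are actually called remain in writable data. If those sub-tables are never modified at run time they could be const as well, e.g. `static const struct iwl_lib_ops iwl1000_lib`, with matching const on the `struct iwl_ops` members; that needs checking against code outside this hunk. The same applies to the iwl-3945.c, iwl-4965.c, iwl-5000.c and iwl-6000.c hunks.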
37618diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl3945-base.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl3945-base.c
37619--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-11-08 19:02:43.000000000 -0500
37620+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl3945-base.c 2011-11-15 19:59:43.000000000 -0500
37621@@ -3927,7 +3927,9 @@ static int iwl3945_pci_probe(struct pci_
37622 */
37623 if (iwl3945_mod_params.disable_hw_scan) {
37624 IWL_DEBUG_INFO(priv, "Disabling hw_scan\n");
37625- iwl3945_hw_ops.hw_scan = NULL;
37626+ pax_open_kernel();
37627+ *(void **)&iwl3945_hw_ops.hw_scan = NULL;
37628+ pax_close_kernel();
37629 }
37630
37631
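Review bot: The store `*(void **)&iwl3945_hw_ops.hw_scan = NULL;` casts away both the qualifier and the function-pointer type, and nothing at the site says why the `pax_open_kernel()`/`pax_close_kernel()` window is needed. Assuming the patch places `iwl3945_hw_ops` in read-only memory (not shown in this hunk), a comment such as `/* ops table is read-only; open a write window just long enough to clear hw_scan */` would document it. The table appears to be a single global, so a module parameter ends up patching data shared by every device the driver probes; choosing between two const ops tables would avoid the write window, though that is a larger change than this hunk. The iwl-agn.c hunk does the same for `iwl_hw_ops.hw_scan`. iwl3945_pci_probe continues outside the hunk.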
37632diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-3945.c
37633--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-11-08 19:02:43.000000000 -0500
37634+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-11-15 19:59:43.000000000 -0500
37635@@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
37636 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
37637 };
37638
37639-static struct iwl_ops iwl3945_ops = {
37640+static const struct iwl_ops iwl3945_ops = {
37641 .ucode = &iwl3945_ucode,
37642 .lib = &iwl3945_lib,
37643 .hcmd = &iwl3945_hcmd,
37644diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-4965.c
37645--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-11-08 19:02:43.000000000 -0500
37646+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-11-15 19:59:43.000000000 -0500
37647@@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
37648 },
37649 };
37650
37651-static struct iwl_ops iwl4965_ops = {
37652+static const struct iwl_ops iwl4965_ops = {
37653 .ucode = &iwl4965_ucode,
37654 .lib = &iwl4965_lib,
37655 .hcmd = &iwl4965_hcmd,
37656diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-5000.c
37657--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-11-08 19:02:43.000000000 -0500
37658+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-11-15 19:59:43.000000000 -0500
37659@@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
37660 },
37661 };
37662
37663-struct iwl_ops iwl5000_ops = {
37664+const struct iwl_ops iwl5000_ops = {
37665 .ucode = &iwl5000_ucode,
37666 .lib = &iwl5000_lib,
37667 .hcmd = &iwl5000_hcmd,
37668 .utils = &iwl5000_hcmd_utils,
37669 };
37670
37671-static struct iwl_ops iwl5150_ops = {
37672+static const struct iwl_ops iwl5150_ops = {
37673 .ucode = &iwl5000_ucode,
37674 .lib = &iwl5150_lib,
37675 .hcmd = &iwl5000_hcmd,
37676diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-6000.c
37677--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-11-08 19:02:43.000000000 -0500
37678+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-11-15 19:59:43.000000000 -0500
37679@@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
37680 .calc_rssi = iwl5000_calc_rssi,
37681 };
37682
37683-static struct iwl_ops iwl6000_ops = {
37684+static const struct iwl_ops iwl6000_ops = {
37685 .ucode = &iwl5000_ucode,
37686 .lib = &iwl6000_lib,
37687 .hcmd = &iwl5000_hcmd,
37688diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn.c
37689--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-11-08 19:02:43.000000000 -0500
37690+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn.c 2011-11-15 19:59:43.000000000 -0500
37691@@ -2911,7 +2911,9 @@ static int iwl_pci_probe(struct pci_dev
37692 if (iwl_debug_level & IWL_DL_INFO)
37693 dev_printk(KERN_DEBUG, &(pdev->dev),
37694 "Disabling hw_scan\n");
37695- iwl_hw_ops.hw_scan = NULL;
37696+ pax_open_kernel();
37697+ *(void **)&iwl_hw_ops.hw_scan = NULL;
37698+ pax_close_kernel();
37699 }
37700
37701 hw = iwl_alloc_all(cfg, &iwl_hw_ops);
37702diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
37703--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-08 19:02:43.000000000 -0500
37704+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-11-15 19:59:43.000000000 -0500
37705@@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
37706 u8 active_index = 0;
37707 s32 tpt = 0;
37708
37709+ pax_track_stack();
37710+
37711 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
37712
37713 if (!ieee80211_is_data(hdr->frame_control) ||
37714@@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
37715 u8 valid_tx_ant = 0;
37716 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
37717
37718+ pax_track_stack();
37719+
37720 /* Override starting rate (index 0) if needed for debug purposes */
37721 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
37722
37723diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debugfs.c
37724--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-08 19:02:43.000000000 -0500
37725+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-11-15 19:59:43.000000000 -0500
37726@@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
37727 int pos = 0;
37728 const size_t bufsz = sizeof(buf);
37729
37730+ pax_track_stack();
37731+
37732 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
37733 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
37734 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
37735@@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
37736 const size_t bufsz = sizeof(buf);
37737 ssize_t ret;
37738
37739+ pax_track_stack();
37740+
37741 for (i = 0; i < AC_NUM; i++) {
37742 pos += scnprintf(buf + pos, bufsz - pos,
37743 "\tcw_min\tcw_max\taifsn\ttxop\n");
37744diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debug.h
37745--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-11-08 19:02:43.000000000 -0500
37746+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-11-15 19:59:43.000000000 -0500
37747@@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
37748 #endif
37749
37750 #else
37751-#define IWL_DEBUG(__priv, level, fmt, args...)
37752-#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
37753+#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
37754+#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
37755 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
37756 void *p, u32 len)
37757 {}
37758diff -urNp linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-dev.h
37759--- linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-11-08 19:02:43.000000000 -0500
37760+++ linux-2.6.32.48/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-11-15 19:59:43.000000000 -0500
37761@@ -68,7 +68,7 @@ struct iwl_tx_queue;
37762
37763 /* shared structures from iwl-5000.c */
37764 extern struct iwl_mod_params iwl50_mod_params;
37765-extern struct iwl_ops iwl5000_ops;
37766+extern const struct iwl_ops iwl5000_ops;
37767 extern struct iwl_ucode_ops iwl5000_ucode;
37768 extern struct iwl_lib_ops iwl5000_lib;
37769 extern struct iwl_hcmd_ops iwl5000_hcmd;
37770diff -urNp linux-2.6.32.48/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.48/drivers/net/wireless/iwmc3200wifi/debugfs.c
37771--- linux-2.6.32.48/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37772+++ linux-2.6.32.48/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37773@@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
37774 int buf_len = 512;
37775 size_t len = 0;
37776
37777+ pax_track_stack();
37778+
37779 if (*ppos != 0)
37780 return 0;
37781 if (count < sizeof(buf))
37782diff -urNp linux-2.6.32.48/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.48/drivers/net/wireless/libertas/debugfs.c
37783--- linux-2.6.32.48/drivers/net/wireless/libertas/debugfs.c 2011-11-08 19:02:43.000000000 -0500
37784+++ linux-2.6.32.48/drivers/net/wireless/libertas/debugfs.c 2011-11-15 19:59:43.000000000 -0500
37785@@ -708,7 +708,7 @@ out_unlock:
37786 struct lbs_debugfs_files {
37787 const char *name;
37788 int perm;
37789- struct file_operations fops;
37790+ const struct file_operations fops;
37791 };
37792
37793 static const struct lbs_debugfs_files debugfs_files[] = {
37794diff -urNp linux-2.6.32.48/drivers/net/wireless/rndis_wlan.c linux-2.6.32.48/drivers/net/wireless/rndis_wlan.c
37795--- linux-2.6.32.48/drivers/net/wireless/rndis_wlan.c 2011-11-08 19:02:43.000000000 -0500
37796+++ linux-2.6.32.48/drivers/net/wireless/rndis_wlan.c 2011-11-15 19:59:43.000000000 -0500
37797@@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
37798
37799 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
37800
37801- if (rts_threshold < 0 || rts_threshold > 2347)
37802+ if (rts_threshold > 2347)
37803 rts_threshold = 2347;
37804
37805 tmp = cpu_to_le32(rts_threshold);
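Review bot: Dropping `rts_threshold < 0` is only equivalent if `rts_threshold` has an unsigned type, and the parameter list is cut off in the hunk header, so that cannot be confirmed from here. If it is signed, a negative value now reaches `cpu_to_le32(rts_threshold)` without being clamped. A named constant for 2347 would also make the clamp self-explanatory. set_rts_threshold continues outside the hunk.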
37806diff -urNp linux-2.6.32.48/drivers/oprofile/buffer_sync.c linux-2.6.32.48/drivers/oprofile/buffer_sync.c
37807--- linux-2.6.32.48/drivers/oprofile/buffer_sync.c 2011-11-08 19:02:43.000000000 -0500
37808+++ linux-2.6.32.48/drivers/oprofile/buffer_sync.c 2011-11-15 19:59:43.000000000 -0500
37809@@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
37810 if (cookie == NO_COOKIE)
37811 offset = pc;
37812 if (cookie == INVALID_COOKIE) {
37813- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
37814+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
37815 offset = pc;
37816 }
37817 if (cookie != last_cookie) {
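Review bot: The conversion of `oprofile_stats.sample_lost_no_mapping` to `atomic_inc_unchecked` presumably exempts it from overflow checking because it is a statistics counter and not a reference count, but nothing records that reasoning. A comment on `struct oprofile_stat_struct` in oprofile_stats.h, such as `/* statistics only: wraparound is harmless, hence atomic_unchecked_t */`, would keep a later change from adding a lifetime-guarding counter to that struct with the unchecked type. The same conversion is repeated in the other buffer_sync.c hunks and in event_buffer.c, oprof.c and oprofile_stats.c. add_data starts and ends outside the hunk.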
37818@@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
37819 /* add userspace sample */
37820
37821 if (!mm) {
37822- atomic_inc(&oprofile_stats.sample_lost_no_mm);
37823+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
37824 return 0;
37825 }
37826
37827 cookie = lookup_dcookie(mm, s->eip, &offset);
37828
37829 if (cookie == INVALID_COOKIE) {
37830- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
37831+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
37832 return 0;
37833 }
37834
37835@@ -561,7 +561,7 @@ void sync_buffer(int cpu)
37836 /* ignore backtraces if failed to add a sample */
37837 if (state == sb_bt_start) {
37838 state = sb_bt_ignore;
37839- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
37840+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
37841 }
37842 }
37843 release_mm(mm);
37844diff -urNp linux-2.6.32.48/drivers/oprofile/event_buffer.c linux-2.6.32.48/drivers/oprofile/event_buffer.c
37845--- linux-2.6.32.48/drivers/oprofile/event_buffer.c 2011-11-08 19:02:43.000000000 -0500
37846+++ linux-2.6.32.48/drivers/oprofile/event_buffer.c 2011-11-15 19:59:43.000000000 -0500
37847@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
37848 }
37849
37850 if (buffer_pos == buffer_size) {
37851- atomic_inc(&oprofile_stats.event_lost_overflow);
37852+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
37853 return;
37854 }
37855
37856diff -urNp linux-2.6.32.48/drivers/oprofile/oprof.c linux-2.6.32.48/drivers/oprofile/oprof.c
37857--- linux-2.6.32.48/drivers/oprofile/oprof.c 2011-11-08 19:02:43.000000000 -0500
37858+++ linux-2.6.32.48/drivers/oprofile/oprof.c 2011-11-15 19:59:43.000000000 -0500
37859@@ -110,7 +110,7 @@ static void switch_worker(struct work_st
37860 if (oprofile_ops.switch_events())
37861 return;
37862
37863- atomic_inc(&oprofile_stats.multiplex_counter);
37864+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
37865 start_switch_worker();
37866 }
37867
37868diff -urNp linux-2.6.32.48/drivers/oprofile/oprofilefs.c linux-2.6.32.48/drivers/oprofile/oprofilefs.c
37869--- linux-2.6.32.48/drivers/oprofile/oprofilefs.c 2011-11-08 19:02:43.000000000 -0500
37870+++ linux-2.6.32.48/drivers/oprofile/oprofilefs.c 2011-11-15 19:59:43.000000000 -0500
37871@@ -187,7 +187,7 @@ static const struct file_operations atom
37872
37873
37874 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
37875- char const *name, atomic_t *val)
37876+ char const *name, atomic_unchecked_t *val)
37877 {
37878 struct dentry *d = __oprofilefs_create_file(sb, root, name,
37879 &atomic_ro_fops, 0444);
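Review bot: Only the creator's parameter changes to `atomic_unchecked_t *val`; the read handler behind `atomic_ro_fops` is not part of this hunk, so if it still treats the stored pointer as `atomic_t *` the counter is read through the checked accessor on an unchecked object. That works only while both types share a layout, and reading with `atomic_read_unchecked` on the read side would make the pairing explicit. This should be confirmed against the part of oprofilefs.c outside the hunk; the function body also continues past it.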
37880diff -urNp linux-2.6.32.48/drivers/oprofile/oprofile_stats.c linux-2.6.32.48/drivers/oprofile/oprofile_stats.c
37881--- linux-2.6.32.48/drivers/oprofile/oprofile_stats.c 2011-11-08 19:02:43.000000000 -0500
37882+++ linux-2.6.32.48/drivers/oprofile/oprofile_stats.c 2011-11-15 19:59:43.000000000 -0500
37883@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
37884 cpu_buf->sample_invalid_eip = 0;
37885 }
37886
37887- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
37888- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
37889- atomic_set(&oprofile_stats.event_lost_overflow, 0);
37890- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
37891- atomic_set(&oprofile_stats.multiplex_counter, 0);
37892+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
37893+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
37894+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
37895+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
37896+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
37897 }
37898
37899
37900diff -urNp linux-2.6.32.48/drivers/oprofile/oprofile_stats.h linux-2.6.32.48/drivers/oprofile/oprofile_stats.h
37901--- linux-2.6.32.48/drivers/oprofile/oprofile_stats.h 2011-11-08 19:02:43.000000000 -0500
37902+++ linux-2.6.32.48/drivers/oprofile/oprofile_stats.h 2011-11-15 19:59:43.000000000 -0500
37903@@ -13,11 +13,11 @@
37904 #include <asm/atomic.h>
37905
37906 struct oprofile_stat_struct {
37907- atomic_t sample_lost_no_mm;
37908- atomic_t sample_lost_no_mapping;
37909- atomic_t bt_lost_no_mapping;
37910- atomic_t event_lost_overflow;
37911- atomic_t multiplex_counter;
37912+ atomic_unchecked_t sample_lost_no_mm;
37913+ atomic_unchecked_t sample_lost_no_mapping;
37914+ atomic_unchecked_t bt_lost_no_mapping;
37915+ atomic_unchecked_t event_lost_overflow;
37916+ atomic_unchecked_t multiplex_counter;
37917 };
37918
37919 extern struct oprofile_stat_struct oprofile_stats;
37920diff -urNp linux-2.6.32.48/drivers/parisc/pdc_stable.c linux-2.6.32.48/drivers/parisc/pdc_stable.c
37921--- linux-2.6.32.48/drivers/parisc/pdc_stable.c 2011-11-08 19:02:43.000000000 -0500
37922+++ linux-2.6.32.48/drivers/parisc/pdc_stable.c 2011-11-15 19:59:43.000000000 -0500
37923@@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
37924 return ret;
37925 }
37926
37927-static struct sysfs_ops pdcspath_attr_ops = {
37928+static const struct sysfs_ops pdcspath_attr_ops = {
37929 .show = pdcspath_attr_show,
37930 .store = pdcspath_attr_store,
37931 };
37932diff -urNp linux-2.6.32.48/drivers/parport/procfs.c linux-2.6.32.48/drivers/parport/procfs.c
37933--- linux-2.6.32.48/drivers/parport/procfs.c 2011-11-08 19:02:43.000000000 -0500
37934+++ linux-2.6.32.48/drivers/parport/procfs.c 2011-11-15 19:59:43.000000000 -0500
37935@@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
37936
37937 *ppos += len;
37938
37939- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
37940+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
37941 }
37942
37943 #ifdef CONFIG_PARPORT_1284
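Review bot: The new `len > sizeof buffer` test runs after `*ppos += len;`, so when it fires the file position has already been advanced by a length the function then rejects. Moving the check ahead of the position update, e.g. `if (len > sizeof buffer) return -EFAULT;` before `*ppos += len;`, keeps the state consistent. The check also guards only the copy to user space: if `len` can exceed the buffer, whatever filled `buffer` earlier in do_active_device (outside the hunk) has presumably already written past it, so the producer should be bounded as well. do_autoprobe in the next hunk has the same ordering.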
37944@@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
37945
37946 *ppos += len;
37947
37948- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
37949+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
37950 }
37951 #endif /* IEEE1284.3 support. */
37952
37953diff -urNp linux-2.6.32.48/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.48/drivers/pci/hotplug/acpiphp_glue.c
37954--- linux-2.6.32.48/drivers/pci/hotplug/acpiphp_glue.c 2011-11-08 19:02:43.000000000 -0500
37955+++ linux-2.6.32.48/drivers/pci/hotplug/acpiphp_glue.c 2011-11-15 19:59:43.000000000 -0500
37956@@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
37957 }
37958
37959
37960-static struct acpi_dock_ops acpiphp_dock_ops = {
37961+static const struct acpi_dock_ops acpiphp_dock_ops = {
37962 .handler = handle_hotplug_event_func,
37963 };
37964
37965diff -urNp linux-2.6.32.48/drivers/pci/hotplug/cpci_hotplug.h linux-2.6.32.48/drivers/pci/hotplug/cpci_hotplug.h
37966--- linux-2.6.32.48/drivers/pci/hotplug/cpci_hotplug.h 2011-11-08 19:02:43.000000000 -0500
37967+++ linux-2.6.32.48/drivers/pci/hotplug/cpci_hotplug.h 2011-11-15 19:59:43.000000000 -0500
37968@@ -59,7 +59,7 @@ struct cpci_hp_controller_ops {
37969 int (*hardware_test) (struct slot* slot, u32 value);
37970 u8 (*get_power) (struct slot* slot);
37971 int (*set_power) (struct slot* slot, int value);
37972-};
37973+} __no_const;
37974
37975 struct cpci_hp_controller {
37976 unsigned int irq;
37977diff -urNp linux-2.6.32.48/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.48/drivers/pci/hotplug/cpqphp_nvram.c
37978--- linux-2.6.32.48/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-08 19:02:43.000000000 -0500
37979+++ linux-2.6.32.48/drivers/pci/hotplug/cpqphp_nvram.c 2011-11-15 19:59:43.000000000 -0500
37980@@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
37981
37982 void compaq_nvram_init (void __iomem *rom_start)
37983 {
37984+
37985+#ifndef CONFIG_PAX_KERNEXEC
37986 if (rom_start) {
37987 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
37988 }
37989+#endif
37990+
37991 dbg("int15 entry = %p\n", compaq_int15_entry_point);
37992
37993 /* initialize our int15 lock */
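Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned in compaq_nvram_init, and the hunk gives no reason for compiling the assignment out. A comment above the `#ifndef`, for example `/* KERNEXEC: no entry point into the ROM mapping is taken, so int15 NVRAM access is unavailable */` (wording for the author to confirm), would document the intent. Every caller that jumps through the pointer then has to handle it being unset; those callers are outside the hunk. The added blank line directly after the opening brace is stray, and the function continues past the hunk.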
37994diff -urNp linux-2.6.32.48/drivers/pci/hotplug/fakephp.c linux-2.6.32.48/drivers/pci/hotplug/fakephp.c
37995--- linux-2.6.32.48/drivers/pci/hotplug/fakephp.c 2011-11-08 19:02:43.000000000 -0500
37996+++ linux-2.6.32.48/drivers/pci/hotplug/fakephp.c 2011-11-15 19:59:43.000000000 -0500
37997@@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
37998 }
37999
38000 static struct kobj_type legacy_ktype = {
38001- .sysfs_ops = &(struct sysfs_ops){
38002+ .sysfs_ops = &(const struct sysfs_ops){
38003 .store = legacy_store, .show = legacy_show
38004 },
38005 .release = &legacy_release,
38006diff -urNp linux-2.6.32.48/drivers/pci/intel-iommu.c linux-2.6.32.48/drivers/pci/intel-iommu.c
38007--- linux-2.6.32.48/drivers/pci/intel-iommu.c 2011-11-08 19:02:43.000000000 -0500
38008+++ linux-2.6.32.48/drivers/pci/intel-iommu.c 2011-11-15 19:59:43.000000000 -0500
38009@@ -2643,7 +2643,7 @@ error:
38010 return 0;
38011 }
38012
38013-static dma_addr_t intel_map_page(struct device *dev, struct page *page,
38014+dma_addr_t intel_map_page(struct device *dev, struct page *page,
38015 unsigned long offset, size_t size,
38016 enum dma_data_direction dir,
38017 struct dma_attrs *attrs)
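Review bot: Removing `static` from `intel_map_page` gives it external linkage, but no prototype or header change appears in this file section, so the other user of the symbol is not visible here. If another translation unit references these functions, a declaration in a shared header keeps the signatures checked at compile time; if none does, they should stay `static` so the kernel's global namespace and callable surface are not widened. The same applies to `intel_unmap_page`, `intel_alloc_coherent`, `intel_free_coherent`, `intel_unmap_sg`, `intel_map_sg` and `intel_mapping_error` in the following hunks. intel_map_page's body is outside the hunk.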
38018@@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
38019 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
38020 }
38021
38022-static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
38023+void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
38024 size_t size, enum dma_data_direction dir,
38025 struct dma_attrs *attrs)
38026 {
38027@@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
38028 }
38029 }
38030
38031-static void *intel_alloc_coherent(struct device *hwdev, size_t size,
38032+void *intel_alloc_coherent(struct device *hwdev, size_t size,
38033 dma_addr_t *dma_handle, gfp_t flags)
38034 {
38035 void *vaddr;
38036@@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
38037 return NULL;
38038 }
38039
38040-static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
38041+void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
38042 dma_addr_t dma_handle)
38043 {
38044 int order;
38045@@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
38046 free_pages((unsigned long)vaddr, order);
38047 }
38048
38049-static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
38050+void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
38051 int nelems, enum dma_data_direction dir,
38052 struct dma_attrs *attrs)
38053 {
38054@@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
38055 return nelems;
38056 }
38057
38058-static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
38059+int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
38060 enum dma_data_direction dir, struct dma_attrs *attrs)
38061 {
38062 int i;
38063@@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
38064 return nelems;
38065 }
38066
38067-static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
38068+int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
38069 {
38070 return !dma_addr;
38071 }
38072
38073-struct dma_map_ops intel_dma_ops = {
38074+const struct dma_map_ops intel_dma_ops = {
38075 .alloc_coherent = intel_alloc_coherent,
38076 .free_coherent = intel_free_coherent,
38077 .map_sg = intel_map_sg,
38078diff -urNp linux-2.6.32.48/drivers/pci/pcie/aspm.c linux-2.6.32.48/drivers/pci/pcie/aspm.c
38079--- linux-2.6.32.48/drivers/pci/pcie/aspm.c 2011-11-08 19:02:43.000000000 -0500
38080+++ linux-2.6.32.48/drivers/pci/pcie/aspm.c 2011-11-15 19:59:43.000000000 -0500
38081@@ -27,9 +27,9 @@
38082 #define MODULE_PARAM_PREFIX "pcie_aspm."
38083
38084 /* Note: those are not register definitions */
38085-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
38086-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
38087-#define ASPM_STATE_L1 (4) /* L1 state */
38088+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
38089+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
38090+#define ASPM_STATE_L1 (4U) /* L1 state */
38091 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
38092 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
38093
38094diff -urNp linux-2.6.32.48/drivers/pci/probe.c linux-2.6.32.48/drivers/pci/probe.c
38095--- linux-2.6.32.48/drivers/pci/probe.c 2011-11-08 19:02:43.000000000 -0500
38096+++ linux-2.6.32.48/drivers/pci/probe.c 2011-11-15 19:59:43.000000000 -0500
38097@@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
38098 return ret;
38099 }
38100
38101-static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
38102+static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
38103 struct device_attribute *attr,
38104 char *buf)
38105 {
38106 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
38107 }
38108
38109-static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
38110+static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
38111 struct device_attribute *attr,
38112 char *buf)
38113 {
38114diff -urNp linux-2.6.32.48/drivers/pci/proc.c linux-2.6.32.48/drivers/pci/proc.c
38115--- linux-2.6.32.48/drivers/pci/proc.c 2011-11-08 19:02:43.000000000 -0500
38116+++ linux-2.6.32.48/drivers/pci/proc.c 2011-11-15 19:59:43.000000000 -0500
38117@@ -480,7 +480,16 @@ static const struct file_operations proc
38118 static int __init pci_proc_init(void)
38119 {
38120 struct pci_dev *dev = NULL;
38121+
38122+#ifdef CONFIG_GRKERNSEC_PROC_ADD
38123+#ifdef CONFIG_GRKERNSEC_PROC_USER
38124+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
38125+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38126+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
38127+#endif
38128+#else
38129 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
38130+#endif
38131 proc_create("devices", 0, proc_bus_pci_dir,
38132 &proc_bus_pci_dev_operations);
38133 proc_initialized = 1;
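Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, no branch assigns `proc_bus_pci_dir`, yet the next statement passes it to `proc_create("devices", ...)` with whatever value it had before. Unless Kconfig guarantees that one of the two is always selected together with PROC_ADD (not visible here), the inner conditional needs a fallback: `#else` followed by `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` before its `#endif`. The result of `proc_mkdir_mode()` is also used without a NULL check, as in the original code. pci_proc_init continues outside the hunk.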
38134diff -urNp linux-2.6.32.48/drivers/pci/slot.c linux-2.6.32.48/drivers/pci/slot.c
38135--- linux-2.6.32.48/drivers/pci/slot.c 2011-11-08 19:02:43.000000000 -0500
38136+++ linux-2.6.32.48/drivers/pci/slot.c 2011-11-15 19:59:43.000000000 -0500
38137@@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
38138 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
38139 }
38140
38141-static struct sysfs_ops pci_slot_sysfs_ops = {
38142+static const struct sysfs_ops pci_slot_sysfs_ops = {
38143 .show = pci_slot_attr_show,
38144 .store = pci_slot_attr_store,
38145 };
38146diff -urNp linux-2.6.32.48/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.48/drivers/pcmcia/pcmcia_ioctl.c
38147--- linux-2.6.32.48/drivers/pcmcia/pcmcia_ioctl.c 2011-11-08 19:02:43.000000000 -0500
38148+++ linux-2.6.32.48/drivers/pcmcia/pcmcia_ioctl.c 2011-11-15 19:59:43.000000000 -0500
38149@@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
38150 return -EFAULT;
38151 }
38152 }
38153- buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
38154+ buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
38155 if (!buf)
38156 return -ENOMEM;
38157
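Review bot: The switch to `kzalloc` carries no comment saying why the buffer must be zeroed, so a later cleanup could revert it to `kmalloc`. If `buf` is later copied back to user space, as is usual for an ioctl argument buffer but not shown in this hunk, a one-line comment such as `/* zeroed: unwritten fields of buf must not expose stale heap data to user space */` would record the reason. ds_ioctl starts and ends outside the hunk.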
38158diff -urNp linux-2.6.32.48/drivers/platform/x86/acer-wmi.c linux-2.6.32.48/drivers/platform/x86/acer-wmi.c
38159--- linux-2.6.32.48/drivers/platform/x86/acer-wmi.c 2011-11-08 19:02:43.000000000 -0500
38160+++ linux-2.6.32.48/drivers/platform/x86/acer-wmi.c 2011-11-15 19:59:43.000000000 -0500
38161@@ -918,7 +918,7 @@ static int update_bl_status(struct backl
38162 return 0;
38163 }
38164
38165-static struct backlight_ops acer_bl_ops = {
38166+static const struct backlight_ops acer_bl_ops = {
38167 .get_brightness = read_brightness,
38168 .update_status = update_bl_status,
38169 };
38170diff -urNp linux-2.6.32.48/drivers/platform/x86/asus_acpi.c linux-2.6.32.48/drivers/platform/x86/asus_acpi.c
38171--- linux-2.6.32.48/drivers/platform/x86/asus_acpi.c 2011-11-08 19:02:43.000000000 -0500
38172+++ linux-2.6.32.48/drivers/platform/x86/asus_acpi.c 2011-11-15 19:59:43.000000000 -0500
38173@@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
38174 return 0;
38175 }
38176
38177-static struct backlight_ops asus_backlight_data = {
38178+static const struct backlight_ops asus_backlight_data = {
38179 .get_brightness = read_brightness,
38180 .update_status = set_brightness_status,
38181 };
38182diff -urNp linux-2.6.32.48/drivers/platform/x86/asus-laptop.c linux-2.6.32.48/drivers/platform/x86/asus-laptop.c
38183--- linux-2.6.32.48/drivers/platform/x86/asus-laptop.c 2011-11-08 19:02:43.000000000 -0500
38184+++ linux-2.6.32.48/drivers/platform/x86/asus-laptop.c 2011-11-15 19:59:43.000000000 -0500
38185@@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
38186 */
38187 static int read_brightness(struct backlight_device *bd);
38188 static int update_bl_status(struct backlight_device *bd);
38189-static struct backlight_ops asusbl_ops = {
38190+static const struct backlight_ops asusbl_ops = {
38191 .get_brightness = read_brightness,
38192 .update_status = update_bl_status,
38193 };
38194diff -urNp linux-2.6.32.48/drivers/platform/x86/compal-laptop.c linux-2.6.32.48/drivers/platform/x86/compal-laptop.c
38195--- linux-2.6.32.48/drivers/platform/x86/compal-laptop.c 2011-11-08 19:02:43.000000000 -0500
38196+++ linux-2.6.32.48/drivers/platform/x86/compal-laptop.c 2011-11-15 19:59:43.000000000 -0500
38197@@ -163,7 +163,7 @@ static int bl_update_status(struct backl
38198 return set_lcd_level(b->props.brightness);
38199 }
38200
38201-static struct backlight_ops compalbl_ops = {
38202+static const struct backlight_ops compalbl_ops = {
38203 .get_brightness = bl_get_brightness,
38204 .update_status = bl_update_status,
38205 };
38206diff -urNp linux-2.6.32.48/drivers/platform/x86/dell-laptop.c linux-2.6.32.48/drivers/platform/x86/dell-laptop.c
38207--- linux-2.6.32.48/drivers/platform/x86/dell-laptop.c 2011-11-08 19:02:43.000000000 -0500
38208+++ linux-2.6.32.48/drivers/platform/x86/dell-laptop.c 2011-11-15 19:59:43.000000000 -0500
38209@@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
38210 return buffer.output[1];
38211 }
38212
38213-static struct backlight_ops dell_ops = {
38214+static const struct backlight_ops dell_ops = {
38215 .get_brightness = dell_get_intensity,
38216 .update_status = dell_send_intensity,
38217 };
38218diff -urNp linux-2.6.32.48/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.48/drivers/platform/x86/eeepc-laptop.c
38219--- linux-2.6.32.48/drivers/platform/x86/eeepc-laptop.c 2011-11-08 19:02:43.000000000 -0500
38220+++ linux-2.6.32.48/drivers/platform/x86/eeepc-laptop.c 2011-11-15 19:59:43.000000000 -0500
38221@@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
38222 */
38223 static int read_brightness(struct backlight_device *bd);
38224 static int update_bl_status(struct backlight_device *bd);
38225-static struct backlight_ops eeepcbl_ops = {
38226+static const struct backlight_ops eeepcbl_ops = {
38227 .get_brightness = read_brightness,
38228 .update_status = update_bl_status,
38229 };
38230diff -urNp linux-2.6.32.48/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.48/drivers/platform/x86/fujitsu-laptop.c
38231--- linux-2.6.32.48/drivers/platform/x86/fujitsu-laptop.c 2011-11-08 19:02:43.000000000 -0500
38232+++ linux-2.6.32.48/drivers/platform/x86/fujitsu-laptop.c 2011-11-15 19:59:43.000000000 -0500
38233@@ -436,7 +436,7 @@ static int bl_update_status(struct backl
38234 return ret;
38235 }
38236
38237-static struct backlight_ops fujitsubl_ops = {
38238+static const struct backlight_ops fujitsubl_ops = {
38239 .get_brightness = bl_get_brightness,
38240 .update_status = bl_update_status,
38241 };
38242diff -urNp linux-2.6.32.48/drivers/platform/x86/msi-laptop.c linux-2.6.32.48/drivers/platform/x86/msi-laptop.c
38243--- linux-2.6.32.48/drivers/platform/x86/msi-laptop.c 2011-11-08 19:02:43.000000000 -0500
38244+++ linux-2.6.32.48/drivers/platform/x86/msi-laptop.c 2011-11-15 19:59:43.000000000 -0500
38245@@ -161,7 +161,7 @@ static int bl_update_status(struct backl
38246 return set_lcd_level(b->props.brightness);
38247 }
38248
38249-static struct backlight_ops msibl_ops = {
38250+static const struct backlight_ops msibl_ops = {
38251 .get_brightness = bl_get_brightness,
38252 .update_status = bl_update_status,
38253 };
38254diff -urNp linux-2.6.32.48/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.48/drivers/platform/x86/panasonic-laptop.c
38255--- linux-2.6.32.48/drivers/platform/x86/panasonic-laptop.c 2011-11-08 19:02:43.000000000 -0500
38256+++ linux-2.6.32.48/drivers/platform/x86/panasonic-laptop.c 2011-11-15 19:59:43.000000000 -0500
38257@@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
38258 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
38259 }
38260
38261-static struct backlight_ops pcc_backlight_ops = {
38262+static const struct backlight_ops pcc_backlight_ops = {
38263 .get_brightness = bl_get,
38264 .update_status = bl_set_status,
38265 };
38266diff -urNp linux-2.6.32.48/drivers/platform/x86/sony-laptop.c linux-2.6.32.48/drivers/platform/x86/sony-laptop.c
38267--- linux-2.6.32.48/drivers/platform/x86/sony-laptop.c 2011-11-08 19:02:43.000000000 -0500
38268+++ linux-2.6.32.48/drivers/platform/x86/sony-laptop.c 2011-11-15 19:59:43.000000000 -0500
38269@@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
38270 }
38271
38272 static struct backlight_device *sony_backlight_device;
38273-static struct backlight_ops sony_backlight_ops = {
38274+static const struct backlight_ops sony_backlight_ops = {
38275 .update_status = sony_backlight_update_status,
38276 .get_brightness = sony_backlight_get_brightness,
38277 };
38278diff -urNp linux-2.6.32.48/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.48/drivers/platform/x86/thinkpad_acpi.c
38279--- linux-2.6.32.48/drivers/platform/x86/thinkpad_acpi.c 2011-11-08 19:02:43.000000000 -0500
38280+++ linux-2.6.32.48/drivers/platform/x86/thinkpad_acpi.c 2011-11-15 19:59:43.000000000 -0500
38281@@ -2139,7 +2139,7 @@ static int hotkey_mask_get(void)
38282 return 0;
38283 }
38284
38285-void static hotkey_mask_warn_incomplete_mask(void)
38286+static void hotkey_mask_warn_incomplete_mask(void)
38287 {
38288 /* log only what the user can fix... */
38289 const u32 wantedmask = hotkey_driver_mask &
38290@@ -6125,7 +6125,7 @@ static void tpacpi_brightness_notify_cha
38291 BACKLIGHT_UPDATE_HOTKEY);
38292 }
38293
38294-static struct backlight_ops ibm_backlight_data = {
38295+static const struct backlight_ops ibm_backlight_data = {
38296 .get_brightness = brightness_get,
38297 .update_status = brightness_update_status,
38298 };
38299diff -urNp linux-2.6.32.48/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.48/drivers/platform/x86/toshiba_acpi.c
38300--- linux-2.6.32.48/drivers/platform/x86/toshiba_acpi.c 2011-11-08 19:02:43.000000000 -0500
38301+++ linux-2.6.32.48/drivers/platform/x86/toshiba_acpi.c 2011-11-15 19:59:43.000000000 -0500
38302@@ -671,7 +671,7 @@ static acpi_status remove_device(void)
38303 return AE_OK;
38304 }
38305
38306-static struct backlight_ops toshiba_backlight_data = {
38307+static const struct backlight_ops toshiba_backlight_data = {
38308 .get_brightness = get_lcd,
38309 .update_status = set_lcd_status,
38310 };
38311diff -urNp linux-2.6.32.48/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.48/drivers/pnp/pnpbios/bioscalls.c
38312--- linux-2.6.32.48/drivers/pnp/pnpbios/bioscalls.c 2011-11-08 19:02:43.000000000 -0500
38313+++ linux-2.6.32.48/drivers/pnp/pnpbios/bioscalls.c 2011-11-15 19:59:43.000000000 -0500
38314@@ -60,7 +60,7 @@ do { \
38315 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
38316 } while(0)
38317
38318-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
38319+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
38320 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
38321
38322 /*
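Review bot: The descriptor flags change from `0x4092` to `0x4093` without a comment, and the only difference is the low bit of the type field, the accessed bit. Presumably it is preset so the CPU never has to write that bit back into a GDT this patch treats as read-only (the later hunks wrap GDT stores in `pax_open_kernel()`/`pax_close_kernel()`), but nothing in the hunk says so. I would add `/* accessed bit preset: loading the selector must not write to the GDT */` above `bad_bios_desc`.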
38323@@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
38324
38325 cpu = get_cpu();
38326 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
38327+
38328+ pax_open_kernel();
38329 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
38330+ pax_close_kernel();
38331
38332 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
38333 spin_lock_irqsave(&pnp_bios_lock, flags);
38334@@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
38335 :"memory");
38336 spin_unlock_irqrestore(&pnp_bios_lock, flags);
38337
38338+ pax_open_kernel();
38339 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
38340+ pax_close_kernel();
38341+
38342 put_cpu();
38343
38344 /* If we get here and this is set then the PnP BIOS faulted on us. */
38345@@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
38346 return status;
38347 }
38348
38349-void pnpbios_calls_init(union pnp_bios_install_struct *header)
38350+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
38351 {
38352 int i;
38353
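Review bot: Marking `pnpbios_calls_init()` as `__init` means its text is discarded after boot, so every caller must itself be init-only. The callers are outside this hunk and should be checked, since a late call would execute freed memory. The body continues in the next two hunks, where `pax_open_kernel()` is called before the `for_each_possible_cpu` loop and `pax_close_kernel()` after it, so write protection stays lifted for the whole loop rather than just the descriptor stores. That is acceptable for one-time init, but a comment such as `/* GDT is read-only: window covers only the descriptor setup below */` would make the intended scope explicit.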
38354@@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
38355 pnp_bios_callpoint.offset = header->fields.pm16offset;
38356 pnp_bios_callpoint.segment = PNP_CS16;
38357
38358+ pax_open_kernel();
38359+
38360 for_each_possible_cpu(i) {
38361 struct desc_struct *gdt = get_cpu_gdt_table(i);
38362 if (!gdt)
38363@@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
38364 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
38365 (unsigned long)__va(header->fields.pm16dseg));
38366 }
38367+
38368+ pax_close_kernel();
38369 }
38370diff -urNp linux-2.6.32.48/drivers/pnp/resource.c linux-2.6.32.48/drivers/pnp/resource.c
38371--- linux-2.6.32.48/drivers/pnp/resource.c 2011-11-08 19:02:43.000000000 -0500
38372+++ linux-2.6.32.48/drivers/pnp/resource.c 2011-11-15 19:59:43.000000000 -0500
38373@@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
38374 return 1;
38375
38376 /* check if the resource is valid */
38377- if (*irq < 0 || *irq > 15)
38378+ if (*irq > 15)
38379 return 0;
38380
38381 /* check if the resource is reserved */
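Review bot: Dropping `*irq < 0` removes the lower-bound check, which is only safe if `*irq` has an unsigned type; the declaration of `irq` is outside the hunk, so that should be confirmed. If it is unsigned, the old comparison was always false and `*irq > 15` already rejects values that wrapped from negative. The same reasoning applies to the `*dma < 0` removal in `pnp_check_dma()` in the next hunk. A comment like `/* irq is unsigned, so only the upper bound needs checking */` would keep a later type change from silently losing the check.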
38382@@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
38383 return 1;
38384
38385 /* check if the resource is valid */
38386- if (*dma < 0 || *dma == 4 || *dma > 7)
38387+ if (*dma == 4 || *dma > 7)
38388 return 0;
38389
38390 /* check if the resource is reserved */
38391diff -urNp linux-2.6.32.48/drivers/power/bq27x00_battery.c linux-2.6.32.48/drivers/power/bq27x00_battery.c
38392--- linux-2.6.32.48/drivers/power/bq27x00_battery.c 2011-11-08 19:02:43.000000000 -0500
38393+++ linux-2.6.32.48/drivers/power/bq27x00_battery.c 2011-11-15 19:59:43.000000000 -0500
38394@@ -44,7 +44,7 @@ struct bq27x00_device_info;
38395 struct bq27x00_access_methods {
38396 int (*read)(u8 reg, int *rt_value, int b_single,
38397 struct bq27x00_device_info *di);
38398-};
38399+} __no_const;
38400
38401 struct bq27x00_device_info {
38402 struct device *dev;
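Review bot: `__no_const` exempts `struct bq27x00_access_methods` from the constification this patch applies to other ops tables, so its `read` pointer stays writable for the lifetime of the object, and the hunk gives no reason. Presumably the struct is filled in during device setup, but that assignment is not visible here. The same annotation is added without explanation to `struct adapter_ops` in aacraid.h, `struct bfa_hwif_s`, `struct bfa_ioc_cbfn_s` and `ips_hw_func_t` further down. Each should carry a one-line comment naming where the pointers are assigned, e.g. `/* __no_const: members are set at runtime during device setup */`, so the exemption can be revisited later.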
38403diff -urNp linux-2.6.32.48/drivers/rtc/rtc-dev.c linux-2.6.32.48/drivers/rtc/rtc-dev.c
38404--- linux-2.6.32.48/drivers/rtc/rtc-dev.c 2011-11-08 19:02:43.000000000 -0500
38405+++ linux-2.6.32.48/drivers/rtc/rtc-dev.c 2011-11-15 19:59:43.000000000 -0500
38406@@ -14,6 +14,7 @@
38407 #include <linux/module.h>
38408 #include <linux/rtc.h>
38409 #include <linux/sched.h>
38410+#include <linux/grsecurity.h>
38411 #include "rtc-core.h"
38412
38413 static dev_t rtc_devt;
38414@@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
38415 if (copy_from_user(&tm, uarg, sizeof(tm)))
38416 return -EFAULT;
38417
38418+ gr_log_timechange();
38419+
38420 return rtc_set_time(rtc, &tm);
38421
38422 case RTC_PIE_ON:
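Review bot: `gr_log_timechange()` is called before `rtc_set_time()` runs, so a time-change record is written even when the set then fails. If the log is meant to record actual clock changes rather than attempts, capture the result first, for example `err = rtc_set_time(rtc, &tm); if (!err) gr_log_timechange(); return err;`, assuming an `int err` is available in `rtc_dev_ioctl()`, whose declarations are outside the hunk. If logging attempts is the intent, a comment saying so would help whoever later reads the audit trail.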
38423diff -urNp linux-2.6.32.48/drivers/s390/cio/qdio_perf.c linux-2.6.32.48/drivers/s390/cio/qdio_perf.c
38424--- linux-2.6.32.48/drivers/s390/cio/qdio_perf.c 2011-11-08 19:02:43.000000000 -0500
38425+++ linux-2.6.32.48/drivers/s390/cio/qdio_perf.c 2011-11-15 19:59:43.000000000 -0500
38426@@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
38427 static int qdio_perf_proc_show(struct seq_file *m, void *v)
38428 {
38429 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
38430- (long)atomic_long_read(&perf_stats.qdio_int));
38431+ (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
38432 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
38433- (long)atomic_long_read(&perf_stats.pci_int));
38434+ (long)atomic_long_read_unchecked(&perf_stats.pci_int));
38435 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
38436- (long)atomic_long_read(&perf_stats.thin_int));
38437+ (long)atomic_long_read_unchecked(&perf_stats.thin_int));
38438 seq_printf(m, "\n");
38439 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
38440- (long)atomic_long_read(&perf_stats.tasklet_inbound));
38441+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
38442 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
38443- (long)atomic_long_read(&perf_stats.tasklet_outbound));
38444+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
38445 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
38446- (long)atomic_long_read(&perf_stats.tasklet_thinint),
38447- (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
38448+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
38449+ (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
38450 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
38451- (long)atomic_long_read(&perf_stats.thinint_inbound),
38452- (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
38453+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
38454+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
38455 seq_printf(m, "\n");
38456 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
38457- (long)atomic_long_read(&perf_stats.siga_in));
38458+ (long)atomic_long_read_unchecked(&perf_stats.siga_in));
38459 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
38460- (long)atomic_long_read(&perf_stats.siga_out));
38461+ (long)atomic_long_read_unchecked(&perf_stats.siga_out));
38462 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
38463- (long)atomic_long_read(&perf_stats.siga_sync));
38464+ (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
38465 seq_printf(m, "\n");
38466 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
38467- (long)atomic_long_read(&perf_stats.inbound_handler));
38468+ (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
38469 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
38470- (long)atomic_long_read(&perf_stats.outbound_handler));
38471+ (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
38472 seq_printf(m, "\n");
38473 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
38474- (long)atomic_long_read(&perf_stats.fast_requeue));
38475+ (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
38476 seq_printf(m, "Number of outbound target full condition\t: %li\n",
38477- (long)atomic_long_read(&perf_stats.outbound_target_full));
38478+ (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
38479 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
38480- (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
38481+ (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
38482 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
38483- (long)atomic_long_read(&perf_stats.debug_stop_polling));
38484+ (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
38485 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
38486- (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
38487+ (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
38488 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
38489- (long)atomic_long_read(&perf_stats.debug_eqbs_all),
38490- (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
38491+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
38492+ (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
38493 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
38494- (long)atomic_long_read(&perf_stats.debug_sqbs_all),
38495- (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
38496+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
38497+ (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
38498 seq_printf(m, "\n");
38499 return 0;
38500 }
38501diff -urNp linux-2.6.32.48/drivers/s390/cio/qdio_perf.h linux-2.6.32.48/drivers/s390/cio/qdio_perf.h
38502--- linux-2.6.32.48/drivers/s390/cio/qdio_perf.h 2011-11-08 19:02:43.000000000 -0500
38503+++ linux-2.6.32.48/drivers/s390/cio/qdio_perf.h 2011-11-15 19:59:43.000000000 -0500
38504@@ -13,46 +13,46 @@
38505
38506 struct qdio_perf_stats {
38507 /* interrupt handler calls */
38508- atomic_long_t qdio_int;
38509- atomic_long_t pci_int;
38510- atomic_long_t thin_int;
38511+ atomic_long_unchecked_t qdio_int;
38512+ atomic_long_unchecked_t pci_int;
38513+ atomic_long_unchecked_t thin_int;
38514
38515 /* tasklet runs */
38516- atomic_long_t tasklet_inbound;
38517- atomic_long_t tasklet_outbound;
38518- atomic_long_t tasklet_thinint;
38519- atomic_long_t tasklet_thinint_loop;
38520- atomic_long_t thinint_inbound;
38521- atomic_long_t thinint_inbound_loop;
38522- atomic_long_t thinint_inbound_loop2;
38523+ atomic_long_unchecked_t tasklet_inbound;
38524+ atomic_long_unchecked_t tasklet_outbound;
38525+ atomic_long_unchecked_t tasklet_thinint;
38526+ atomic_long_unchecked_t tasklet_thinint_loop;
38527+ atomic_long_unchecked_t thinint_inbound;
38528+ atomic_long_unchecked_t thinint_inbound_loop;
38529+ atomic_long_unchecked_t thinint_inbound_loop2;
38530
38531 /* signal adapter calls */
38532- atomic_long_t siga_out;
38533- atomic_long_t siga_in;
38534- atomic_long_t siga_sync;
38535+ atomic_long_unchecked_t siga_out;
38536+ atomic_long_unchecked_t siga_in;
38537+ atomic_long_unchecked_t siga_sync;
38538
38539 /* misc */
38540- atomic_long_t inbound_handler;
38541- atomic_long_t outbound_handler;
38542- atomic_long_t fast_requeue;
38543- atomic_long_t outbound_target_full;
38544+ atomic_long_unchecked_t inbound_handler;
38545+ atomic_long_unchecked_t outbound_handler;
38546+ atomic_long_unchecked_t fast_requeue;
38547+ atomic_long_unchecked_t outbound_target_full;
38548
38549 /* for debugging */
38550- atomic_long_t debug_tl_out_timer;
38551- atomic_long_t debug_stop_polling;
38552- atomic_long_t debug_eqbs_all;
38553- atomic_long_t debug_eqbs_incomplete;
38554- atomic_long_t debug_sqbs_all;
38555- atomic_long_t debug_sqbs_incomplete;
38556+ atomic_long_unchecked_t debug_tl_out_timer;
38557+ atomic_long_unchecked_t debug_stop_polling;
38558+ atomic_long_unchecked_t debug_eqbs_all;
38559+ atomic_long_unchecked_t debug_eqbs_incomplete;
38560+ atomic_long_unchecked_t debug_sqbs_all;
38561+ atomic_long_unchecked_t debug_sqbs_incomplete;
38562 };
38563
38564 extern struct qdio_perf_stats perf_stats;
38565 extern int qdio_performance_stats;
38566
38567-static inline void qdio_perf_stat_inc(atomic_long_t *count)
38568+static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
38569 {
38570 if (qdio_performance_stats)
38571- atomic_long_inc(count);
38572+ atomic_long_inc_unchecked(count);
38573 }
38574
38575 int qdio_setup_perf_stats(void);
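Review bot: The switch to `atomic_long_unchecked_t` opts every counter in `struct qdio_perf_stats` out of overflow detection, and the struct carries no comment saying why that is safe. In the visible code the fields are only incremented through `qdio_perf_stat_inc()` and printed by `qdio_perf_proc_show()` in the previous file, so they look like pure statistics where wraparound is harmless. That is worth stating at the struct: `/* statistics only, never used as reference counts; wraparound is harmless */`. The `stats` members of `struct fc_exch_mgr` in libfc/fc_exch.c get the same conversion further down and would benefit from the same comment.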
38576diff -urNp linux-2.6.32.48/drivers/scsi/aacraid/aacraid.h linux-2.6.32.48/drivers/scsi/aacraid/aacraid.h
38577--- linux-2.6.32.48/drivers/scsi/aacraid/aacraid.h 2011-11-08 19:02:43.000000000 -0500
38578+++ linux-2.6.32.48/drivers/scsi/aacraid/aacraid.h 2011-11-15 19:59:43.000000000 -0500
38579@@ -471,7 +471,7 @@ struct adapter_ops
38580 int (*adapter_scsi)(struct fib * fib, struct scsi_cmnd * cmd);
38581 /* Administrative operations */
38582 int (*adapter_comm)(struct aac_dev * dev, int comm);
38583-};
38584+} __no_const;
38585
38586 /*
38587 * Define which interrupt handler needs to be installed
38588diff -urNp linux-2.6.32.48/drivers/scsi/aacraid/commctrl.c linux-2.6.32.48/drivers/scsi/aacraid/commctrl.c
38589--- linux-2.6.32.48/drivers/scsi/aacraid/commctrl.c 2011-11-08 19:02:43.000000000 -0500
38590+++ linux-2.6.32.48/drivers/scsi/aacraid/commctrl.c 2011-11-15 19:59:43.000000000 -0500
38591@@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
38592 u32 actual_fibsize64, actual_fibsize = 0;
38593 int i;
38594
38595+ pax_track_stack();
38596
38597 if (dev->in_reset) {
38598 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
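Review bot: `pax_track_stack()` is added at the top of `aac_send_raw_srb()` with no indication of why this function needs it. Presumably it is placed in functions with large stack frames so the kernel-stack clearing feature knows how deep the stack was used, but the hunk shows only part of the locals. The same bare call is added in `BusLogic_InitializeProbeInfoList()`, `adpt_i2o_passthru()`, `adpt_scsi_to_i2o()`, `port_detect()`, `fcoe_ctlr_recv_els()`, the gdth ioctl helpers and `gdth_flush()`, the two gdth_proc.c functions and `lpfc_debugfs_dumpHBASlim_data()`. A short comment at each site, e.g. `/* large on-stack buffers: record stack depth for clearing */`, would let a maintainer drop the call if the frame is later shrunk.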
38599diff -urNp linux-2.6.32.48/drivers/scsi/aacraid/linit.c linux-2.6.32.48/drivers/scsi/aacraid/linit.c
38600--- linux-2.6.32.48/drivers/scsi/aacraid/linit.c 2011-11-08 19:02:43.000000000 -0500
38601+++ linux-2.6.32.48/drivers/scsi/aacraid/linit.c 2011-11-18 18:01:55.000000000 -0500
38602@@ -91,7 +91,7 @@ static DECLARE_PCI_DEVICE_TABLE(aac_pci_
38603 #elif defined(__devinitconst)
38604 static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
38605 #else
38606-static const struct pci_device_id aac_pci_tbl[] __devinitdata = {
38607+static const struct pci_device_id aac_pci_tbl[] __devinitconst = {
38608 #endif
38609 { 0x1028, 0x0001, 0x1028, 0x0001, 0, 0, 0 }, /* PERC 2/Si (Iguana/PERC2Si) */
38610 { 0x1028, 0x0002, 0x1028, 0x0002, 0, 0, 1 }, /* PERC 3/Di (Opal/PERC3Di) */
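Review bot: After this change the `#elif defined(__devinitconst)` branch and the `#else` branch declare `aac_pci_tbl` identically, so the conditional no longer selects anything. The `#else` fallback now also requires `__devinitconst` to exist, which is exactly the case the `#elif` tests for. The fix itself is right, since a `const` table tagged `__devinitdata` places const data in a writable-data section, but the two branches should be merged into a single `#else`. The start of the conditional is outside the hunk.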
38611diff -urNp linux-2.6.32.48/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.48/drivers/scsi/aic94xx/aic94xx_init.c
38612--- linux-2.6.32.48/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-08 19:02:43.000000000 -0500
38613+++ linux-2.6.32.48/drivers/scsi/aic94xx/aic94xx_init.c 2011-11-18 18:01:55.000000000 -0500
38614@@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
38615 flash_error_table[i].reason);
38616 }
38617
38618-static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
38619+static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
38620 asd_show_update_bios, asd_store_update_bios);
38621
38622 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
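Review bot: Narrowing write access on `update_bios` from `S_IWUGO` to `S_IWUSR` closes the world-writable mode, but `S_IRUGO` is kept, so any local user can still read what `asd_show_update_bios()` prints. The tail of that function visible above emits a reason string from `flash_error_table`, which is probably harmless but should be a deliberate choice. If no unprivileged reader needs it, `S_IRUSR|S_IWUSR` would be the tighter mode. `asd_store_update_bios()` is outside the hunk, so whether it performs any check of its own cannot be seen here.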
38623@@ -1011,7 +1011,7 @@ static struct sas_domain_function_templa
38624 .lldd_control_phy = asd_control_phy,
38625 };
38626
38627-static const struct pci_device_id aic94xx_pci_table[] __devinitdata = {
38628+static const struct pci_device_id aic94xx_pci_table[] __devinitconst = {
38629 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x410),0, 0, 1},
38630 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x412),0, 0, 1},
38631 {PCI_DEVICE(PCI_VENDOR_ID_ADAPTEC2, 0x416),0, 0, 1},
38632diff -urNp linux-2.6.32.48/drivers/scsi/bfa/bfa_iocfc.h linux-2.6.32.48/drivers/scsi/bfa/bfa_iocfc.h
38633--- linux-2.6.32.48/drivers/scsi/bfa/bfa_iocfc.h 2011-11-08 19:02:43.000000000 -0500
38634+++ linux-2.6.32.48/drivers/scsi/bfa/bfa_iocfc.h 2011-11-15 19:59:43.000000000 -0500
38635@@ -61,7 +61,7 @@ struct bfa_hwif_s {
38636 void (*hw_isr_mode_set)(struct bfa_s *bfa, bfa_boolean_t msix);
38637 void (*hw_msix_getvecs)(struct bfa_s *bfa, u32 *vecmap,
38638 u32 *nvecs, u32 *maxvec);
38639-};
38640+} __no_const;
38641 typedef void (*bfa_cb_iocfc_t) (void *cbarg, enum bfa_status status);
38642
38643 struct bfa_iocfc_s {
38644diff -urNp linux-2.6.32.48/drivers/scsi/bfa/bfa_ioc.h linux-2.6.32.48/drivers/scsi/bfa/bfa_ioc.h
38645--- linux-2.6.32.48/drivers/scsi/bfa/bfa_ioc.h 2011-11-08 19:02:43.000000000 -0500
38646+++ linux-2.6.32.48/drivers/scsi/bfa/bfa_ioc.h 2011-11-15 19:59:43.000000000 -0500
38647@@ -127,7 +127,7 @@ struct bfa_ioc_cbfn_s {
38648 bfa_ioc_disable_cbfn_t disable_cbfn;
38649 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
38650 bfa_ioc_reset_cbfn_t reset_cbfn;
38651-};
38652+} __no_const;
38653
38654 /**
38655 * Heartbeat failure notification queue element.
38656diff -urNp linux-2.6.32.48/drivers/scsi/BusLogic.c linux-2.6.32.48/drivers/scsi/BusLogic.c
38657--- linux-2.6.32.48/drivers/scsi/BusLogic.c 2011-11-08 19:02:43.000000000 -0500
38658+++ linux-2.6.32.48/drivers/scsi/BusLogic.c 2011-11-15 19:59:43.000000000 -0500
38659@@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
38660 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
38661 *PrototypeHostAdapter)
38662 {
38663+ pax_track_stack();
38664+
38665 /*
38666 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
38667 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
38668diff -urNp linux-2.6.32.48/drivers/scsi/dpt_i2o.c linux-2.6.32.48/drivers/scsi/dpt_i2o.c
38669--- linux-2.6.32.48/drivers/scsi/dpt_i2o.c 2011-11-08 19:02:43.000000000 -0500
38670+++ linux-2.6.32.48/drivers/scsi/dpt_i2o.c 2011-11-15 19:59:43.000000000 -0500
38671@@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
38672 dma_addr_t addr;
38673 ulong flags = 0;
38674
38675+ pax_track_stack();
38676+
38677 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
38678 // get user msg size in u32s
38679 if(get_user(size, &user_msg[0])){
38680@@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
38681 s32 rcode;
38682 dma_addr_t addr;
38683
38684+ pax_track_stack();
38685+
38686 memset(msg, 0 , sizeof(msg));
38687 len = scsi_bufflen(cmd);
38688 direction = 0x00000000;
38689diff -urNp linux-2.6.32.48/drivers/scsi/eata.c linux-2.6.32.48/drivers/scsi/eata.c
38690--- linux-2.6.32.48/drivers/scsi/eata.c 2011-11-08 19:02:43.000000000 -0500
38691+++ linux-2.6.32.48/drivers/scsi/eata.c 2011-11-15 19:59:43.000000000 -0500
38692@@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
38693 struct hostdata *ha;
38694 char name[16];
38695
38696+ pax_track_stack();
38697+
38698 sprintf(name, "%s%d", driver_name, j);
38699
38700 if (!request_region(port_base, REGION_SIZE, driver_name)) {
38701diff -urNp linux-2.6.32.48/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.48/drivers/scsi/fcoe/libfcoe.c
38702--- linux-2.6.32.48/drivers/scsi/fcoe/libfcoe.c 2011-11-08 19:02:43.000000000 -0500
38703+++ linux-2.6.32.48/drivers/scsi/fcoe/libfcoe.c 2011-11-15 19:59:43.000000000 -0500
38704@@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
38705 size_t rlen;
38706 size_t dlen;
38707
38708+ pax_track_stack();
38709+
38710 fiph = (struct fip_header *)skb->data;
38711 sub = fiph->fip_subcode;
38712 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
38713diff -urNp linux-2.6.32.48/drivers/scsi/fnic/fnic_main.c linux-2.6.32.48/drivers/scsi/fnic/fnic_main.c
38714--- linux-2.6.32.48/drivers/scsi/fnic/fnic_main.c 2011-11-08 19:02:43.000000000 -0500
38715+++ linux-2.6.32.48/drivers/scsi/fnic/fnic_main.c 2011-11-15 19:59:43.000000000 -0500
38716@@ -669,7 +669,7 @@ static int __devinit fnic_probe(struct p
38717 /* Start local port initiatialization */
38718
38719 lp->link_up = 0;
38720- lp->tt = fnic_transport_template;
38721+ memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(fnic_transport_template));
38722
38723 lp->max_retry_count = fnic->config.flogi_retries;
38724 lp->max_rport_retry_count = fnic->config.plogi_retries;
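Review bot: The `memcpy()` is sized by the source, `sizeof(fnic_transport_template)`, and the `(void *)` cast removes all type checking between source and destination, so a later mismatch between the two types would silently overrun or underfill `lp->tt`. Sizing by the destination, `memcpy((void *)&lp->tt, &fnic_transport_template, sizeof(lp->tt));`, bounds the write to the field being written. The cast presumably exists because `lp->tt` becomes const-qualified elsewhere in this patch. A comment saying so would explain why the plain struct assignment was replaced.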
38725diff -urNp linux-2.6.32.48/drivers/scsi/gdth.c linux-2.6.32.48/drivers/scsi/gdth.c
38726--- linux-2.6.32.48/drivers/scsi/gdth.c 2011-11-08 19:02:43.000000000 -0500
38727+++ linux-2.6.32.48/drivers/scsi/gdth.c 2011-11-15 19:59:43.000000000 -0500
38728@@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
38729 ulong flags;
38730 gdth_ha_str *ha;
38731
38732+ pax_track_stack();
38733+
38734 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
38735 return -EFAULT;
38736 ha = gdth_find_ha(ldrv.ionode);
38737@@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
38738 gdth_ha_str *ha;
38739 int rval;
38740
38741+ pax_track_stack();
38742+
38743 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
38744 res.number >= MAX_HDRIVES)
38745 return -EFAULT;
38746@@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
38747 gdth_ha_str *ha;
38748 int rval;
38749
38750+ pax_track_stack();
38751+
38752 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
38753 return -EFAULT;
38754 ha = gdth_find_ha(gen.ionode);
38755@@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
38756 int i;
38757 gdth_cmd_str gdtcmd;
38758 char cmnd[MAX_COMMAND_SIZE];
38759+
38760+ pax_track_stack();
38761+
38762 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
38763
38764 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
38765diff -urNp linux-2.6.32.48/drivers/scsi/gdth_proc.c linux-2.6.32.48/drivers/scsi/gdth_proc.c
38766--- linux-2.6.32.48/drivers/scsi/gdth_proc.c 2011-11-08 19:02:43.000000000 -0500
38767+++ linux-2.6.32.48/drivers/scsi/gdth_proc.c 2011-11-15 19:59:43.000000000 -0500
38768@@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
38769 ulong64 paddr;
38770
38771 char cmnd[MAX_COMMAND_SIZE];
38772+
38773+ pax_track_stack();
38774+
38775 memset(cmnd, 0xff, 12);
38776 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
38777
38778@@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
38779 gdth_hget_str *phg;
38780 char cmnd[MAX_COMMAND_SIZE];
38781
38782+ pax_track_stack();
38783+
38784 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
38785 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
38786 if (!gdtcmd || !estr)
38787diff -urNp linux-2.6.32.48/drivers/scsi/hosts.c linux-2.6.32.48/drivers/scsi/hosts.c
38788--- linux-2.6.32.48/drivers/scsi/hosts.c 2011-11-08 19:02:43.000000000 -0500
38789+++ linux-2.6.32.48/drivers/scsi/hosts.c 2011-11-15 19:59:43.000000000 -0500
38790@@ -40,7 +40,7 @@
38791 #include "scsi_logging.h"
38792
38793
38794-static atomic_t scsi_host_next_hn; /* host_no for next new host */
38795+static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
38796
38797
38798 static void scsi_host_cls_release(struct device *dev)
38799@@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
38800 * subtract one because we increment first then return, but we need to
38801 * know what the next host number was before increment
38802 */
38803- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
38804+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
38805 shost->dma_channel = 0xff;
38806
38807 /* These three are default values which can be overridden */
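Review bot: `scsi_host_next_hn` feeds `shost->host_no`, so unlike the statistics counters converted elsewhere in this patch its value is used as an identifier, and with `atomic_inc_return_unchecked()` a wrap goes unnoticed. That is probably the intended trade-off, since the counter is not a reference count and trapping on overflow would be wrong. It should still be documented at the declaration in the previous hunk, e.g. `/* not a refcount: overflow is not trapped; a wrap would reuse host numbers */`. `scsi_host_alloc()` continues outside the hunk.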
38808diff -urNp linux-2.6.32.48/drivers/scsi/ipr.c linux-2.6.32.48/drivers/scsi/ipr.c
38809--- linux-2.6.32.48/drivers/scsi/ipr.c 2011-11-08 19:02:43.000000000 -0500
38810+++ linux-2.6.32.48/drivers/scsi/ipr.c 2011-11-15 19:59:43.000000000 -0500
38811@@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
38812 return true;
38813 }
38814
38815-static struct ata_port_operations ipr_sata_ops = {
38816+static const struct ata_port_operations ipr_sata_ops = {
38817 .phy_reset = ipr_ata_phy_reset,
38818 .hardreset = ipr_sata_reset,
38819 .post_internal_cmd = ipr_ata_post_internal,
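Review bot: Making `ipr_sata_ops` const assumes nothing writes to the table after build, but libata's `ata_finalize_port_ops()` fills in and then clears `.inherits` in place for tables that use inheritance. The initializer continues past the end of this hunk, so confirm that it sets no `.inherits` member, or that the libata-core part of this patch handles that write. The same check applies to `sas_sata_ops` in libsas/sas_ata.c below. The fields that point at these tables must also be declared `const struct ata_port_operations *`, which is not visible here.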
38820diff -urNp linux-2.6.32.48/drivers/scsi/ips.h linux-2.6.32.48/drivers/scsi/ips.h
38821--- linux-2.6.32.48/drivers/scsi/ips.h 2011-11-08 19:02:43.000000000 -0500
38822+++ linux-2.6.32.48/drivers/scsi/ips.h 2011-11-15 19:59:43.000000000 -0500
38823@@ -1027,7 +1027,7 @@ typedef struct {
38824 int (*intr)(struct ips_ha *);
38825 void (*enableint)(struct ips_ha *);
38826 uint32_t (*statupd)(struct ips_ha *);
38827-} ips_hw_func_t;
38828+} __no_const ips_hw_func_t;
38829
38830 typedef struct ips_ha {
38831 uint8_t ha_id[IPS_MAX_CHANNELS+1];
38832diff -urNp linux-2.6.32.48/drivers/scsi/libfc/fc_exch.c linux-2.6.32.48/drivers/scsi/libfc/fc_exch.c
38833--- linux-2.6.32.48/drivers/scsi/libfc/fc_exch.c 2011-11-08 19:02:43.000000000 -0500
38834+++ linux-2.6.32.48/drivers/scsi/libfc/fc_exch.c 2011-11-15 19:59:43.000000000 -0500
38835@@ -86,12 +86,12 @@ struct fc_exch_mgr {
38836 * all together if not used XXX
38837 */
38838 struct {
38839- atomic_t no_free_exch;
38840- atomic_t no_free_exch_xid;
38841- atomic_t xid_not_found;
38842- atomic_t xid_busy;
38843- atomic_t seq_not_found;
38844- atomic_t non_bls_resp;
38845+ atomic_unchecked_t no_free_exch;
38846+ atomic_unchecked_t no_free_exch_xid;
38847+ atomic_unchecked_t xid_not_found;
38848+ atomic_unchecked_t xid_busy;
38849+ atomic_unchecked_t seq_not_found;
38850+ atomic_unchecked_t non_bls_resp;
38851 } stats;
38852 };
38853 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
38854@@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
38855 /* allocate memory for exchange */
38856 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
38857 if (!ep) {
38858- atomic_inc(&mp->stats.no_free_exch);
38859+ atomic_inc_unchecked(&mp->stats.no_free_exch);
38860 goto out;
38861 }
38862 memset(ep, 0, sizeof(*ep));
38863@@ -557,7 +557,7 @@ out:
38864 return ep;
38865 err:
38866 spin_unlock_bh(&pool->lock);
38867- atomic_inc(&mp->stats.no_free_exch_xid);
38868+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
38869 mempool_free(ep, mp->ep_pool);
38870 return NULL;
38871 }
38872@@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38873 xid = ntohs(fh->fh_ox_id); /* we originated exch */
38874 ep = fc_exch_find(mp, xid);
38875 if (!ep) {
38876- atomic_inc(&mp->stats.xid_not_found);
38877+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38878 reject = FC_RJT_OX_ID;
38879 goto out;
38880 }
38881@@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38882 ep = fc_exch_find(mp, xid);
38883 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
38884 if (ep) {
38885- atomic_inc(&mp->stats.xid_busy);
38886+ atomic_inc_unchecked(&mp->stats.xid_busy);
38887 reject = FC_RJT_RX_ID;
38888 goto rel;
38889 }
38890@@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38891 }
38892 xid = ep->xid; /* get our XID */
38893 } else if (!ep) {
38894- atomic_inc(&mp->stats.xid_not_found);
38895+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38896 reject = FC_RJT_RX_ID; /* XID not found */
38897 goto out;
38898 }
38899@@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
38900 } else {
38901 sp = &ep->seq;
38902 if (sp->id != fh->fh_seq_id) {
38903- atomic_inc(&mp->stats.seq_not_found);
38904+ atomic_inc_unchecked(&mp->stats.seq_not_found);
38905 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
38906 goto rel;
38907 }
38908@@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
38909
38910 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
38911 if (!ep) {
38912- atomic_inc(&mp->stats.xid_not_found);
38913+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38914 goto out;
38915 }
38916 if (ep->esb_stat & ESB_ST_COMPLETE) {
38917- atomic_inc(&mp->stats.xid_not_found);
38918+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38919 goto out;
38920 }
38921 if (ep->rxid == FC_XID_UNKNOWN)
38922 ep->rxid = ntohs(fh->fh_rx_id);
38923 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
38924- atomic_inc(&mp->stats.xid_not_found);
38925+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38926 goto rel;
38927 }
38928 if (ep->did != ntoh24(fh->fh_s_id) &&
38929 ep->did != FC_FID_FLOGI) {
38930- atomic_inc(&mp->stats.xid_not_found);
38931+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38932 goto rel;
38933 }
38934 sof = fr_sof(fp);
38935@@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
38936 } else {
38937 sp = &ep->seq;
38938 if (sp->id != fh->fh_seq_id) {
38939- atomic_inc(&mp->stats.seq_not_found);
38940+ atomic_inc_unchecked(&mp->stats.seq_not_found);
38941 goto rel;
38942 }
38943 }
38944@@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
38945 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
38946
38947 if (!sp)
38948- atomic_inc(&mp->stats.xid_not_found);
38949+ atomic_inc_unchecked(&mp->stats.xid_not_found);
38950 else
38951- atomic_inc(&mp->stats.non_bls_resp);
38952+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
38953
38954 fc_frame_free(fp);
38955 }
38956diff -urNp linux-2.6.32.48/drivers/scsi/libsas/sas_ata.c linux-2.6.32.48/drivers/scsi/libsas/sas_ata.c
38957--- linux-2.6.32.48/drivers/scsi/libsas/sas_ata.c 2011-11-08 19:02:43.000000000 -0500
38958+++ linux-2.6.32.48/drivers/scsi/libsas/sas_ata.c 2011-11-15 19:59:43.000000000 -0500
38959@@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
38960 }
38961 }
38962
38963-static struct ata_port_operations sas_sata_ops = {
38964+static const struct ata_port_operations sas_sata_ops = {
38965 .phy_reset = sas_ata_phy_reset,
38966 .post_internal_cmd = sas_ata_post_internal,
38967 .qc_defer = ata_std_qc_defer,
38968diff -urNp linux-2.6.32.48/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.48/drivers/scsi/lpfc/lpfc_debugfs.c
38969--- linux-2.6.32.48/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-08 19:02:43.000000000 -0500
38970+++ linux-2.6.32.48/drivers/scsi/lpfc/lpfc_debugfs.c 2011-11-15 19:59:43.000000000 -0500
38971@@ -124,7 +124,7 @@ struct lpfc_debug {
38972 int len;
38973 };
38974
38975-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38976+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
38977 static unsigned long lpfc_debugfs_start_time = 0L;
38978
38979 /**
38980@@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
38981 lpfc_debugfs_enable = 0;
38982
38983 len = 0;
38984- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
38985+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
38986 (lpfc_debugfs_max_disc_trc - 1);
38987 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
38988 dtp = vport->disc_trc + i;
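Review bot: `disc_trc_cnt` is not just a statistic: after masking with `lpfc_debugfs_max_disc_trc - 1` it becomes an array index into `vport->disc_trc`. Once the counter is allowed to wrap, the index stays inside the buffer only if the maximum is a power of two, and nothing in these hunks shows that being enforced (the module may round it elsewhere; worth confirming). I would state the dependency next to the mask: `/* counter may wrap; index stays in range only because lpfc_debugfs_max_disc_trc is a power of two */`. The same applies to `slow_ring_trc_cnt` in `lpfc_debugfs_slow_ring_trc_data`, and to the write side in `lpfc_debugfs_disc_trc` and `lpfc_debugfs_slow_ring_trc`, where the masked value selects the slot that gets written. The function body starts and ends outside the hunk.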
38989@@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
38990 lpfc_debugfs_enable = 0;
38991
38992 len = 0;
38993- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
38994+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
38995 (lpfc_debugfs_max_slow_ring_trc - 1);
38996 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
38997 dtp = phba->slow_ring_trc + i;
38998@@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
38999 uint32_t *ptr;
39000 char buffer[1024];
39001
39002+ pax_track_stack();
39003+
39004 off = 0;
39005 spin_lock_irq(&phba->hbalock);
39006
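Review bot: The added `pax_track_stack()` call carries no comment tying it to the `char buffer[1024]` declared just above, which is the only visible reason for it. Because the call is placed by hand, a later change that shrinks or heap-allocates the buffer would leave it behind, and a new large local elsewhere would not get one. I would add `/* 1 KiB on-stack buffer: record stack depth for kernel stack sanitizing */` above the call; that wording assumes the helper feeds the stack-clearing feature, which is not defined in this chunk. The same bare call is added in `megaraid_cmm_register`, `_osd_print_system_info`, `resp_mode_select`, `resp_log_sense` and `sym2_probe` further down. The function body continues outside the hunk.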
39007@@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
39008 !vport || !vport->disc_trc)
39009 return;
39010
39011- index = atomic_inc_return(&vport->disc_trc_cnt) &
39012+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
39013 (lpfc_debugfs_max_disc_trc - 1);
39014 dtp = vport->disc_trc + index;
39015 dtp->fmt = fmt;
39016 dtp->data1 = data1;
39017 dtp->data2 = data2;
39018 dtp->data3 = data3;
39019- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
39020+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
39021 dtp->jif = jiffies;
39022 #endif
39023 return;
39024@@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
39025 !phba || !phba->slow_ring_trc)
39026 return;
39027
39028- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
39029+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
39030 (lpfc_debugfs_max_slow_ring_trc - 1);
39031 dtp = phba->slow_ring_trc + index;
39032 dtp->fmt = fmt;
39033 dtp->data1 = data1;
39034 dtp->data2 = data2;
39035 dtp->data3 = data3;
39036- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
39037+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
39038 dtp->jif = jiffies;
39039 #endif
39040 return;
39041@@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
39042 "slow_ring buffer\n");
39043 goto debug_failed;
39044 }
39045- atomic_set(&phba->slow_ring_trc_cnt, 0);
39046+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
39047 memset(phba->slow_ring_trc, 0,
39048 (sizeof(struct lpfc_debugfs_trc) *
39049 lpfc_debugfs_max_slow_ring_trc));
39050@@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
39051 "buffer\n");
39052 goto debug_failed;
39053 }
39054- atomic_set(&vport->disc_trc_cnt, 0);
39055+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
39056
39057 snprintf(name, sizeof(name), "discovery_trace");
39058 vport->debug_disc_trc =
39059diff -urNp linux-2.6.32.48/drivers/scsi/lpfc/lpfc.h linux-2.6.32.48/drivers/scsi/lpfc/lpfc.h
39060--- linux-2.6.32.48/drivers/scsi/lpfc/lpfc.h 2011-11-08 19:02:43.000000000 -0500
39061+++ linux-2.6.32.48/drivers/scsi/lpfc/lpfc.h 2011-11-15 19:59:43.000000000 -0500
39062@@ -400,7 +400,7 @@ struct lpfc_vport {
39063 struct dentry *debug_nodelist;
39064 struct dentry *vport_debugfs_root;
39065 struct lpfc_debugfs_trc *disc_trc;
39066- atomic_t disc_trc_cnt;
39067+ atomic_unchecked_t disc_trc_cnt;
39068 #endif
39069 uint8_t stat_data_enabled;
39070 uint8_t stat_data_blocked;
39071@@ -725,8 +725,8 @@ struct lpfc_hba {
39072 struct timer_list fabric_block_timer;
39073 unsigned long bit_flags;
39074 #define FABRIC_COMANDS_BLOCKED 0
39075- atomic_t num_rsrc_err;
39076- atomic_t num_cmd_success;
39077+ atomic_unchecked_t num_rsrc_err;
39078+ atomic_unchecked_t num_cmd_success;
39079 unsigned long last_rsrc_error_time;
39080 unsigned long last_ramp_down_time;
39081 unsigned long last_ramp_up_time;
39082@@ -740,7 +740,7 @@ struct lpfc_hba {
39083 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
39084 struct dentry *debug_slow_ring_trc;
39085 struct lpfc_debugfs_trc *slow_ring_trc;
39086- atomic_t slow_ring_trc_cnt;
39087+ atomic_unchecked_t slow_ring_trc_cnt;
39088 #endif
39089
39090 /* Used for deferred freeing of ELS data buffers */
39091diff -urNp linux-2.6.32.48/drivers/scsi/lpfc/lpfc_init.c linux-2.6.32.48/drivers/scsi/lpfc/lpfc_init.c
39092--- linux-2.6.32.48/drivers/scsi/lpfc/lpfc_init.c 2011-11-08 19:02:43.000000000 -0500
39093+++ linux-2.6.32.48/drivers/scsi/lpfc/lpfc_init.c 2011-11-15 19:59:43.000000000 -0500
39094@@ -8021,8 +8021,10 @@ lpfc_init(void)
39095 printk(LPFC_COPYRIGHT "\n");
39096
39097 if (lpfc_enable_npiv) {
39098- lpfc_transport_functions.vport_create = lpfc_vport_create;
39099- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
39100+ pax_open_kernel();
39101+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
39102+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
39103+ pax_close_kernel();
39104 }
39105 lpfc_transport_template =
39106 fc_attach_transport(&lpfc_transport_functions);
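Review bot: Writing through `*(void **)&lpfc_transport_functions.vport_create` discards the member's function-pointer type, so a future mismatch between `lpfc_vport_create` or `lpfc_vport_delete` and the template's prototypes would compile without a diagnostic. The `pax_open_kernel()`/`pax_close_kernel()` pair presumably exists because the template ends up in read-only memory, but neither that nor the reason for the cast is stated. A comment above the block would help, e.g. `/* template is read-only after constification; these two NPIV hooks are the only runtime writes and must stay inside the open/close window */`. Keeping the window to exactly these two stores, as written, is right; nothing that can sleep or fail should be added between the two calls. `lpfc_init` starts and ends outside the hunk.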
39107diff -urNp linux-2.6.32.48/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.48/drivers/scsi/lpfc/lpfc_scsi.c
39108--- linux-2.6.32.48/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-08 19:02:43.000000000 -0500
39109+++ linux-2.6.32.48/drivers/scsi/lpfc/lpfc_scsi.c 2011-11-15 19:59:43.000000000 -0500
39110@@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
39111 uint32_t evt_posted;
39112
39113 spin_lock_irqsave(&phba->hbalock, flags);
39114- atomic_inc(&phba->num_rsrc_err);
39115+ atomic_inc_unchecked(&phba->num_rsrc_err);
39116 phba->last_rsrc_error_time = jiffies;
39117
39118 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
39119@@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
39120 unsigned long flags;
39121 struct lpfc_hba *phba = vport->phba;
39122 uint32_t evt_posted;
39123- atomic_inc(&phba->num_cmd_success);
39124+ atomic_inc_unchecked(&phba->num_cmd_success);
39125
39126 if (vport->cfg_lun_queue_depth <= queue_depth)
39127 return;
39128@@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39129 int i;
39130 struct lpfc_rport_data *rdata;
39131
39132- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
39133- num_cmd_success = atomic_read(&phba->num_cmd_success);
39134+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
39135+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
39136
39137 vports = lpfc_create_vport_work_array(phba);
39138 if (vports != NULL)
39139@@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
39140 }
39141 }
39142 lpfc_destroy_vport_work_array(phba, vports);
39143- atomic_set(&phba->num_rsrc_err, 0);
39144- atomic_set(&phba->num_cmd_success, 0);
39145+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
39146+ atomic_set_unchecked(&phba->num_cmd_success, 0);
39147 }
39148
39149 /**
39150@@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
39151 }
39152 }
39153 lpfc_destroy_vport_work_array(phba, vports);
39154- atomic_set(&phba->num_rsrc_err, 0);
39155- atomic_set(&phba->num_cmd_success, 0);
39156+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
39157+ atomic_set_unchecked(&phba->num_cmd_success, 0);
39158 }
39159
39160 /**
39161diff -urNp linux-2.6.32.48/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.48/drivers/scsi/megaraid/megaraid_mbox.c
39162--- linux-2.6.32.48/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-08 19:02:43.000000000 -0500
39163+++ linux-2.6.32.48/drivers/scsi/megaraid/megaraid_mbox.c 2011-11-15 19:59:43.000000000 -0500
39164@@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
39165 int rval;
39166 int i;
39167
39168+ pax_track_stack();
39169+
39170 // Allocate memory for the base list of scb for management module.
39171 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
39172
39173diff -urNp linux-2.6.32.48/drivers/scsi/osd/osd_initiator.c linux-2.6.32.48/drivers/scsi/osd/osd_initiator.c
39174--- linux-2.6.32.48/drivers/scsi/osd/osd_initiator.c 2011-11-08 19:02:43.000000000 -0500
39175+++ linux-2.6.32.48/drivers/scsi/osd/osd_initiator.c 2011-11-15 19:59:43.000000000 -0500
39176@@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
39177 int nelem = ARRAY_SIZE(get_attrs), a = 0;
39178 int ret;
39179
39180+ pax_track_stack();
39181+
39182 or = osd_start_request(od, GFP_KERNEL);
39183 if (!or)
39184 return -ENOMEM;
39185diff -urNp linux-2.6.32.48/drivers/scsi/pmcraid.c linux-2.6.32.48/drivers/scsi/pmcraid.c
39186--- linux-2.6.32.48/drivers/scsi/pmcraid.c 2011-11-08 19:02:43.000000000 -0500
39187+++ linux-2.6.32.48/drivers/scsi/pmcraid.c 2011-11-15 19:59:43.000000000 -0500
39188@@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
39189 res->scsi_dev = scsi_dev;
39190 scsi_dev->hostdata = res;
39191 res->change_detected = 0;
39192- atomic_set(&res->read_failures, 0);
39193- atomic_set(&res->write_failures, 0);
39194+ atomic_set_unchecked(&res->read_failures, 0);
39195+ atomic_set_unchecked(&res->write_failures, 0);
39196 rc = 0;
39197 }
39198 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
39199@@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
39200
39201 /* If this was a SCSI read/write command keep count of errors */
39202 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
39203- atomic_inc(&res->read_failures);
39204+ atomic_inc_unchecked(&res->read_failures);
39205 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
39206- atomic_inc(&res->write_failures);
39207+ atomic_inc_unchecked(&res->write_failures);
39208
39209 if (!RES_IS_GSCSI(res->cfg_entry) &&
39210 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
39211@@ -4116,7 +4116,7 @@ static void pmcraid_worker_function(stru
39212
39213 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
39214 /* add resources only after host is added into system */
39215- if (!atomic_read(&pinstance->expose_resources))
39216+ if (!atomic_read_unchecked(&pinstance->expose_resources))
39217 return;
39218
39219 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
39220@@ -4850,7 +4850,7 @@ static int __devinit pmcraid_init_instan
39221 init_waitqueue_head(&pinstance->reset_wait_q);
39222
39223 atomic_set(&pinstance->outstanding_cmds, 0);
39224- atomic_set(&pinstance->expose_resources, 0);
39225+ atomic_set_unchecked(&pinstance->expose_resources, 0);
39226
39227 INIT_LIST_HEAD(&pinstance->free_res_q);
39228 INIT_LIST_HEAD(&pinstance->used_res_q);
39229@@ -5502,7 +5502,7 @@ static int __devinit pmcraid_probe(
39230 /* Schedule worker thread to handle CCN and take care of adding and
39231 * removing devices to OS
39232 */
39233- atomic_set(&pinstance->expose_resources, 1);
39234+ atomic_set_unchecked(&pinstance->expose_resources, 1);
39235 schedule_work(&pinstance->worker_q);
39236 return rc;
39237
39238diff -urNp linux-2.6.32.48/drivers/scsi/pmcraid.h linux-2.6.32.48/drivers/scsi/pmcraid.h
39239--- linux-2.6.32.48/drivers/scsi/pmcraid.h 2011-11-08 19:02:43.000000000 -0500
39240+++ linux-2.6.32.48/drivers/scsi/pmcraid.h 2011-11-15 19:59:43.000000000 -0500
39241@@ -690,7 +690,7 @@ struct pmcraid_instance {
39242 atomic_t outstanding_cmds;
39243
39244 /* should add/delete resources to mid-layer now ?*/
39245- atomic_t expose_resources;
39246+ atomic_unchecked_t expose_resources;
39247
39248 /* Tasklet to handle deferred processing */
39249 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
39250@@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
39251 struct list_head queue; /* link to "to be exposed" resources */
39252 struct pmcraid_config_table_entry cfg_entry;
39253 struct scsi_device *scsi_dev; /* Link scsi_device structure */
39254- atomic_t read_failures; /* count of failed READ commands */
39255- atomic_t write_failures; /* count of failed WRITE commands */
39256+ atomic_unchecked_t read_failures; /* count of failed READ commands */
39257+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
39258
39259 /* To indicate add/delete/modify during CCN */
39260 u8 change_detected;
39261diff -urNp linux-2.6.32.48/drivers/scsi/qla2xxx/qla_def.h linux-2.6.32.48/drivers/scsi/qla2xxx/qla_def.h
39262--- linux-2.6.32.48/drivers/scsi/qla2xxx/qla_def.h 2011-11-08 19:02:43.000000000 -0500
39263+++ linux-2.6.32.48/drivers/scsi/qla2xxx/qla_def.h 2011-11-15 19:59:43.000000000 -0500
39264@@ -2089,7 +2089,7 @@ struct isp_operations {
39265
39266 int (*get_flash_version) (struct scsi_qla_host *, void *);
39267 int (*start_scsi) (srb_t *);
39268-};
39269+} __no_const;
39270
39271 /* MSI-X Support *************************************************************/
39272
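Review bot: `struct isp_operations` is opted out with `__no_const` and no explanation, which leaves a table made entirely of function pointers writable while the rest of this patch works to make such tables read-only. Presumably the driver fills in or swaps members at runtime (the assignments are not in this hunk), but a reader auditing which ops tables remain writable has to rediscover that. I would add a line above the closing brace such as `/* members are assigned per-ISP at probe time, so the table cannot be const */`, adjusted to whatever the real reason is. Only the last two members of the structure are visible here.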
39273diff -urNp linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_def.h
39274--- linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_def.h 2011-11-08 19:02:43.000000000 -0500
39275+++ linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_def.h 2011-11-15 19:59:43.000000000 -0500
39276@@ -240,7 +240,7 @@ struct ddb_entry {
39277 atomic_t retry_relogin_timer; /* Min Time between relogins
39278 * (4000 only) */
39279 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
39280- atomic_t relogin_retry_count; /* Num of times relogin has been
39281+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
39282 * retried */
39283
39284 uint16_t port;
39285diff -urNp linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_init.c
39286--- linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_init.c 2011-11-08 19:02:43.000000000 -0500
39287+++ linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_init.c 2011-11-15 19:59:43.000000000 -0500
39288@@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
39289 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
39290 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
39291 atomic_set(&ddb_entry->relogin_timer, 0);
39292- atomic_set(&ddb_entry->relogin_retry_count, 0);
39293+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39294 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39295 list_add_tail(&ddb_entry->list, &ha->ddb_list);
39296 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
39297@@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
39298 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
39299 atomic_set(&ddb_entry->port_down_timer,
39300 ha->port_down_retry_count);
39301- atomic_set(&ddb_entry->relogin_retry_count, 0);
39302+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
39303 atomic_set(&ddb_entry->relogin_timer, 0);
39304 clear_bit(DF_RELOGIN, &ddb_entry->flags);
39305 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
39306diff -urNp linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_os.c
39307--- linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_os.c 2011-11-08 19:02:43.000000000 -0500
39308+++ linux-2.6.32.48/drivers/scsi/qla4xxx/ql4_os.c 2011-11-15 19:59:43.000000000 -0500
39309@@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
39310 ddb_entry->fw_ddb_device_state ==
39311 DDB_DS_SESSION_FAILED) {
39312 /* Reset retry relogin timer */
39313- atomic_inc(&ddb_entry->relogin_retry_count);
39314+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
39315 DEBUG2(printk("scsi%ld: index[%d] relogin"
39316 " timed out-retrying"
39317 " relogin (%d)\n",
39318 ha->host_no,
39319 ddb_entry->fw_ddb_index,
39320- atomic_read(&ddb_entry->
39321+ atomic_read_unchecked(&ddb_entry->
39322 relogin_retry_count))
39323 );
39324 start_dpc++;
39325diff -urNp linux-2.6.32.48/drivers/scsi/scsi.c linux-2.6.32.48/drivers/scsi/scsi.c
39326--- linux-2.6.32.48/drivers/scsi/scsi.c 2011-11-08 19:02:43.000000000 -0500
39327+++ linux-2.6.32.48/drivers/scsi/scsi.c 2011-11-15 19:59:43.000000000 -0500
39328@@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
39329 unsigned long timeout;
39330 int rtn = 0;
39331
39332- atomic_inc(&cmd->device->iorequest_cnt);
39333+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39334
39335 /* check if the device is still usable */
39336 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
39337diff -urNp linux-2.6.32.48/drivers/scsi/scsi_debug.c linux-2.6.32.48/drivers/scsi/scsi_debug.c
39338--- linux-2.6.32.48/drivers/scsi/scsi_debug.c 2011-11-08 19:02:43.000000000 -0500
39339+++ linux-2.6.32.48/drivers/scsi/scsi_debug.c 2011-11-15 19:59:43.000000000 -0500
39340@@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
39341 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
39342 unsigned char *cmd = (unsigned char *)scp->cmnd;
39343
39344+ pax_track_stack();
39345+
39346 if ((errsts = check_readiness(scp, 1, devip)))
39347 return errsts;
39348 memset(arr, 0, sizeof(arr));
39349@@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
39350 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
39351 unsigned char *cmd = (unsigned char *)scp->cmnd;
39352
39353+ pax_track_stack();
39354+
39355 if ((errsts = check_readiness(scp, 1, devip)))
39356 return errsts;
39357 memset(arr, 0, sizeof(arr));
39358diff -urNp linux-2.6.32.48/drivers/scsi/scsi_lib.c linux-2.6.32.48/drivers/scsi/scsi_lib.c
39359--- linux-2.6.32.48/drivers/scsi/scsi_lib.c 2011-11-08 19:02:43.000000000 -0500
39360+++ linux-2.6.32.48/drivers/scsi/scsi_lib.c 2011-11-15 19:59:43.000000000 -0500
39361@@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
39362
39363 scsi_init_cmd_errh(cmd);
39364 cmd->result = DID_NO_CONNECT << 16;
39365- atomic_inc(&cmd->device->iorequest_cnt);
39366+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
39367
39368 /*
39369 * SCSI request completion path will do scsi_device_unbusy(),
39370@@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
39371 */
39372 cmd->serial_number = 0;
39373
39374- atomic_inc(&cmd->device->iodone_cnt);
39375+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
39376 if (cmd->result)
39377- atomic_inc(&cmd->device->ioerr_cnt);
39378+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
39379
39380 disposition = scsi_decide_disposition(cmd);
39381 if (disposition != SUCCESS &&
39382diff -urNp linux-2.6.32.48/drivers/scsi/scsi_sysfs.c linux-2.6.32.48/drivers/scsi/scsi_sysfs.c
39383--- linux-2.6.32.48/drivers/scsi/scsi_sysfs.c 2011-11-08 19:02:43.000000000 -0500
39384+++ linux-2.6.32.48/drivers/scsi/scsi_sysfs.c 2011-11-15 19:59:43.000000000 -0500
39385@@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
39386 char *buf) \
39387 { \
39388 struct scsi_device *sdev = to_scsi_device(dev); \
39389- unsigned long long count = atomic_read(&sdev->field); \
39390+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
39391 return snprintf(buf, 20, "0x%llx\n", count); \
39392 } \
39393 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
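Review bot: `atomic_read_unchecked()` returns a signed `int` that is assigned straight to `unsigned long long count`, so once a counter passes `INT_MAX`, which the unchecked type now explicitly permits, the value is sign-extended and sysfs reports `0xffffffff80000000` instead of `0x80000000`. Converting through `unsigned int` first keeps the reported value a plain 32-bit count: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The sign-extended form is 19 characters including the newline, which just fits the `snprintf(buf, 20, ...)` bound, so nothing is truncated; the literal 20 still deserves a comment saying what it is sized for. The macro that generates `show_iostat_##field` begins before the hunk.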
39394diff -urNp linux-2.6.32.48/drivers/scsi/scsi_tgt_lib.c linux-2.6.32.48/drivers/scsi/scsi_tgt_lib.c
39395--- linux-2.6.32.48/drivers/scsi/scsi_tgt_lib.c 2011-11-08 19:02:43.000000000 -0500
39396+++ linux-2.6.32.48/drivers/scsi/scsi_tgt_lib.c 2011-11-15 19:59:43.000000000 -0500
39397@@ -362,7 +362,7 @@ static int scsi_map_user_pages(struct sc
39398 int err;
39399
39400 dprintk("%lx %u\n", uaddr, len);
39401- err = blk_rq_map_user(q, rq, NULL, (void *)uaddr, len, GFP_KERNEL);
39402+ err = blk_rq_map_user(q, rq, NULL, (void __user *)uaddr, len, GFP_KERNEL);
39403 if (err) {
39404 /*
39405 * TODO: need to fixup sg_tablesize, max_segment_size,
39406diff -urNp linux-2.6.32.48/drivers/scsi/scsi_transport_fc.c linux-2.6.32.48/drivers/scsi/scsi_transport_fc.c
39407--- linux-2.6.32.48/drivers/scsi/scsi_transport_fc.c 2011-11-08 19:02:43.000000000 -0500
39408+++ linux-2.6.32.48/drivers/scsi/scsi_transport_fc.c 2011-11-15 19:59:43.000000000 -0500
39409@@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
39410 * Netlink Infrastructure
39411 */
39412
39413-static atomic_t fc_event_seq;
39414+static atomic_unchecked_t fc_event_seq;
39415
39416 /**
39417 * fc_get_event_number - Obtain the next sequential FC event number
39418@@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
39419 u32
39420 fc_get_event_number(void)
39421 {
39422- return atomic_add_return(1, &fc_event_seq);
39423+ return atomic_add_return_unchecked(1, &fc_event_seq);
39424 }
39425 EXPORT_SYMBOL(fc_get_event_number);
39426
39427@@ -641,7 +641,7 @@ static __init int fc_transport_init(void
39428 {
39429 int error;
39430
39431- atomic_set(&fc_event_seq, 0);
39432+ atomic_set_unchecked(&fc_event_seq, 0);
39433
39434 error = transport_class_register(&fc_host_class);
39435 if (error)
39436diff -urNp linux-2.6.32.48/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.48/drivers/scsi/scsi_transport_iscsi.c
39437--- linux-2.6.32.48/drivers/scsi/scsi_transport_iscsi.c 2011-11-08 19:02:43.000000000 -0500
39438+++ linux-2.6.32.48/drivers/scsi/scsi_transport_iscsi.c 2011-11-15 19:59:43.000000000 -0500
39439@@ -81,7 +81,7 @@ struct iscsi_internal {
39440 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
39441 };
39442
39443-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
39444+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
39445 static struct workqueue_struct *iscsi_eh_timer_workq;
39446
39447 /*
39448@@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
39449 int err;
39450
39451 ihost = shost->shost_data;
39452- session->sid = atomic_add_return(1, &iscsi_session_nr);
39453+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
39454
39455 if (id == ISCSI_MAX_TARGET) {
39456 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
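Review bot: `session->sid` is an identifier rather than a statistic, so switching `iscsi_session_nr` to `atomic_add_return_unchecked()` records that the allocator may wrap, while nothing in the hunk checks that the returned id is not still held by a live session. Reaching the wrap takes a very large number of session creations, so this is a robustness point, but it deserves at least `/* sid may wrap; uniqueness among live sessions is not enforced here */` above the assignment, or an allocator that tracks ids in use. The `srp_rport_add` hunk below has the same shape: `next_port_id` feeds `dev_set_name(&rport->dev, "port-%d:%d", ...)`, where a wrapped value would also print as a negative number. `iscsi_add_session` continues outside the hunk.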
39457@@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
39458 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
39459 ISCSI_TRANSPORT_VERSION);
39460
39461- atomic_set(&iscsi_session_nr, 0);
39462+ atomic_set_unchecked(&iscsi_session_nr, 0);
39463
39464 err = class_register(&iscsi_transport_class);
39465 if (err)
39466diff -urNp linux-2.6.32.48/drivers/scsi/scsi_transport_srp.c linux-2.6.32.48/drivers/scsi/scsi_transport_srp.c
39467--- linux-2.6.32.48/drivers/scsi/scsi_transport_srp.c 2011-11-08 19:02:43.000000000 -0500
39468+++ linux-2.6.32.48/drivers/scsi/scsi_transport_srp.c 2011-11-15 19:59:43.000000000 -0500
39469@@ -33,7 +33,7 @@
39470 #include "scsi_transport_srp_internal.h"
39471
39472 struct srp_host_attrs {
39473- atomic_t next_port_id;
39474+ atomic_unchecked_t next_port_id;
39475 };
39476 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
39477
39478@@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
39479 struct Scsi_Host *shost = dev_to_shost(dev);
39480 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
39481
39482- atomic_set(&srp_host->next_port_id, 0);
39483+ atomic_set_unchecked(&srp_host->next_port_id, 0);
39484 return 0;
39485 }
39486
39487@@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
39488 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
39489 rport->roles = ids->roles;
39490
39491- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
39492+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
39493 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
39494
39495 transport_setup_device(&rport->dev);
39496diff -urNp linux-2.6.32.48/drivers/scsi/sg.c linux-2.6.32.48/drivers/scsi/sg.c
39497--- linux-2.6.32.48/drivers/scsi/sg.c 2011-11-08 19:02:43.000000000 -0500
39498+++ linux-2.6.32.48/drivers/scsi/sg.c 2011-11-15 19:59:43.000000000 -0500
39499@@ -1064,7 +1064,7 @@ sg_ioctl(struct inode *inode, struct fil
39500 sdp->disk->disk_name,
39501 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
39502 NULL,
39503- (char *)arg);
39504+ (char __user *)arg);
39505 case BLKTRACESTART:
39506 return blk_trace_startstop(sdp->device->request_queue, 1);
39507 case BLKTRACESTOP:
39508@@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
39509 const struct file_operations * fops;
39510 };
39511
39512-static struct sg_proc_leaf sg_proc_leaf_arr[] = {
39513+static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
39514 {"allow_dio", &adio_fops},
39515 {"debug", &debug_fops},
39516 {"def_reserved_size", &dressz_fops},
39517@@ -2307,7 +2307,7 @@ sg_proc_init(void)
39518 {
39519 int k, mask;
39520 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
39521- struct sg_proc_leaf * leaf;
39522+ const struct sg_proc_leaf * leaf;
39523
39524 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
39525 if (!sg_proc_sgp)
39526diff -urNp linux-2.6.32.48/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.48/drivers/scsi/sym53c8xx_2/sym_glue.c
39527--- linux-2.6.32.48/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-08 19:02:43.000000000 -0500
39528+++ linux-2.6.32.48/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-11-15 19:59:43.000000000 -0500
39529@@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
39530 int do_iounmap = 0;
39531 int do_disable_device = 1;
39532
39533+ pax_track_stack();
39534+
39535 memset(&sym_dev, 0, sizeof(sym_dev));
39536 memset(&nvram, 0, sizeof(nvram));
39537 sym_dev.pdev = pdev;
39538diff -urNp linux-2.6.32.48/drivers/serial/kgdboc.c linux-2.6.32.48/drivers/serial/kgdboc.c
39539--- linux-2.6.32.48/drivers/serial/kgdboc.c 2011-11-08 19:02:43.000000000 -0500
39540+++ linux-2.6.32.48/drivers/serial/kgdboc.c 2011-11-15 19:59:43.000000000 -0500
39541@@ -18,7 +18,7 @@
39542
39543 #define MAX_CONFIG_LEN 40
39544
39545-static struct kgdb_io kgdboc_io_ops;
39546+static const struct kgdb_io kgdboc_io_ops;
39547
39548 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
39549 static int configured = -1;
39550@@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
39551 module_put(THIS_MODULE);
39552 }
39553
39554-static struct kgdb_io kgdboc_io_ops = {
39555+static const struct kgdb_io kgdboc_io_ops = {
39556 .name = "kgdboc",
39557 .read_char = kgdboc_get_char,
39558 .write_char = kgdboc_put_char,
39559diff -urNp linux-2.6.32.48/drivers/spi/spi.c linux-2.6.32.48/drivers/spi/spi.c
39560--- linux-2.6.32.48/drivers/spi/spi.c 2011-11-08 19:02:43.000000000 -0500
39561+++ linux-2.6.32.48/drivers/spi/spi.c 2011-11-15 19:59:43.000000000 -0500
39562@@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
39563 EXPORT_SYMBOL_GPL(spi_sync);
39564
39565 /* portable code must never pass more than 32 bytes */
39566-#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
39567+#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
39568
39569 static u8 *buf;
39570
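Review bot: Changing the literal to `32U` satisfies the `max()` type check only if `SMP_CACHE_BYTES` expands to an `unsigned int` on every architecture. Its definition is not in this hunk, and where it is `int` or `unsigned long` the comparison would warn again. `max_t` states the intended type at the use site and does not depend on how each architecture spells the constant: `#define SPI_BUFSIZ max_t(unsigned int, 32, SMP_CACHE_BYTES)`.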
39571diff -urNp linux-2.6.32.48/drivers/staging/android/binder.c linux-2.6.32.48/drivers/staging/android/binder.c
39572--- linux-2.6.32.48/drivers/staging/android/binder.c 2011-11-08 19:02:43.000000000 -0500
39573+++ linux-2.6.32.48/drivers/staging/android/binder.c 2011-11-15 19:59:43.000000000 -0500
39574@@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
39575 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
39576 }
39577
39578-static struct vm_operations_struct binder_vm_ops = {
39579+static const struct vm_operations_struct binder_vm_ops = {
39580 .open = binder_vma_open,
39581 .close = binder_vma_close,
39582 };
39583diff -urNp linux-2.6.32.48/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.48/drivers/staging/b3dfg/b3dfg.c
39584--- linux-2.6.32.48/drivers/staging/b3dfg/b3dfg.c 2011-11-08 19:02:43.000000000 -0500
39585+++ linux-2.6.32.48/drivers/staging/b3dfg/b3dfg.c 2011-11-15 19:59:43.000000000 -0500
39586@@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
39587 return VM_FAULT_NOPAGE;
39588 }
39589
39590-static struct vm_operations_struct b3dfg_vm_ops = {
39591+static const struct vm_operations_struct b3dfg_vm_ops = {
39592 .fault = b3dfg_vma_fault,
39593 };
39594
39595@@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
39596 return r;
39597 }
39598
39599-static struct file_operations b3dfg_fops = {
39600+static const struct file_operations b3dfg_fops = {
39601 .owner = THIS_MODULE,
39602 .open = b3dfg_open,
39603 .release = b3dfg_release,
39604diff -urNp linux-2.6.32.48/drivers/staging/comedi/comedi_fops.c linux-2.6.32.48/drivers/staging/comedi/comedi_fops.c
39605--- linux-2.6.32.48/drivers/staging/comedi/comedi_fops.c 2011-11-08 19:02:43.000000000 -0500
39606+++ linux-2.6.32.48/drivers/staging/comedi/comedi_fops.c 2011-11-15 19:59:43.000000000 -0500
39607@@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
39608 mutex_unlock(&dev->mutex);
39609 }
39610
39611-static struct vm_operations_struct comedi_vm_ops = {
39612+static const struct vm_operations_struct comedi_vm_ops = {
39613 .close = comedi_unmap,
39614 };
39615
39616diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.48/drivers/staging/dream/qdsp5/adsp_driver.c
39617--- linux-2.6.32.48/drivers/staging/dream/qdsp5/adsp_driver.c 2011-11-08 19:02:43.000000000 -0500
39618+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/adsp_driver.c 2011-11-15 19:59:43.000000000 -0500
39619@@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
39620 static dev_t adsp_devno;
39621 static struct class *adsp_class;
39622
39623-static struct file_operations adsp_fops = {
39624+static const struct file_operations adsp_fops = {
39625 .owner = THIS_MODULE,
39626 .open = adsp_open,
39627 .unlocked_ioctl = adsp_ioctl,
39628diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_aac.c
39629--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_aac.c 2011-11-08 19:02:43.000000000 -0500
39630+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_aac.c 2011-11-15 19:59:43.000000000 -0500
39631@@ -1022,7 +1022,7 @@ done:
39632 return rc;
39633 }
39634
39635-static struct file_operations audio_aac_fops = {
39636+static const struct file_operations audio_aac_fops = {
39637 .owner = THIS_MODULE,
39638 .open = audio_open,
39639 .release = audio_release,
39640diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_amrnb.c
39641--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-11-08 19:02:43.000000000 -0500
39642+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-11-15 19:59:43.000000000 -0500
39643@@ -833,7 +833,7 @@ done:
39644 return rc;
39645 }
39646
39647-static struct file_operations audio_amrnb_fops = {
39648+static const struct file_operations audio_amrnb_fops = {
39649 .owner = THIS_MODULE,
39650 .open = audamrnb_open,
39651 .release = audamrnb_release,
39652diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_evrc.c
39653--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_evrc.c 2011-11-08 19:02:43.000000000 -0500
39654+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_evrc.c 2011-11-15 19:59:43.000000000 -0500
39655@@ -805,7 +805,7 @@ dma_fail:
39656 return rc;
39657 }
39658
39659-static struct file_operations audio_evrc_fops = {
39660+static const struct file_operations audio_evrc_fops = {
39661 .owner = THIS_MODULE,
39662 .open = audevrc_open,
39663 .release = audevrc_release,
39664diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_in.c
39665--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_in.c 2011-11-08 19:02:43.000000000 -0500
39666+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_in.c 2011-11-15 19:59:43.000000000 -0500
39667@@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
39668 return 0;
39669 }
39670
39671-static struct file_operations audio_fops = {
39672+static const struct file_operations audio_fops = {
39673 .owner = THIS_MODULE,
39674 .open = audio_in_open,
39675 .release = audio_in_release,
39676@@ -922,7 +922,7 @@ static struct file_operations audio_fops
39677 .unlocked_ioctl = audio_in_ioctl,
39678 };
39679
39680-static struct file_operations audpre_fops = {
39681+static const struct file_operations audpre_fops = {
39682 .owner = THIS_MODULE,
39683 .open = audpre_open,
39684 .unlocked_ioctl = audpre_ioctl,
39685diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_mp3.c
39686--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_mp3.c 2011-11-08 19:02:43.000000000 -0500
39687+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_mp3.c 2011-11-15 19:59:43.000000000 -0500
39688@@ -941,7 +941,7 @@ done:
39689 return rc;
39690 }
39691
39692-static struct file_operations audio_mp3_fops = {
39693+static const struct file_operations audio_mp3_fops = {
39694 .owner = THIS_MODULE,
39695 .open = audio_open,
39696 .release = audio_release,
39697diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_out.c
39698--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_out.c 2011-11-08 19:02:43.000000000 -0500
39699+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_out.c 2011-11-15 19:59:43.000000000 -0500
39700@@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
39701 return 0;
39702 }
39703
39704-static struct file_operations audio_fops = {
39705+static const struct file_operations audio_fops = {
39706 .owner = THIS_MODULE,
39707 .open = audio_open,
39708 .release = audio_release,
39709@@ -819,7 +819,7 @@ static struct file_operations audio_fops
39710 .unlocked_ioctl = audio_ioctl,
39711 };
39712
39713-static struct file_operations audpp_fops = {
39714+static const struct file_operations audpp_fops = {
39715 .owner = THIS_MODULE,
39716 .open = audpp_open,
39717 .unlocked_ioctl = audpp_ioctl,
39718diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_qcelp.c
39719--- linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-11-08 19:02:43.000000000 -0500
39720+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-11-15 19:59:43.000000000 -0500
39721@@ -816,7 +816,7 @@ err:
39722 return rc;
39723 }
39724
39725-static struct file_operations audio_qcelp_fops = {
39726+static const struct file_operations audio_qcelp_fops = {
39727 .owner = THIS_MODULE,
39728 .open = audqcelp_open,
39729 .release = audqcelp_release,
39730diff -urNp linux-2.6.32.48/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.48/drivers/staging/dream/qdsp5/snd.c
39731--- linux-2.6.32.48/drivers/staging/dream/qdsp5/snd.c 2011-11-08 19:02:43.000000000 -0500
39732+++ linux-2.6.32.48/drivers/staging/dream/qdsp5/snd.c 2011-11-15 19:59:43.000000000 -0500
39733@@ -242,7 +242,7 @@ err:
39734 return rc;
39735 }
39736
39737-static struct file_operations snd_fops = {
39738+static const struct file_operations snd_fops = {
39739 .owner = THIS_MODULE,
39740 .open = snd_open,
39741 .release = snd_release,
39742diff -urNp linux-2.6.32.48/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.48/drivers/staging/dream/smd/smd_qmi.c
39743--- linux-2.6.32.48/drivers/staging/dream/smd/smd_qmi.c 2011-11-08 19:02:43.000000000 -0500
39744+++ linux-2.6.32.48/drivers/staging/dream/smd/smd_qmi.c 2011-11-15 19:59:43.000000000 -0500
39745@@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
39746 return 0;
39747 }
39748
39749-static struct file_operations qmi_fops = {
39750+static const struct file_operations qmi_fops = {
39751 .owner = THIS_MODULE,
39752 .read = qmi_read,
39753 .write = qmi_write,
39754diff -urNp linux-2.6.32.48/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.48/drivers/staging/dream/smd/smd_rpcrouter_device.c
39755--- linux-2.6.32.48/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-11-08 19:02:43.000000000 -0500
39756+++ linux-2.6.32.48/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-11-15 19:59:43.000000000 -0500
39757@@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
39758 return rc;
39759 }
39760
39761-static struct file_operations rpcrouter_server_fops = {
39762+static const struct file_operations rpcrouter_server_fops = {
39763 .owner = THIS_MODULE,
39764 .open = rpcrouter_open,
39765 .release = rpcrouter_release,
39766@@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
39767 .unlocked_ioctl = rpcrouter_ioctl,
39768 };
39769
39770-static struct file_operations rpcrouter_router_fops = {
39771+static const struct file_operations rpcrouter_router_fops = {
39772 .owner = THIS_MODULE,
39773 .open = rpcrouter_open,
39774 .release = rpcrouter_release,
39775diff -urNp linux-2.6.32.48/drivers/staging/dst/dcore.c linux-2.6.32.48/drivers/staging/dst/dcore.c
39776--- linux-2.6.32.48/drivers/staging/dst/dcore.c 2011-11-08 19:02:43.000000000 -0500
39777+++ linux-2.6.32.48/drivers/staging/dst/dcore.c 2011-11-15 19:59:43.000000000 -0500
39778@@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
39779 return 0;
39780 }
39781
39782-static struct block_device_operations dst_blk_ops = {
39783+static const struct block_device_operations dst_blk_ops = {
39784 .open = dst_bdev_open,
39785 .release = dst_bdev_release,
39786 .owner = THIS_MODULE,
39787@@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
39788 n->size = ctl->size;
39789
39790 atomic_set(&n->refcnt, 1);
39791- atomic_long_set(&n->gen, 0);
39792+ atomic_long_set_unchecked(&n->gen, 0);
39793 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
39794
39795 err = dst_node_sysfs_init(n);
39796diff -urNp linux-2.6.32.48/drivers/staging/dst/trans.c linux-2.6.32.48/drivers/staging/dst/trans.c
39797--- linux-2.6.32.48/drivers/staging/dst/trans.c 2011-11-08 19:02:43.000000000 -0500
39798+++ linux-2.6.32.48/drivers/staging/dst/trans.c 2011-11-15 19:59:43.000000000 -0500
39799@@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
39800 t->error = 0;
39801 t->retries = 0;
39802 atomic_set(&t->refcnt, 1);
39803- t->gen = atomic_long_inc_return(&n->gen);
39804+ t->gen = atomic_long_inc_return_unchecked(&n->gen);
39805
39806 t->enc = bio_data_dir(bio);
39807 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
39808diff -urNp linux-2.6.32.48/drivers/staging/et131x/et1310_tx.c linux-2.6.32.48/drivers/staging/et131x/et1310_tx.c
39809--- linux-2.6.32.48/drivers/staging/et131x/et1310_tx.c 2011-11-08 19:02:43.000000000 -0500
39810+++ linux-2.6.32.48/drivers/staging/et131x/et1310_tx.c 2011-11-15 19:59:43.000000000 -0500
39811@@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
39812 struct net_device_stats *stats = &etdev->net_stats;
39813
39814 if (pMpTcb->Flags & fMP_DEST_BROAD)
39815- atomic_inc(&etdev->Stats.brdcstxmt);
39816+ atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
39817 else if (pMpTcb->Flags & fMP_DEST_MULTI)
39818- atomic_inc(&etdev->Stats.multixmt);
39819+ atomic_inc_unchecked(&etdev->Stats.multixmt);
39820 else
39821- atomic_inc(&etdev->Stats.unixmt);
39822+ atomic_inc_unchecked(&etdev->Stats.unixmt);
39823
39824 if (pMpTcb->Packet) {
39825 stats->tx_bytes += pMpTcb->Packet->len;
39826diff -urNp linux-2.6.32.48/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.48/drivers/staging/et131x/et131x_adapter.h
39827--- linux-2.6.32.48/drivers/staging/et131x/et131x_adapter.h 2011-11-08 19:02:43.000000000 -0500
39828+++ linux-2.6.32.48/drivers/staging/et131x/et131x_adapter.h 2011-11-15 19:59:43.000000000 -0500
39829@@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
39830 * operations
39831 */
39832 u32 unircv; /* # multicast packets received */
39833- atomic_t unixmt; /* # multicast packets for Tx */
39834+ atomic_unchecked_t unixmt; /* # multicast packets for Tx */
39835 u32 multircv; /* # multicast packets received */
39836- atomic_t multixmt; /* # multicast packets for Tx */
39837+ atomic_unchecked_t multixmt; /* # multicast packets for Tx */
39838 u32 brdcstrcv; /* # broadcast packets received */
39839- atomic_t brdcstxmt; /* # broadcast packets for Tx */
39840+ atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
39841 u32 norcvbuf; /* # Rx packets discarded */
39842 u32 noxmtbuf; /* # Tx packets discarded */
39843
39844diff -urNp linux-2.6.32.48/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.48/drivers/staging/go7007/go7007-v4l2.c
39845--- linux-2.6.32.48/drivers/staging/go7007/go7007-v4l2.c 2011-11-08 19:02:43.000000000 -0500
39846+++ linux-2.6.32.48/drivers/staging/go7007/go7007-v4l2.c 2011-11-15 19:59:43.000000000 -0500
39847@@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
39848 return 0;
39849 }
39850
39851-static struct vm_operations_struct go7007_vm_ops = {
39852+static const struct vm_operations_struct go7007_vm_ops = {
39853 .open = go7007_vm_open,
39854 .close = go7007_vm_close,
39855 .fault = go7007_vm_fault,
39856diff -urNp linux-2.6.32.48/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.48/drivers/staging/hv/blkvsc_drv.c
39857--- linux-2.6.32.48/drivers/staging/hv/blkvsc_drv.c 2011-11-08 19:02:43.000000000 -0500
39858+++ linux-2.6.32.48/drivers/staging/hv/blkvsc_drv.c 2011-11-15 19:59:43.000000000 -0500
39859@@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
39860 /* The one and only one */
39861 static struct blkvsc_driver_context g_blkvsc_drv;
39862
39863-static struct block_device_operations block_ops = {
39864+static const struct block_device_operations block_ops = {
39865 .owner = THIS_MODULE,
39866 .open = blkvsc_open,
39867 .release = blkvsc_release,
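--- a/drivers/staging/hv/Channel.c
+++ b/drivers/staging/hv/Channel.c
@@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
 
 DPRINT_ENTER(VMBUS);
 
- nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
- atomic_inc(&gVmbusConnection.NextGpadlHandle);
+ nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
+ atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
 
 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
 ASSERT(msgInfo != NULL);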
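Review bot: `atomic_read_unchecked()` followed by a separate `atomic_inc_unchecked()` on `gVmbusConnection.NextGpadlHandle` is not a single atomic step, so two concurrent callers of VmbusChannelEstablishGpadl can read the same handle value before either of them increments it. The conversion to the unchecked variants keeps that pattern; one fetch-and-increment would close the window, `nextGpadlHandle = atomic_inc_return_unchecked(&gVmbusConnection.NextGpadlHandle) - 1;`. The function body starts and ends outside the hunk, so a lock held around these two lines would not be visible here. Because the counter is now allowed to wrap, a comment on the field saying that GPADL handles are identifiers and not reference counts would record why the overflow check is dropped.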
39882diff -urNp linux-2.6.32.48/drivers/staging/hv/Hv.c linux-2.6.32.48/drivers/staging/hv/Hv.c
39883--- linux-2.6.32.48/drivers/staging/hv/Hv.c 2011-11-08 19:02:43.000000000 -0500
39884+++ linux-2.6.32.48/drivers/staging/hv/Hv.c 2011-11-15 19:59:43.000000000 -0500
39885@@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
39886 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
39887 u32 outputAddressHi = outputAddress >> 32;
39888 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
39889- volatile void *hypercallPage = gHvContext.HypercallPage;
39890+ volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
39891
39892 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
39893 Control, Input, Output);
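--- a/drivers/staging/hv/VmbusApi.h
+++ b/drivers/staging/hv/VmbusApi.h
@@ -109,7 +109,7 @@ struct vmbus_channel_interface {
 u32 *GpadlHandle);
 int (*TeardownGpadl)(struct hv_device *device, u32 GpadlHandle);
 void (*GetInfo)(struct hv_device *dev, struct hv_device_info *devinfo);
-};
+} __no_const;
 
 /* Base driver object */
 struct hv_driver {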
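Review bot: `__no_const` on `struct vmbus_channel_interface` exempts this function-pointer table from being made read-only, and the hunk gives no reason for the exemption. A writable table of function pointers is exactly what the surrounding `const` conversions are removing, so each exemption should say which code assigns the members at run time, for example `/* __no_const: members are filled in at run time by <initialiser, to be named> */`. The same annotation is added without a comment to `iio_ring_access_funcs`, `zsCbFuncTbl`, the `eh_ops` member of `usbip_device` and `usbctlx_completor` in later sections.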
39906diff -urNp linux-2.6.32.48/drivers/staging/hv/vmbus_drv.c linux-2.6.32.48/drivers/staging/hv/vmbus_drv.c
39907--- linux-2.6.32.48/drivers/staging/hv/vmbus_drv.c 2011-11-08 19:02:43.000000000 -0500
39908+++ linux-2.6.32.48/drivers/staging/hv/vmbus_drv.c 2011-11-15 19:59:43.000000000 -0500
39909@@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
39910 to_device_context(root_device_obj);
39911 struct device_context *child_device_ctx =
39912 to_device_context(child_device_obj);
39913- static atomic_t device_num = ATOMIC_INIT(0);
39914+ static atomic_unchecked_t device_num = ATOMIC_INIT(0);
39915
39916 DPRINT_ENTER(VMBUS_DRV);
39917
39918@@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
39919
39920 /* Set the device name. Otherwise, device_register() will fail. */
39921 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
39922- atomic_inc_return(&device_num));
39923+ atomic_inc_return_unchecked(&device_num));
39924
39925 /* The new device belongs to this bus */
39926 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
39927diff -urNp linux-2.6.32.48/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.48/drivers/staging/hv/VmbusPrivate.h
39928--- linux-2.6.32.48/drivers/staging/hv/VmbusPrivate.h 2011-11-08 19:02:43.000000000 -0500
39929+++ linux-2.6.32.48/drivers/staging/hv/VmbusPrivate.h 2011-11-15 19:59:43.000000000 -0500
39930@@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
39931 struct VMBUS_CONNECTION {
39932 enum VMBUS_CONNECT_STATE ConnectState;
39933
39934- atomic_t NextGpadlHandle;
39935+ atomic_unchecked_t NextGpadlHandle;
39936
39937 /*
39938 * Represents channel interrupts. Each bit position represents a
39939diff -urNp linux-2.6.32.48/drivers/staging/iio/ring_generic.h linux-2.6.32.48/drivers/staging/iio/ring_generic.h
39940--- linux-2.6.32.48/drivers/staging/iio/ring_generic.h 2011-11-08 19:02:43.000000000 -0500
39941+++ linux-2.6.32.48/drivers/staging/iio/ring_generic.h 2011-11-15 19:59:43.000000000 -0500
39942@@ -87,7 +87,7 @@ struct iio_ring_access_funcs {
39943
39944 int (*is_enabled)(struct iio_ring_buffer *ring);
39945 int (*enable)(struct iio_ring_buffer *ring);
39946-};
39947+} __no_const;
39948
39949 /**
39950 * struct iio_ring_buffer - general ring buffer structure
39951diff -urNp linux-2.6.32.48/drivers/staging/octeon/ethernet.c linux-2.6.32.48/drivers/staging/octeon/ethernet.c
39952--- linux-2.6.32.48/drivers/staging/octeon/ethernet.c 2011-11-08 19:02:43.000000000 -0500
39953+++ linux-2.6.32.48/drivers/staging/octeon/ethernet.c 2011-11-15 19:59:43.000000000 -0500
39954@@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
39955 * since the RX tasklet also increments it.
39956 */
39957 #ifdef CONFIG_64BIT
39958- atomic64_add(rx_status.dropped_packets,
39959- (atomic64_t *)&priv->stats.rx_dropped);
39960+ atomic64_add_unchecked(rx_status.dropped_packets,
39961+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
39962 #else
39963- atomic_add(rx_status.dropped_packets,
39964- (atomic_t *)&priv->stats.rx_dropped);
39965+ atomic_add_unchecked(rx_status.dropped_packets,
39966+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
39967 #endif
39968 }
39969
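--- a/drivers/staging/octeon/ethernet-rx.c
+++ b/drivers/staging/octeon/ethernet-rx.c
@@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
 /* Increment RX stats for virtual ports */
 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
 #ifdef CONFIG_64BIT
- atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
- atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
+ atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
+ atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
 #else
- atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
- atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
+ atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
+ atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
 #endif
 }
 netif_receive_skb(skb);
@@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
 dev->name);
 */
 #ifdef CONFIG_64BIT
- atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
+ atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
 #else
- atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
+ atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
 #endif
 dev_kfree_skb_irq(skb);
 }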
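Review bot: In the second hunk the calls were renamed to `atomic64_add_unchecked` and `atomic_add_unchecked`, but the casts still read `(atomic64_t *)` and `(atomic_t *)`. The first hunk of this file and the matching change in ethernet.c cast to the `_unchecked_t` types instead. Where the unchecked types are distinct from the checked ones, this passes a pointer of the wrong type to the helper. The two lines should read `atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_dropped);` and `atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_dropped);`. cvm_oct_tasklet_rx starts and ends outside both hunks.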
40001diff -urNp linux-2.6.32.48/drivers/staging/otus/80211core/pub_zfi.h linux-2.6.32.48/drivers/staging/otus/80211core/pub_zfi.h
40002--- linux-2.6.32.48/drivers/staging/otus/80211core/pub_zfi.h 2011-11-08 19:02:43.000000000 -0500
40003+++ linux-2.6.32.48/drivers/staging/otus/80211core/pub_zfi.h 2011-11-18 18:01:55.000000000 -0500
40004@@ -531,7 +531,7 @@ struct zsCbFuncTbl
40005 u8_t (*zfcbClassifyTxPacket)(zdev_t* dev, zbuf_t* buf);
40006
40007 void (*zfcbHwWatchDogNotify)(zdev_t* dev);
40008-};
40009+} __no_const;
40010
40011 extern void zfZeroMemory(u8_t* va, u16_t length);
40012 #define ZM_INIT_CB_FUNC_TABLE(p) zfZeroMemory((u8_t *)p, sizeof(struct zsCbFuncTbl));
40013diff -urNp linux-2.6.32.48/drivers/staging/panel/panel.c linux-2.6.32.48/drivers/staging/panel/panel.c
40014--- linux-2.6.32.48/drivers/staging/panel/panel.c 2011-11-08 19:02:43.000000000 -0500
40015+++ linux-2.6.32.48/drivers/staging/panel/panel.c 2011-11-15 19:59:43.000000000 -0500
40016@@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
40017 return 0;
40018 }
40019
40020-static struct file_operations lcd_fops = {
40021+static const struct file_operations lcd_fops = {
40022 .write = lcd_write,
40023 .open = lcd_open,
40024 .release = lcd_release,
40025@@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
40026 return 0;
40027 }
40028
40029-static struct file_operations keypad_fops = {
40030+static const struct file_operations keypad_fops = {
40031 .read = keypad_read, /* read */
40032 .open = keypad_open, /* open */
40033 .release = keypad_release, /* close */
40034diff -urNp linux-2.6.32.48/drivers/staging/phison/phison.c linux-2.6.32.48/drivers/staging/phison/phison.c
40035--- linux-2.6.32.48/drivers/staging/phison/phison.c 2011-11-08 19:02:43.000000000 -0500
40036+++ linux-2.6.32.48/drivers/staging/phison/phison.c 2011-11-15 19:59:43.000000000 -0500
40037@@ -43,7 +43,7 @@ static struct scsi_host_template phison_
40038 ATA_BMDMA_SHT(DRV_NAME),
40039 };
40040
40041-static struct ata_port_operations phison_ops = {
40042+static const struct ata_port_operations phison_ops = {
40043 .inherits = &ata_bmdma_port_ops,
40044 .prereset = phison_pre_reset,
40045 };
40046diff -urNp linux-2.6.32.48/drivers/staging/poch/poch.c linux-2.6.32.48/drivers/staging/poch/poch.c
40047--- linux-2.6.32.48/drivers/staging/poch/poch.c 2011-11-08 19:02:43.000000000 -0500
40048+++ linux-2.6.32.48/drivers/staging/poch/poch.c 2011-11-15 19:59:43.000000000 -0500
40049@@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
40050 return 0;
40051 }
40052
40053-static struct file_operations poch_fops = {
40054+static const struct file_operations poch_fops = {
40055 .owner = THIS_MODULE,
40056 .open = poch_open,
40057 .release = poch_release,
40058diff -urNp linux-2.6.32.48/drivers/staging/pohmelfs/inode.c linux-2.6.32.48/drivers/staging/pohmelfs/inode.c
40059--- linux-2.6.32.48/drivers/staging/pohmelfs/inode.c 2011-11-08 19:02:43.000000000 -0500
40060+++ linux-2.6.32.48/drivers/staging/pohmelfs/inode.c 2011-11-15 19:59:43.000000000 -0500
40061@@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
40062 mutex_init(&psb->mcache_lock);
40063 psb->mcache_root = RB_ROOT;
40064 psb->mcache_timeout = msecs_to_jiffies(5000);
40065- atomic_long_set(&psb->mcache_gen, 0);
40066+ atomic_long_set_unchecked(&psb->mcache_gen, 0);
40067
40068 psb->trans_max_pages = 100;
40069
40070@@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
40071 INIT_LIST_HEAD(&psb->crypto_ready_list);
40072 INIT_LIST_HEAD(&psb->crypto_active_list);
40073
40074- atomic_set(&psb->trans_gen, 1);
40075+ atomic_set_unchecked(&psb->trans_gen, 1);
40076 atomic_long_set(&psb->total_inodes, 0);
40077
40078 mutex_init(&psb->state_lock);
40079diff -urNp linux-2.6.32.48/drivers/staging/pohmelfs/mcache.c linux-2.6.32.48/drivers/staging/pohmelfs/mcache.c
40080--- linux-2.6.32.48/drivers/staging/pohmelfs/mcache.c 2011-11-08 19:02:43.000000000 -0500
40081+++ linux-2.6.32.48/drivers/staging/pohmelfs/mcache.c 2011-11-15 19:59:43.000000000 -0500
40082@@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
40083 m->data = data;
40084 m->start = start;
40085 m->size = size;
40086- m->gen = atomic_long_inc_return(&psb->mcache_gen);
40087+ m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
40088
40089 mutex_lock(&psb->mcache_lock);
40090 err = pohmelfs_mcache_insert(psb, m);
40091diff -urNp linux-2.6.32.48/drivers/staging/pohmelfs/netfs.h linux-2.6.32.48/drivers/staging/pohmelfs/netfs.h
40092--- linux-2.6.32.48/drivers/staging/pohmelfs/netfs.h 2011-11-08 19:02:43.000000000 -0500
40093+++ linux-2.6.32.48/drivers/staging/pohmelfs/netfs.h 2011-11-15 19:59:43.000000000 -0500
40094@@ -570,14 +570,14 @@ struct pohmelfs_config;
40095 struct pohmelfs_sb {
40096 struct rb_root mcache_root;
40097 struct mutex mcache_lock;
40098- atomic_long_t mcache_gen;
40099+ atomic_long_unchecked_t mcache_gen;
40100 unsigned long mcache_timeout;
40101
40102 unsigned int idx;
40103
40104 unsigned int trans_retries;
40105
40106- atomic_t trans_gen;
40107+ atomic_unchecked_t trans_gen;
40108
40109 unsigned int crypto_attached_size;
40110 unsigned int crypto_align_size;
40111diff -urNp linux-2.6.32.48/drivers/staging/pohmelfs/trans.c linux-2.6.32.48/drivers/staging/pohmelfs/trans.c
40112--- linux-2.6.32.48/drivers/staging/pohmelfs/trans.c 2011-11-08 19:02:43.000000000 -0500
40113+++ linux-2.6.32.48/drivers/staging/pohmelfs/trans.c 2011-11-15 19:59:43.000000000 -0500
40114@@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
40115 int err;
40116 struct netfs_cmd *cmd = t->iovec.iov_base;
40117
40118- t->gen = atomic_inc_return(&psb->trans_gen);
40119+ t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
40120
40121 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
40122 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
40123diff -urNp linux-2.6.32.48/drivers/staging/sep/sep_driver.c linux-2.6.32.48/drivers/staging/sep/sep_driver.c
40124--- linux-2.6.32.48/drivers/staging/sep/sep_driver.c 2011-11-08 19:02:43.000000000 -0500
40125+++ linux-2.6.32.48/drivers/staging/sep/sep_driver.c 2011-11-15 19:59:43.000000000 -0500
40126@@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
40127 static dev_t sep_devno;
40128
40129 /* the files operations structure of the driver */
40130-static struct file_operations sep_file_operations = {
40131+static const struct file_operations sep_file_operations = {
40132 .owner = THIS_MODULE,
40133 .ioctl = sep_ioctl,
40134 .poll = sep_poll,
40135diff -urNp linux-2.6.32.48/drivers/staging/usbip/usbip_common.h linux-2.6.32.48/drivers/staging/usbip/usbip_common.h
40136--- linux-2.6.32.48/drivers/staging/usbip/usbip_common.h 2011-11-08 19:02:43.000000000 -0500
40137+++ linux-2.6.32.48/drivers/staging/usbip/usbip_common.h 2011-11-15 19:59:43.000000000 -0500
40138@@ -374,7 +374,7 @@ struct usbip_device {
40139 void (*shutdown)(struct usbip_device *);
40140 void (*reset)(struct usbip_device *);
40141 void (*unusable)(struct usbip_device *);
40142- } eh_ops;
40143+ } __no_const eh_ops;
40144 };
40145
40146
40147diff -urNp linux-2.6.32.48/drivers/staging/usbip/vhci.h linux-2.6.32.48/drivers/staging/usbip/vhci.h
40148--- linux-2.6.32.48/drivers/staging/usbip/vhci.h 2011-11-08 19:02:43.000000000 -0500
40149+++ linux-2.6.32.48/drivers/staging/usbip/vhci.h 2011-11-15 19:59:43.000000000 -0500
40150@@ -92,7 +92,7 @@ struct vhci_hcd {
40151 unsigned resuming:1;
40152 unsigned long re_timeout;
40153
40154- atomic_t seqnum;
40155+ atomic_unchecked_t seqnum;
40156
40157 /*
40158 * NOTE:
40159diff -urNp linux-2.6.32.48/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.48/drivers/staging/usbip/vhci_hcd.c
40160--- linux-2.6.32.48/drivers/staging/usbip/vhci_hcd.c 2011-11-08 19:02:43.000000000 -0500
40161+++ linux-2.6.32.48/drivers/staging/usbip/vhci_hcd.c 2011-11-15 19:59:43.000000000 -0500
40162@@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
40163 return;
40164 }
40165
40166- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
40167+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40168 if (priv->seqnum == 0xffff)
40169 usbip_uinfo("seqnum max\n");
40170
40171@@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
40172 return -ENOMEM;
40173 }
40174
40175- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
40176+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
40177 if (unlink->seqnum == 0xffff)
40178 usbip_uinfo("seqnum max\n");
40179
40180@@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
40181 vdev->rhport = rhport;
40182 }
40183
40184- atomic_set(&vhci->seqnum, 0);
40185+ atomic_set_unchecked(&vhci->seqnum, 0);
40186 spin_lock_init(&vhci->lock);
40187
40188
40189diff -urNp linux-2.6.32.48/drivers/staging/usbip/vhci_rx.c linux-2.6.32.48/drivers/staging/usbip/vhci_rx.c
40190--- linux-2.6.32.48/drivers/staging/usbip/vhci_rx.c 2011-11-08 19:02:43.000000000 -0500
40191+++ linux-2.6.32.48/drivers/staging/usbip/vhci_rx.c 2011-11-15 19:59:43.000000000 -0500
40192@@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
40193 usbip_uerr("cannot find a urb of seqnum %u\n",
40194 pdu->base.seqnum);
40195 usbip_uinfo("max seqnum %d\n",
40196- atomic_read(&the_controller->seqnum));
40197+ atomic_read_unchecked(&the_controller->seqnum));
40198 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
40199 return;
40200 }
40201diff -urNp linux-2.6.32.48/drivers/staging/vme/devices/vme_user.c linux-2.6.32.48/drivers/staging/vme/devices/vme_user.c
40202--- linux-2.6.32.48/drivers/staging/vme/devices/vme_user.c 2011-11-08 19:02:43.000000000 -0500
40203+++ linux-2.6.32.48/drivers/staging/vme/devices/vme_user.c 2011-11-15 19:59:43.000000000 -0500
40204@@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
40205 static int __init vme_user_probe(struct device *, int, int);
40206 static int __exit vme_user_remove(struct device *, int, int);
40207
40208-static struct file_operations vme_user_fops = {
40209+static const struct file_operations vme_user_fops = {
40210 .open = vme_user_open,
40211 .release = vme_user_release,
40212 .read = vme_user_read,
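--- a/drivers/staging/vt6655/hostap.c
+++ b/drivers/staging/vt6655/hostap.c
@@ -84,7 +84,7 @@ static int hostap_enable_hostapd(PSDevic
 PSDevice apdev_priv;
 struct net_device *dev = pDevice->dev;
 int ret;
- const struct net_device_ops apdev_netdev_ops = {
+ net_device_ops_no_const apdev_netdev_ops = {
 .ndo_start_xmit = pDevice->tx_80211,
 };
 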
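Review bot: `apdev_netdev_ops` is a function-local object (its initializer reads the parameter `pDevice`), and switching its type to `net_device_ops_no_const` does not change its lifetime. If hostap_enable_hostapd stores `&apdev_netdev_ops` in the new net_device's `netdev_ops`, the device keeps a pointer into a stack frame that no longer exists once the function returns. That assignment would be outside the hunk, so it is an assumption to confirm. An ops table with static storage or one embedded in the device's private data, with `ndo_start_xmit` assigned before registration, would outlive the call. The identical declaration is changed in drivers/staging/vt6656/hostap.c and needs the same check.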
40225diff -urNp linux-2.6.32.48/drivers/staging/vt6656/hostap.c linux-2.6.32.48/drivers/staging/vt6656/hostap.c
40226--- linux-2.6.32.48/drivers/staging/vt6656/hostap.c 2011-11-08 19:02:43.000000000 -0500
40227+++ linux-2.6.32.48/drivers/staging/vt6656/hostap.c 2011-11-15 19:59:43.000000000 -0500
40228@@ -86,7 +86,7 @@ static int hostap_enable_hostapd(PSDevic
40229 PSDevice apdev_priv;
40230 struct net_device *dev = pDevice->dev;
40231 int ret;
40232- const struct net_device_ops apdev_netdev_ops = {
40233+ net_device_ops_no_const apdev_netdev_ops = {
40234 .ndo_start_xmit = pDevice->tx_80211,
40235 };
40236
40237diff -urNp linux-2.6.32.48/drivers/staging/wlan-ng/hfa384x_usb.c linux-2.6.32.48/drivers/staging/wlan-ng/hfa384x_usb.c
40238--- linux-2.6.32.48/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-08 19:02:43.000000000 -0500
40239+++ linux-2.6.32.48/drivers/staging/wlan-ng/hfa384x_usb.c 2011-11-15 19:59:43.000000000 -0500
40240@@ -205,7 +205,7 @@ static void unlocked_usbctlx_complete(hf
40241
40242 struct usbctlx_completor {
40243 int (*complete) (struct usbctlx_completor *);
40244-};
40245+} __no_const;
40246 typedef struct usbctlx_completor usbctlx_completor_t;
40247
40248 static int
40249diff -urNp linux-2.6.32.48/drivers/telephony/ixj.c linux-2.6.32.48/drivers/telephony/ixj.c
40250--- linux-2.6.32.48/drivers/telephony/ixj.c 2011-11-08 19:02:43.000000000 -0500
40251+++ linux-2.6.32.48/drivers/telephony/ixj.c 2011-11-15 19:59:43.000000000 -0500
40252@@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
40253 bool mContinue;
40254 char *pIn, *pOut;
40255
40256+ pax_track_stack();
40257+
40258 if (!SCI_Prepare(j))
40259 return 0;
40260
40261diff -urNp linux-2.6.32.48/drivers/uio/uio.c linux-2.6.32.48/drivers/uio/uio.c
40262--- linux-2.6.32.48/drivers/uio/uio.c 2011-11-08 19:02:43.000000000 -0500
40263+++ linux-2.6.32.48/drivers/uio/uio.c 2011-11-15 19:59:43.000000000 -0500
40264@@ -23,6 +23,7 @@
40265 #include <linux/string.h>
40266 #include <linux/kobject.h>
40267 #include <linux/uio_driver.h>
40268+#include <asm/local.h>
40269
40270 #define UIO_MAX_DEVICES 255
40271
40272@@ -30,10 +31,10 @@ struct uio_device {
40273 struct module *owner;
40274 struct device *dev;
40275 int minor;
40276- atomic_t event;
40277+ atomic_unchecked_t event;
40278 struct fasync_struct *async_queue;
40279 wait_queue_head_t wait;
40280- int vma_count;
40281+ local_t vma_count;
40282 struct uio_info *info;
40283 struct kobject *map_dir;
40284 struct kobject *portio_dir;
40285@@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
40286 return entry->show(mem, buf);
40287 }
40288
40289-static struct sysfs_ops map_sysfs_ops = {
40290+static const struct sysfs_ops map_sysfs_ops = {
40291 .show = map_type_show,
40292 };
40293
40294@@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
40295 return entry->show(port, buf);
40296 }
40297
40298-static struct sysfs_ops portio_sysfs_ops = {
40299+static const struct sysfs_ops portio_sysfs_ops = {
40300 .show = portio_type_show,
40301 };
40302
40303@@ -255,7 +256,7 @@ static ssize_t show_event(struct device
40304 struct uio_device *idev = dev_get_drvdata(dev);
40305 if (idev)
40306 return sprintf(buf, "%u\n",
40307- (unsigned int)atomic_read(&idev->event));
40308+ (unsigned int)atomic_read_unchecked(&idev->event));
40309 else
40310 return -ENODEV;
40311 }
40312@@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
40313 {
40314 struct uio_device *idev = info->uio_dev;
40315
40316- atomic_inc(&idev->event);
40317+ atomic_inc_unchecked(&idev->event);
40318 wake_up_interruptible(&idev->wait);
40319 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
40320 }
40321@@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
40322 }
40323
40324 listener->dev = idev;
40325- listener->event_count = atomic_read(&idev->event);
40326+ listener->event_count = atomic_read_unchecked(&idev->event);
40327 filep->private_data = listener;
40328
40329 if (idev->info->open) {
40330@@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
40331 return -EIO;
40332
40333 poll_wait(filep, &idev->wait, wait);
40334- if (listener->event_count != atomic_read(&idev->event))
40335+ if (listener->event_count != atomic_read_unchecked(&idev->event))
40336 return POLLIN | POLLRDNORM;
40337 return 0;
40338 }
40339@@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
40340 do {
40341 set_current_state(TASK_INTERRUPTIBLE);
40342
40343- event_count = atomic_read(&idev->event);
40344+ event_count = atomic_read_unchecked(&idev->event);
40345 if (event_count != listener->event_count) {
40346 if (copy_to_user(buf, &event_count, count))
40347 retval = -EFAULT;
40348@@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
40349 static void uio_vma_open(struct vm_area_struct *vma)
40350 {
40351 struct uio_device *idev = vma->vm_private_data;
40352- idev->vma_count++;
40353+ local_inc(&idev->vma_count);
40354 }
40355
40356 static void uio_vma_close(struct vm_area_struct *vma)
40357 {
40358 struct uio_device *idev = vma->vm_private_data;
40359- idev->vma_count--;
40360+ local_dec(&idev->vma_count);
40361 }
40362
40363 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
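Review bot: `local_inc(&idev->vma_count)` and `local_dec(&idev->vma_count)` are atomic only with respect to the CPU they run on, so if uio_vma_open and uio_vma_close can run for the same device on different CPUs, the count is no better protected than the plain `++`/`--` it replaces. The declaration of `vma_count` and any locking around these VMA callbacks are outside this hunk, so this may be fine in practice. If the only intent is to keep the counter out of overflow checking, say so at the field, e.g. `/* local_t: bookkeeping only, not a refcount */`. If cross-CPU consistency matters, an `atomic_unchecked_t` updated the way `idev->event` is in this file would be the consistent choice.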
40364@@ -840,7 +841,7 @@ int __uio_register_device(struct module
40365 idev->owner = owner;
40366 idev->info = info;
40367 init_waitqueue_head(&idev->wait);
40368- atomic_set(&idev->event, 0);
40369+ atomic_set_unchecked(&idev->event, 0);
40370
40371 ret = uio_get_minor(idev);
40372 if (ret)
40373diff -urNp linux-2.6.32.48/drivers/usb/atm/usbatm.c linux-2.6.32.48/drivers/usb/atm/usbatm.c
40374--- linux-2.6.32.48/drivers/usb/atm/usbatm.c 2011-11-08 19:02:43.000000000 -0500
40375+++ linux-2.6.32.48/drivers/usb/atm/usbatm.c 2011-11-15 19:59:43.000000000 -0500
40376@@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
40377 if (printk_ratelimit())
40378 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
40379 __func__, vpi, vci);
40380- atomic_inc(&vcc->stats->rx_err);
40381+ atomic_inc_unchecked(&vcc->stats->rx_err);
40382 return;
40383 }
40384
40385@@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
40386 if (length > ATM_MAX_AAL5_PDU) {
40387 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
40388 __func__, length, vcc);
40389- atomic_inc(&vcc->stats->rx_err);
40390+ atomic_inc_unchecked(&vcc->stats->rx_err);
40391 goto out;
40392 }
40393
40394@@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
40395 if (sarb->len < pdu_length) {
40396 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
40397 __func__, pdu_length, sarb->len, vcc);
40398- atomic_inc(&vcc->stats->rx_err);
40399+ atomic_inc_unchecked(&vcc->stats->rx_err);
40400 goto out;
40401 }
40402
40403 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
40404 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
40405 __func__, vcc);
40406- atomic_inc(&vcc->stats->rx_err);
40407+ atomic_inc_unchecked(&vcc->stats->rx_err);
40408 goto out;
40409 }
40410
40411@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
40412 if (printk_ratelimit())
40413 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
40414 __func__, length);
40415- atomic_inc(&vcc->stats->rx_drop);
40416+ atomic_inc_unchecked(&vcc->stats->rx_drop);
40417 goto out;
40418 }
40419
40420@@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
40421
40422 vcc->push(vcc, skb);
40423
40424- atomic_inc(&vcc->stats->rx);
40425+ atomic_inc_unchecked(&vcc->stats->rx);
40426 out:
40427 skb_trim(sarb, 0);
40428 }
40429@@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
40430 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
40431
40432 usbatm_pop(vcc, skb);
40433- atomic_inc(&vcc->stats->tx);
40434+ atomic_inc_unchecked(&vcc->stats->tx);
40435
40436 skb = skb_dequeue(&instance->sndqueue);
40437 }
40438@@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
40439 if (!left--)
40440 return sprintf(page,
40441 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
40442- atomic_read(&atm_dev->stats.aal5.tx),
40443- atomic_read(&atm_dev->stats.aal5.tx_err),
40444- atomic_read(&atm_dev->stats.aal5.rx),
40445- atomic_read(&atm_dev->stats.aal5.rx_err),
40446- atomic_read(&atm_dev->stats.aal5.rx_drop));
40447+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
40448+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
40449+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
40450+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
40451+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
40452
40453 if (!left--) {
40454 if (instance->disconnected)
40455diff -urNp linux-2.6.32.48/drivers/usb/class/cdc-wdm.c linux-2.6.32.48/drivers/usb/class/cdc-wdm.c
40456--- linux-2.6.32.48/drivers/usb/class/cdc-wdm.c 2011-11-08 19:02:43.000000000 -0500
40457+++ linux-2.6.32.48/drivers/usb/class/cdc-wdm.c 2011-11-15 19:59:43.000000000 -0500
40458@@ -314,7 +314,7 @@ static ssize_t wdm_write
40459 if (r < 0)
40460 goto outnp;
40461
40462- if (!file->f_flags && O_NONBLOCK)
40463+ if (!(file->f_flags & O_NONBLOCK))
40464 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
40465 &desc->flags));
40466 else
40467diff -urNp linux-2.6.32.48/drivers/usb/core/hcd.c linux-2.6.32.48/drivers/usb/core/hcd.c
40468--- linux-2.6.32.48/drivers/usb/core/hcd.c 2011-11-08 19:02:43.000000000 -0500
40469+++ linux-2.6.32.48/drivers/usb/core/hcd.c 2011-11-15 19:59:43.000000000 -0500
40470@@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
40471
40472 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
40473
40474-struct usb_mon_operations *mon_ops;
40475+const struct usb_mon_operations *mon_ops;
40476
40477 /*
40478 * The registration is unlocked.
40479@@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
40480 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
40481 */
40482
40483-int usb_mon_register (struct usb_mon_operations *ops)
40484+int usb_mon_register (const struct usb_mon_operations *ops)
40485 {
40486
40487 if (mon_ops)
40488diff -urNp linux-2.6.32.48/drivers/usb/core/hcd.h linux-2.6.32.48/drivers/usb/core/hcd.h
40489--- linux-2.6.32.48/drivers/usb/core/hcd.h 2011-11-08 19:02:43.000000000 -0500
40490+++ linux-2.6.32.48/drivers/usb/core/hcd.h 2011-11-15 19:59:43.000000000 -0500
40491@@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
40492 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
40493
40494 struct usb_mon_operations {
40495- void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
40496- void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
40497- void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
40498+ void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
40499+ void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
40500+ void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
40501 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
40502 };
40503
40504-extern struct usb_mon_operations *mon_ops;
40505+extern const struct usb_mon_operations *mon_ops;
40506
40507 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
40508 {
40509@@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
40510 (*mon_ops->urb_complete)(bus, urb, status);
40511 }
40512
40513-int usb_mon_register(struct usb_mon_operations *ops);
40514+int usb_mon_register(const struct usb_mon_operations *ops);
40515 void usb_mon_deregister(void);
40516
40517 #else
40518diff -urNp linux-2.6.32.48/drivers/usb/core/message.c linux-2.6.32.48/drivers/usb/core/message.c
40519--- linux-2.6.32.48/drivers/usb/core/message.c 2011-11-08 19:02:43.000000000 -0500
40520+++ linux-2.6.32.48/drivers/usb/core/message.c 2011-11-15 19:59:43.000000000 -0500
40521@@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
40522 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
40523 if (buf) {
40524 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
40525- if (len > 0) {
40526- smallbuf = kmalloc(++len, GFP_NOIO);
40527+ if (len++ > 0) {
40528+ smallbuf = kmalloc(len, GFP_NOIO);
40529 if (!smallbuf)
40530 return buf;
40531 memcpy(smallbuf, buf, len);
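Review bot: `if (len++ > 0)` buries the increment in the condition, so `len` is now also bumped on the failure path and the reader has to notice that `kmalloc(len, GFP_NOIO)` and `memcpy(smallbuf, buf, len)` both rely on the length already including the terminator. Keeping the test and the adjustment apart reads more plainly and still keeps the side effect out of the allocator argument: `if (len > 0) {` followed by `len++; /* room for the trailing NUL */` and `smallbuf = kmalloc(len, GFP_NOIO);`. The copy stays inside `buf` only if usb_string() never returns more than `MAX_USB_STRING_SIZE - 1`, which cannot be confirmed from here. The rest of usb_cache_string lies outside the hunk.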
40532diff -urNp linux-2.6.32.48/drivers/usb/misc/appledisplay.c linux-2.6.32.48/drivers/usb/misc/appledisplay.c
40533--- linux-2.6.32.48/drivers/usb/misc/appledisplay.c 2011-11-08 19:02:43.000000000 -0500
40534+++ linux-2.6.32.48/drivers/usb/misc/appledisplay.c 2011-11-15 19:59:43.000000000 -0500
40535@@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
40536 return pdata->msgdata[1];
40537 }
40538
40539-static struct backlight_ops appledisplay_bl_data = {
40540+static const struct backlight_ops appledisplay_bl_data = {
40541 .get_brightness = appledisplay_bl_get_brightness,
40542 .update_status = appledisplay_bl_update_status,
40543 };
40544diff -urNp linux-2.6.32.48/drivers/usb/mon/mon_main.c linux-2.6.32.48/drivers/usb/mon/mon_main.c
40545--- linux-2.6.32.48/drivers/usb/mon/mon_main.c 2011-11-08 19:02:43.000000000 -0500
40546+++ linux-2.6.32.48/drivers/usb/mon/mon_main.c 2011-11-15 19:59:43.000000000 -0500
40547@@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
40548 /*
40549 * Ops
40550 */
40551-static struct usb_mon_operations mon_ops_0 = {
40552+static const struct usb_mon_operations mon_ops_0 = {
40553 .urb_submit = mon_submit,
40554 .urb_submit_error = mon_submit_error,
40555 .urb_complete = mon_complete,
40556diff -urNp linux-2.6.32.48/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.48/drivers/usb/wusbcore/wa-hc.h
40557--- linux-2.6.32.48/drivers/usb/wusbcore/wa-hc.h 2011-11-08 19:02:43.000000000 -0500
40558+++ linux-2.6.32.48/drivers/usb/wusbcore/wa-hc.h 2011-11-15 19:59:43.000000000 -0500
40559@@ -192,7 +192,7 @@ struct wahc {
40560 struct list_head xfer_delayed_list;
40561 spinlock_t xfer_list_lock;
40562 struct work_struct xfer_work;
40563- atomic_t xfer_id_count;
40564+ atomic_unchecked_t xfer_id_count;
40565 };
40566
40567
40568@@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
40569 INIT_LIST_HEAD(&wa->xfer_delayed_list);
40570 spin_lock_init(&wa->xfer_list_lock);
40571 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
40572- atomic_set(&wa->xfer_id_count, 1);
40573+ atomic_set_unchecked(&wa->xfer_id_count, 1);
40574 }
40575
40576 /**
40577diff -urNp linux-2.6.32.48/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.48/drivers/usb/wusbcore/wa-xfer.c
40578--- linux-2.6.32.48/drivers/usb/wusbcore/wa-xfer.c 2011-11-08 19:02:43.000000000 -0500
40579+++ linux-2.6.32.48/drivers/usb/wusbcore/wa-xfer.c 2011-11-15 19:59:43.000000000 -0500
40580@@ -293,7 +293,7 @@ out:
40581 */
40582 static void wa_xfer_id_init(struct wa_xfer *xfer)
40583 {
40584- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
40585+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
40586 }
40587
40588 /*
40589diff -urNp linux-2.6.32.48/drivers/uwb/wlp/messages.c linux-2.6.32.48/drivers/uwb/wlp/messages.c
40590--- linux-2.6.32.48/drivers/uwb/wlp/messages.c 2011-11-08 19:02:43.000000000 -0500
40591+++ linux-2.6.32.48/drivers/uwb/wlp/messages.c 2011-11-15 19:59:43.000000000 -0500
40592@@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
40593 size_t len = skb->len;
40594 size_t used;
40595 ssize_t result;
40596- struct wlp_nonce enonce, rnonce;
40597+ struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
40598 enum wlp_assc_error assc_err;
40599 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
40600 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
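Review bot: The zero-initialisation of `enonce` and `rnonce` has no comment saying what it guards against, and `{{0}}` only compiles without a brace warning if the first member of `struct wlp_nonce` is itself an aggregate, which is not visible here. Presumably the nonces can be read before the parser has filled them. A short comment such as `/* may be read on an error path before parsing fills them */` would keep the initialisers from being removed later as redundant. wlp_parse_f0 continues outside the hunk, so whether `enonce_buf` and `rnonce_buf` need the same treatment cannot be judged from these lines.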
40601diff -urNp linux-2.6.32.48/drivers/uwb/wlp/sysfs.c linux-2.6.32.48/drivers/uwb/wlp/sysfs.c
40602--- linux-2.6.32.48/drivers/uwb/wlp/sysfs.c 2011-11-08 19:02:43.000000000 -0500
40603+++ linux-2.6.32.48/drivers/uwb/wlp/sysfs.c 2011-11-15 19:59:43.000000000 -0500
40604@@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
40605 return ret;
40606 }
40607
40608-static
40609-struct sysfs_ops wss_sysfs_ops = {
40610+static const struct sysfs_ops wss_sysfs_ops = {
40611 .show = wlp_wss_attr_show,
40612 .store = wlp_wss_attr_store,
40613 };
40614diff -urNp linux-2.6.32.48/drivers/video/atmel_lcdfb.c linux-2.6.32.48/drivers/video/atmel_lcdfb.c
40615--- linux-2.6.32.48/drivers/video/atmel_lcdfb.c 2011-11-08 19:02:43.000000000 -0500
40616+++ linux-2.6.32.48/drivers/video/atmel_lcdfb.c 2011-11-15 19:59:43.000000000 -0500
40617@@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
40618 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
40619 }
40620
40621-static struct backlight_ops atmel_lcdc_bl_ops = {
40622+static const struct backlight_ops atmel_lcdc_bl_ops = {
40623 .update_status = atmel_bl_update_status,
40624 .get_brightness = atmel_bl_get_brightness,
40625 };
40626diff -urNp linux-2.6.32.48/drivers/video/aty/aty128fb.c linux-2.6.32.48/drivers/video/aty/aty128fb.c
40627--- linux-2.6.32.48/drivers/video/aty/aty128fb.c 2011-11-08 19:02:43.000000000 -0500
40628+++ linux-2.6.32.48/drivers/video/aty/aty128fb.c 2011-11-18 18:01:55.000000000 -0500
40629@@ -149,7 +149,7 @@ enum {
40630 };
40631
40632 /* Must match above enum */
40633-static const char *r128_family[] __devinitdata = {
40634+static const char *r128_family[] __devinitconst = {
40635 "AGP",
40636 "PCI",
40637 "PRO AGP",
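Review bot: `r128_family` is declared `static const char *r128_family[]`, an array of writable pointers to const strings, so the array object itself is not const even though it is now placed in the read-only `__devinitconst` section. Mixing a non-const object into that section can produce a section type conflict at build time on some toolchains, and the declaration says less than the section placement implies. Declaring it `static const char * const r128_family[] __devinitconst = {` makes the two agree. The `i810_pci_list` hunk in drivers/video/i810/i810_main.c has the same shape and wants the same `* const`.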
40638@@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
40639 return bd->props.brightness;
40640 }
40641
40642-static struct backlight_ops aty128_bl_data = {
40643+static const struct backlight_ops aty128_bl_data = {
40644 .get_brightness = aty128_bl_get_brightness,
40645 .update_status = aty128_bl_update_status,
40646 };
40647diff -urNp linux-2.6.32.48/drivers/video/aty/atyfb_base.c linux-2.6.32.48/drivers/video/aty/atyfb_base.c
40648--- linux-2.6.32.48/drivers/video/aty/atyfb_base.c 2011-11-08 19:02:43.000000000 -0500
40649+++ linux-2.6.32.48/drivers/video/aty/atyfb_base.c 2011-11-15 19:59:43.000000000 -0500
40650@@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
40651 return bd->props.brightness;
40652 }
40653
40654-static struct backlight_ops aty_bl_data = {
40655+static const struct backlight_ops aty_bl_data = {
40656 .get_brightness = aty_bl_get_brightness,
40657 .update_status = aty_bl_update_status,
40658 };
40659diff -urNp linux-2.6.32.48/drivers/video/aty/radeon_backlight.c linux-2.6.32.48/drivers/video/aty/radeon_backlight.c
40660--- linux-2.6.32.48/drivers/video/aty/radeon_backlight.c 2011-11-08 19:02:43.000000000 -0500
40661+++ linux-2.6.32.48/drivers/video/aty/radeon_backlight.c 2011-11-15 19:59:43.000000000 -0500
40662@@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
40663 return bd->props.brightness;
40664 }
40665
40666-static struct backlight_ops radeon_bl_data = {
40667+static const struct backlight_ops radeon_bl_data = {
40668 .get_brightness = radeon_bl_get_brightness,
40669 .update_status = radeon_bl_update_status,
40670 };
40671diff -urNp linux-2.6.32.48/drivers/video/backlight/adp5520_bl.c linux-2.6.32.48/drivers/video/backlight/adp5520_bl.c
40672--- linux-2.6.32.48/drivers/video/backlight/adp5520_bl.c 2011-11-08 19:02:43.000000000 -0500
40673+++ linux-2.6.32.48/drivers/video/backlight/adp5520_bl.c 2011-11-15 19:59:43.000000000 -0500
40674@@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
40675 return error ? data->current_brightness : reg_val;
40676 }
40677
40678-static struct backlight_ops adp5520_bl_ops = {
40679+static const struct backlight_ops adp5520_bl_ops = {
40680 .update_status = adp5520_bl_update_status,
40681 .get_brightness = adp5520_bl_get_brightness,
40682 };
40683diff -urNp linux-2.6.32.48/drivers/video/backlight/adx_bl.c linux-2.6.32.48/drivers/video/backlight/adx_bl.c
40684--- linux-2.6.32.48/drivers/video/backlight/adx_bl.c 2011-11-08 19:02:43.000000000 -0500
40685+++ linux-2.6.32.48/drivers/video/backlight/adx_bl.c 2011-11-15 19:59:43.000000000 -0500
40686@@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
40687 return 1;
40688 }
40689
40690-static struct backlight_ops adx_backlight_ops = {
40691+static const struct backlight_ops adx_backlight_ops = {
40692 .options = 0,
40693 .update_status = adx_backlight_update_status,
40694 .get_brightness = adx_backlight_get_brightness,
40695diff -urNp linux-2.6.32.48/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.48/drivers/video/backlight/atmel-pwm-bl.c
40696--- linux-2.6.32.48/drivers/video/backlight/atmel-pwm-bl.c 2011-11-08 19:02:43.000000000 -0500
40697+++ linux-2.6.32.48/drivers/video/backlight/atmel-pwm-bl.c 2011-11-15 19:59:43.000000000 -0500
40698@@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
40699 return pwm_channel_enable(&pwmbl->pwmc);
40700 }
40701
40702-static struct backlight_ops atmel_pwm_bl_ops = {
40703+static const struct backlight_ops atmel_pwm_bl_ops = {
40704 .get_brightness = atmel_pwm_bl_get_intensity,
40705 .update_status = atmel_pwm_bl_set_intensity,
40706 };
40707diff -urNp linux-2.6.32.48/drivers/video/backlight/backlight.c linux-2.6.32.48/drivers/video/backlight/backlight.c
40708--- linux-2.6.32.48/drivers/video/backlight/backlight.c 2011-11-08 19:02:43.000000000 -0500
40709+++ linux-2.6.32.48/drivers/video/backlight/backlight.c 2011-11-15 19:59:43.000000000 -0500
40710@@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
40711 * ERR_PTR() or a pointer to the newly allocated device.
40712 */
40713 struct backlight_device *backlight_device_register(const char *name,
40714- struct device *parent, void *devdata, struct backlight_ops *ops)
40715+ struct device *parent, void *devdata, const struct backlight_ops *ops)
40716 {
40717 struct backlight_device *new_bd;
40718 int rc;
40719diff -urNp linux-2.6.32.48/drivers/video/backlight/corgi_lcd.c linux-2.6.32.48/drivers/video/backlight/corgi_lcd.c
40720--- linux-2.6.32.48/drivers/video/backlight/corgi_lcd.c 2011-11-08 19:02:43.000000000 -0500
40721+++ linux-2.6.32.48/drivers/video/backlight/corgi_lcd.c 2011-11-15 19:59:43.000000000 -0500
40722@@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
40723 }
40724 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
40725
40726-static struct backlight_ops corgi_bl_ops = {
40727+static const struct backlight_ops corgi_bl_ops = {
40728 .get_brightness = corgi_bl_get_intensity,
40729 .update_status = corgi_bl_update_status,
40730 };
40731diff -urNp linux-2.6.32.48/drivers/video/backlight/cr_bllcd.c linux-2.6.32.48/drivers/video/backlight/cr_bllcd.c
40732--- linux-2.6.32.48/drivers/video/backlight/cr_bllcd.c 2011-11-08 19:02:43.000000000 -0500
40733+++ linux-2.6.32.48/drivers/video/backlight/cr_bllcd.c 2011-11-15 19:59:43.000000000 -0500
40734@@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
40735 return intensity;
40736 }
40737
40738-static struct backlight_ops cr_backlight_ops = {
40739+static const struct backlight_ops cr_backlight_ops = {
40740 .get_brightness = cr_backlight_get_intensity,
40741 .update_status = cr_backlight_set_intensity,
40742 };
40743diff -urNp linux-2.6.32.48/drivers/video/backlight/da903x_bl.c linux-2.6.32.48/drivers/video/backlight/da903x_bl.c
40744--- linux-2.6.32.48/drivers/video/backlight/da903x_bl.c 2011-11-08 19:02:43.000000000 -0500
40745+++ linux-2.6.32.48/drivers/video/backlight/da903x_bl.c 2011-11-15 19:59:43.000000000 -0500
40746@@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
40747 return data->current_brightness;
40748 }
40749
40750-static struct backlight_ops da903x_backlight_ops = {
40751+static const struct backlight_ops da903x_backlight_ops = {
40752 .update_status = da903x_backlight_update_status,
40753 .get_brightness = da903x_backlight_get_brightness,
40754 };
40755diff -urNp linux-2.6.32.48/drivers/video/backlight/generic_bl.c linux-2.6.32.48/drivers/video/backlight/generic_bl.c
40756--- linux-2.6.32.48/drivers/video/backlight/generic_bl.c 2011-11-08 19:02:43.000000000 -0500
40757+++ linux-2.6.32.48/drivers/video/backlight/generic_bl.c 2011-11-15 19:59:43.000000000 -0500
40758@@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
40759 }
40760 EXPORT_SYMBOL(corgibl_limit_intensity);
40761
40762-static struct backlight_ops genericbl_ops = {
40763+static const struct backlight_ops genericbl_ops = {
40764 .options = BL_CORE_SUSPENDRESUME,
40765 .get_brightness = genericbl_get_intensity,
40766 .update_status = genericbl_send_intensity,
40767diff -urNp linux-2.6.32.48/drivers/video/backlight/hp680_bl.c linux-2.6.32.48/drivers/video/backlight/hp680_bl.c
40768--- linux-2.6.32.48/drivers/video/backlight/hp680_bl.c 2011-11-08 19:02:43.000000000 -0500
40769+++ linux-2.6.32.48/drivers/video/backlight/hp680_bl.c 2011-11-15 19:59:43.000000000 -0500
40770@@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
40771 return current_intensity;
40772 }
40773
40774-static struct backlight_ops hp680bl_ops = {
40775+static const struct backlight_ops hp680bl_ops = {
40776 .get_brightness = hp680bl_get_intensity,
40777 .update_status = hp680bl_set_intensity,
40778 };
40779diff -urNp linux-2.6.32.48/drivers/video/backlight/jornada720_bl.c linux-2.6.32.48/drivers/video/backlight/jornada720_bl.c
40780--- linux-2.6.32.48/drivers/video/backlight/jornada720_bl.c 2011-11-08 19:02:43.000000000 -0500
40781+++ linux-2.6.32.48/drivers/video/backlight/jornada720_bl.c 2011-11-15 19:59:43.000000000 -0500
40782@@ -93,7 +93,7 @@ out:
40783 return ret;
40784 }
40785
40786-static struct backlight_ops jornada_bl_ops = {
40787+static const struct backlight_ops jornada_bl_ops = {
40788 .get_brightness = jornada_bl_get_brightness,
40789 .update_status = jornada_bl_update_status,
40790 .options = BL_CORE_SUSPENDRESUME,
40791diff -urNp linux-2.6.32.48/drivers/video/backlight/kb3886_bl.c linux-2.6.32.48/drivers/video/backlight/kb3886_bl.c
40792--- linux-2.6.32.48/drivers/video/backlight/kb3886_bl.c 2011-11-08 19:02:43.000000000 -0500
40793+++ linux-2.6.32.48/drivers/video/backlight/kb3886_bl.c 2011-11-15 19:59:43.000000000 -0500
40794@@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
40795 return kb3886bl_intensity;
40796 }
40797
40798-static struct backlight_ops kb3886bl_ops = {
40799+static const struct backlight_ops kb3886bl_ops = {
40800 .get_brightness = kb3886bl_get_intensity,
40801 .update_status = kb3886bl_send_intensity,
40802 };
40803diff -urNp linux-2.6.32.48/drivers/video/backlight/locomolcd.c linux-2.6.32.48/drivers/video/backlight/locomolcd.c
40804--- linux-2.6.32.48/drivers/video/backlight/locomolcd.c 2011-11-08 19:02:43.000000000 -0500
40805+++ linux-2.6.32.48/drivers/video/backlight/locomolcd.c 2011-11-15 19:59:43.000000000 -0500
40806@@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
40807 return current_intensity;
40808 }
40809
40810-static struct backlight_ops locomobl_data = {
40811+static const struct backlight_ops locomobl_data = {
40812 .get_brightness = locomolcd_get_intensity,
40813 .update_status = locomolcd_set_intensity,
40814 };
40815diff -urNp linux-2.6.32.48/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.48/drivers/video/backlight/mbp_nvidia_bl.c
40816--- linux-2.6.32.48/drivers/video/backlight/mbp_nvidia_bl.c 2011-11-08 19:02:43.000000000 -0500
40817+++ linux-2.6.32.48/drivers/video/backlight/mbp_nvidia_bl.c 2011-11-15 19:59:43.000000000 -0500
40818@@ -33,7 +33,7 @@ struct dmi_match_data {
40819 unsigned long iostart;
40820 unsigned long iolen;
40821 /* Backlight operations structure. */
40822- struct backlight_ops backlight_ops;
40823+ const struct backlight_ops backlight_ops;
40824 };
40825
40826 /* Module parameters. */
40827diff -urNp linux-2.6.32.48/drivers/video/backlight/omap1_bl.c linux-2.6.32.48/drivers/video/backlight/omap1_bl.c
40828--- linux-2.6.32.48/drivers/video/backlight/omap1_bl.c 2011-11-08 19:02:43.000000000 -0500
40829+++ linux-2.6.32.48/drivers/video/backlight/omap1_bl.c 2011-11-15 19:59:43.000000000 -0500
40830@@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
40831 return bl->current_intensity;
40832 }
40833
40834-static struct backlight_ops omapbl_ops = {
40835+static const struct backlight_ops omapbl_ops = {
40836 .get_brightness = omapbl_get_intensity,
40837 .update_status = omapbl_update_status,
40838 };
40839diff -urNp linux-2.6.32.48/drivers/video/backlight/progear_bl.c linux-2.6.32.48/drivers/video/backlight/progear_bl.c
40840--- linux-2.6.32.48/drivers/video/backlight/progear_bl.c 2011-11-08 19:02:43.000000000 -0500
40841+++ linux-2.6.32.48/drivers/video/backlight/progear_bl.c 2011-11-15 19:59:43.000000000 -0500
40842@@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
40843 return intensity - HW_LEVEL_MIN;
40844 }
40845
40846-static struct backlight_ops progearbl_ops = {
40847+static const struct backlight_ops progearbl_ops = {
40848 .get_brightness = progearbl_get_intensity,
40849 .update_status = progearbl_set_intensity,
40850 };
40851diff -urNp linux-2.6.32.48/drivers/video/backlight/pwm_bl.c linux-2.6.32.48/drivers/video/backlight/pwm_bl.c
40852--- linux-2.6.32.48/drivers/video/backlight/pwm_bl.c 2011-11-08 19:02:43.000000000 -0500
40853+++ linux-2.6.32.48/drivers/video/backlight/pwm_bl.c 2011-11-15 19:59:43.000000000 -0500
40854@@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
40855 return bl->props.brightness;
40856 }
40857
40858-static struct backlight_ops pwm_backlight_ops = {
40859+static const struct backlight_ops pwm_backlight_ops = {
40860 .update_status = pwm_backlight_update_status,
40861 .get_brightness = pwm_backlight_get_brightness,
40862 };
40863diff -urNp linux-2.6.32.48/drivers/video/backlight/tosa_bl.c linux-2.6.32.48/drivers/video/backlight/tosa_bl.c
40864--- linux-2.6.32.48/drivers/video/backlight/tosa_bl.c 2011-11-08 19:02:43.000000000 -0500
40865+++ linux-2.6.32.48/drivers/video/backlight/tosa_bl.c 2011-11-15 19:59:43.000000000 -0500
40866@@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
40867 return props->brightness;
40868 }
40869
40870-static struct backlight_ops bl_ops = {
40871+static const struct backlight_ops bl_ops = {
40872 .get_brightness = tosa_bl_get_brightness,
40873 .update_status = tosa_bl_update_status,
40874 };
40875diff -urNp linux-2.6.32.48/drivers/video/backlight/wm831x_bl.c linux-2.6.32.48/drivers/video/backlight/wm831x_bl.c
40876--- linux-2.6.32.48/drivers/video/backlight/wm831x_bl.c 2011-11-08 19:02:43.000000000 -0500
40877+++ linux-2.6.32.48/drivers/video/backlight/wm831x_bl.c 2011-11-15 19:59:43.000000000 -0500
40878@@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
40879 return data->current_brightness;
40880 }
40881
40882-static struct backlight_ops wm831x_backlight_ops = {
40883+static const struct backlight_ops wm831x_backlight_ops = {
40884 .options = BL_CORE_SUSPENDRESUME,
40885 .update_status = wm831x_backlight_update_status,
40886 .get_brightness = wm831x_backlight_get_brightness,
40887diff -urNp linux-2.6.32.48/drivers/video/bf54x-lq043fb.c linux-2.6.32.48/drivers/video/bf54x-lq043fb.c
40888--- linux-2.6.32.48/drivers/video/bf54x-lq043fb.c 2011-11-08 19:02:43.000000000 -0500
40889+++ linux-2.6.32.48/drivers/video/bf54x-lq043fb.c 2011-11-15 19:59:43.000000000 -0500
40890@@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
40891 return 0;
40892 }
40893
40894-static struct backlight_ops bfin_lq043fb_bl_ops = {
40895+static const struct backlight_ops bfin_lq043fb_bl_ops = {
40896 .get_brightness = bl_get_brightness,
40897 };
40898
40899diff -urNp linux-2.6.32.48/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.48/drivers/video/bfin-t350mcqb-fb.c
40900--- linux-2.6.32.48/drivers/video/bfin-t350mcqb-fb.c 2011-11-08 19:02:43.000000000 -0500
40901+++ linux-2.6.32.48/drivers/video/bfin-t350mcqb-fb.c 2011-11-15 19:59:43.000000000 -0500
40902@@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
40903 return 0;
40904 }
40905
40906-static struct backlight_ops bfin_lq043fb_bl_ops = {
40907+static const struct backlight_ops bfin_lq043fb_bl_ops = {
40908 .get_brightness = bl_get_brightness,
40909 };
40910
40911diff -urNp linux-2.6.32.48/drivers/video/fbcmap.c linux-2.6.32.48/drivers/video/fbcmap.c
40912--- linux-2.6.32.48/drivers/video/fbcmap.c 2011-11-08 19:02:43.000000000 -0500
40913+++ linux-2.6.32.48/drivers/video/fbcmap.c 2011-11-15 19:59:43.000000000 -0500
40914@@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
40915 rc = -ENODEV;
40916 goto out;
40917 }
40918- if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
40919- !info->fbops->fb_setcmap)) {
40920+ if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
40921 rc = -EINVAL;
40922 goto out1;
40923 }
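Review bot: With the `cmap->start < 0` test gone, nothing in this hunk constrains the user-supplied `cmap->start` or `cmap->len` before they are used further down in fb_set_user_cmap, whose body continues outside the hunk. The dropped comparison was presumably always false for an unsigned field, so removing it should change nothing at run time, but it was the only visible hint that the range is validated at all. If the bounds are enforced later, a comment next to the remaining check would record that, e.g. `/* start/len are range-checked by the callee */`, once that has been confirmed against the code outside the hunk.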
40924diff -urNp linux-2.6.32.48/drivers/video/fbmem.c linux-2.6.32.48/drivers/video/fbmem.c
40925--- linux-2.6.32.48/drivers/video/fbmem.c 2011-11-08 19:02:43.000000000 -0500
40926+++ linux-2.6.32.48/drivers/video/fbmem.c 2011-11-15 19:59:43.000000000 -0500
40927@@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
40928 image->dx += image->width + 8;
40929 }
40930 } else if (rotate == FB_ROTATE_UD) {
40931- for (x = 0; x < num && image->dx >= 0; x++) {
40932+ for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
40933 info->fbops->fb_imageblit(info, image);
40934 image->dx -= image->width + 8;
40935 }
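Review bot: The `(__s32)image->dx >= 0` test ends the loop only by reinterpreting an unsigned value as negative after `image->dx -= image->width + 8` has already wrapped, which is easy to misread as an ordinary sign check. Testing before the subtraction states the intent directly, for example `if (image->dx < image->width + 8) break;` ahead of the decrement. At minimum the cast deserves a comment: `/* dx is unsigned; a wrap below zero shows up as negative here */`. The FB_ROTATE_CCW hunk that follows does the same with `image->dy` and `image->height`. fb_do_show_logo starts and ends outside both hunks.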
40936@@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
40937 image->dy += image->height + 8;
40938 }
40939 } else if (rotate == FB_ROTATE_CCW) {
40940- for (x = 0; x < num && image->dy >= 0; x++) {
40941+ for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
40942 info->fbops->fb_imageblit(info, image);
40943 image->dy -= image->height + 8;
40944 }
40945@@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
40946 int flags = info->flags;
40947 int ret = 0;
40948
40949+ pax_track_stack();
40950+
40951 if (var->activate & FB_ACTIVATE_INV_MODE) {
40952 struct fb_videomode mode1, mode2;
40953
40954@@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
40955 void __user *argp = (void __user *)arg;
40956 long ret = 0;
40957
40958+ pax_track_stack();
40959+
40960 switch (cmd) {
40961 case FBIOGET_VSCREENINFO:
40962 if (!lock_fb_info(info))
40963@@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
40964 return -EFAULT;
40965 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
40966 return -EINVAL;
40967- if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
40968+ if (con2fb.framebuffer >= FB_MAX)
40969 return -EINVAL;
40970 if (!registered_fb[con2fb.framebuffer])
40971 request_module("fb%d", con2fb.framebuffer);
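Review bot: `request_module("fb%d", con2fb.framebuffer)` still formats the index with `%d`, although dropping the `< 0` test implies the field is unsigned. The value is bounded by `FB_MAX` on the line above, so the resulting module name is unchanged, but `request_module("fb%u", con2fb.framebuffer);` would keep the format and the type in agreement and avoid a format warning. The declaration of `con2fb` is outside the hunk, so confirm the field type before changing the specifier.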
40972diff -urNp linux-2.6.32.48/drivers/video/geode/gx1fb_core.c linux-2.6.32.48/drivers/video/geode/gx1fb_core.c
40973--- linux-2.6.32.48/drivers/video/geode/gx1fb_core.c 2011-11-08 19:02:43.000000000 -0500
40974+++ linux-2.6.32.48/drivers/video/geode/gx1fb_core.c 2011-11-18 18:01:55.000000000 -0500
40975@@ -30,7 +30,7 @@ static int crt_option = 1;
40976 static char panel_option[32] = "";
40977
40978 /* Modes relevant to the GX1 (taken from modedb.c) */
40979-static const struct fb_videomode __initdata gx1_modedb[] = {
40980+static const struct fb_videomode __initconst gx1_modedb[] = {
40981 /* 640x480-60 VESA */
40982 { NULL, 60, 640, 480, 39682, 48, 16, 33, 10, 96, 2,
40983 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_VESA },
40984diff -urNp linux-2.6.32.48/drivers/video/gxt4500.c linux-2.6.32.48/drivers/video/gxt4500.c
40985--- linux-2.6.32.48/drivers/video/gxt4500.c 2011-11-08 19:02:43.000000000 -0500
40986+++ linux-2.6.32.48/drivers/video/gxt4500.c 2011-11-18 18:01:55.000000000 -0500
40987@@ -156,7 +156,7 @@ struct gxt4500_par {
40988 static char *mode_option;
40989
40990 /* default mode: 1280x1024 @ 60 Hz, 8 bpp */
40991-static const struct fb_videomode defaultmode __devinitdata = {
40992+static const struct fb_videomode defaultmode __devinitconst = {
40993 .refresh = 60,
40994 .xres = 1280,
40995 .yres = 1024,
40996@@ -581,7 +581,7 @@ static int gxt4500_blank(int blank, stru
40997 return 0;
40998 }
40999
41000-static const struct fb_fix_screeninfo gxt4500_fix __devinitdata = {
41001+static const struct fb_fix_screeninfo gxt4500_fix __devinitconst = {
41002 .id = "IBM GXT4500P",
41003 .type = FB_TYPE_PACKED_PIXELS,
41004 .visual = FB_VISUAL_PSEUDOCOLOR,
41005diff -urNp linux-2.6.32.48/drivers/video/i810/i810_accel.c linux-2.6.32.48/drivers/video/i810/i810_accel.c
41006--- linux-2.6.32.48/drivers/video/i810/i810_accel.c 2011-11-08 19:02:43.000000000 -0500
41007+++ linux-2.6.32.48/drivers/video/i810/i810_accel.c 2011-11-15 19:59:43.000000000 -0500
41008@@ -73,6 +73,7 @@ static inline int wait_for_space(struct
41009 }
41010 }
41011 printk("ringbuffer lockup!!!\n");
41012+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
41013 i810_report_error(mmio);
41014 par->dev_flags |= LOCKUP;
41015 info->pixmap.scan_align = 1;
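Review bot: The added `printk` in `wait_for_space` has no log level and no driver prefix, so the ring-state dump is emitted at the default level and is hard to attribute in dmesg. I would write `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The neighbouring "ringbuffer lockup!!!" line has the same gap. The declarations of `head`, `tail` and `space` are outside this hunk, so it should be confirmed that each is an unsigned int to match `%u`. If the lockup path can be hit repeatedly, guarding both messages with `if (printk_ratelimit())` would keep a wedged device from flooding the kernel log.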
41016diff -urNp linux-2.6.32.48/drivers/video/i810/i810_main.c linux-2.6.32.48/drivers/video/i810/i810_main.c
41017--- linux-2.6.32.48/drivers/video/i810/i810_main.c 2011-11-08 19:02:43.000000000 -0500
41018+++ linux-2.6.32.48/drivers/video/i810/i810_main.c 2011-11-18 18:01:55.000000000 -0500
41019@@ -97,7 +97,7 @@ static int i810fb_blank (int blank_
41020 static void i810fb_release_resource (struct fb_info *info, struct i810fb_par *par);
41021
41022 /* PCI */
41023-static const char *i810_pci_list[] __devinitdata = {
41024+static const char *i810_pci_list[] __devinitconst = {
41025 "Intel(R) 810 Framebuffer Device" ,
41026 "Intel(R) 810-DC100 Framebuffer Device" ,
41027 "Intel(R) 810E Framebuffer Device" ,
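Review bot: `i810_pci_list` on the added line is still declared as `const char *[]`, so only the strings are const while the array of pointers is a writable object, yet `__devinitconst` places it in a read-only init-data section. GCC can report a section type conflict when a non-const object shares that section with genuinely const ones in the same file; whether this file has other `__devinitconst` objects is not visible from the hunk. Declaring it as `static const char * const i810_pci_list[] __devinitconst = {` makes the object's type match the section, provided nothing outside the hunk writes to the array. The initializer continues past the end of the hunk.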
41028diff -urNp linux-2.6.32.48/drivers/video/logo/logo_linux_clut224.ppm linux-2.6.32.48/drivers/video/logo/logo_linux_clut224.ppm
41029--- linux-2.6.32.48/drivers/video/logo/logo_linux_clut224.ppm 2011-11-08 19:02:43.000000000 -0500
41030+++ linux-2.6.32.48/drivers/video/logo/logo_linux_clut224.ppm 2011-11-15 19:59:43.000000000 -0500
41031@@ -1,1604 +1,1123 @@
41032 P3
41033-# Standard 224-color Linux logo
41034 80 80
41035 255
41036- 0 0 0 0 0 0 0 0 0 0 0 0
41037- 0 0 0 0 0 0 0 0 0 0 0 0
41038- 0 0 0 0 0 0 0 0 0 0 0 0
41039- 0 0 0 0 0 0 0 0 0 0 0 0
41040- 0 0 0 0 0 0 0 0 0 0 0 0
41041- 0 0 0 0 0 0 0 0 0 0 0 0
41042- 0 0 0 0 0 0 0 0 0 0 0 0
41043- 0 0 0 0 0 0 0 0 0 0 0 0
41044- 0 0 0 0 0 0 0 0 0 0 0 0
41045- 6 6 6 6 6 6 10 10 10 10 10 10
41046- 10 10 10 6 6 6 6 6 6 6 6 6
41047- 0 0 0 0 0 0 0 0 0 0 0 0
41048- 0 0 0 0 0 0 0 0 0 0 0 0
41049- 0 0 0 0 0 0 0 0 0 0 0 0
41050- 0 0 0 0 0 0 0 0 0 0 0 0
41051- 0 0 0 0 0 0 0 0 0 0 0 0
41052- 0 0 0 0 0 0 0 0 0 0 0 0
41053- 0 0 0 0 0 0 0 0 0 0 0 0
41054- 0 0 0 0 0 0 0 0 0 0 0 0
41055- 0 0 0 0 0 0 0 0 0 0 0 0
41056- 0 0 0 0 0 0 0 0 0 0 0 0
41057- 0 0 0 0 0 0 0 0 0 0 0 0
41058- 0 0 0 0 0 0 0 0 0 0 0 0
41059- 0 0 0 0 0 0 0 0 0 0 0 0
41060- 0 0 0 0 0 0 0 0 0 0 0 0
41061- 0 0 0 0 0 0 0 0 0 0 0 0
41062- 0 0 0 0 0 0 0 0 0 0 0 0
41063- 0 0 0 0 0 0 0 0 0 0 0 0
41064- 0 0 0 6 6 6 10 10 10 14 14 14
41065- 22 22 22 26 26 26 30 30 30 34 34 34
41066- 30 30 30 30 30 30 26 26 26 18 18 18
41067- 14 14 14 10 10 10 6 6 6 0 0 0
41068- 0 0 0 0 0 0 0 0 0 0 0 0
41069- 0 0 0 0 0 0 0 0 0 0 0 0
41070- 0 0 0 0 0 0 0 0 0 0 0 0
41071- 0 0 0 0 0 0 0 0 0 0 0 0
41072- 0 0 0 0 0 0 0 0 0 0 0 0
41073- 0 0 0 0 0 0 0 0 0 0 0 0
41074- 0 0 0 0 0 0 0 0 0 0 0 0
41075- 0 0 0 0 0 0 0 0 0 0 0 0
41076- 0 0 0 0 0 0 0 0 0 0 0 0
41077- 0 0 0 0 0 1 0 0 1 0 0 0
41078- 0 0 0 0 0 0 0 0 0 0 0 0
41079- 0 0 0 0 0 0 0 0 0 0 0 0
41080- 0 0 0 0 0 0 0 0 0 0 0 0
41081- 0 0 0 0 0 0 0 0 0 0 0 0
41082- 0 0 0 0 0 0 0 0 0 0 0 0
41083- 0 0 0 0 0 0 0 0 0 0 0 0
41084- 6 6 6 14 14 14 26 26 26 42 42 42
41085- 54 54 54 66 66 66 78 78 78 78 78 78
41086- 78 78 78 74 74 74 66 66 66 54 54 54
41087- 42 42 42 26 26 26 18 18 18 10 10 10
41088- 6 6 6 0 0 0 0 0 0 0 0 0
41089- 0 0 0 0 0 0 0 0 0 0 0 0
41090- 0 0 0 0 0 0 0 0 0 0 0 0
41091- 0 0 0 0 0 0 0 0 0 0 0 0
41092- 0 0 0 0 0 0 0 0 0 0 0 0
41093- 0 0 0 0 0 0 0 0 0 0 0 0
41094- 0 0 0 0 0 0 0 0 0 0 0 0
41095- 0 0 0 0 0 0 0 0 0 0 0 0
41096- 0 0 0 0 0 0 0 0 0 0 0 0
41097- 0 0 1 0 0 0 0 0 0 0 0 0
41098- 0 0 0 0 0 0 0 0 0 0 0 0
41099- 0 0 0 0 0 0 0 0 0 0 0 0
41100- 0 0 0 0 0 0 0 0 0 0 0 0
41101- 0 0 0 0 0 0 0 0 0 0 0 0
41102- 0 0 0 0 0 0 0 0 0 0 0 0
41103- 0 0 0 0 0 0 0 0 0 10 10 10
41104- 22 22 22 42 42 42 66 66 66 86 86 86
41105- 66 66 66 38 38 38 38 38 38 22 22 22
41106- 26 26 26 34 34 34 54 54 54 66 66 66
41107- 86 86 86 70 70 70 46 46 46 26 26 26
41108- 14 14 14 6 6 6 0 0 0 0 0 0
41109- 0 0 0 0 0 0 0 0 0 0 0 0
41110- 0 0 0 0 0 0 0 0 0 0 0 0
41111- 0 0 0 0 0 0 0 0 0 0 0 0
41112- 0 0 0 0 0 0 0 0 0 0 0 0
41113- 0 0 0 0 0 0 0 0 0 0 0 0
41114- 0 0 0 0 0 0 0 0 0 0 0 0
41115- 0 0 0 0 0 0 0 0 0 0 0 0
41116- 0 0 0 0 0 0 0 0 0 0 0 0
41117- 0 0 1 0 0 1 0 0 1 0 0 0
41118- 0 0 0 0 0 0 0 0 0 0 0 0
41119- 0 0 0 0 0 0 0 0 0 0 0 0
41120- 0 0 0 0 0 0 0 0 0 0 0 0
41121- 0 0 0 0 0 0 0 0 0 0 0 0
41122- 0 0 0 0 0 0 0 0 0 0 0 0
41123- 0 0 0 0 0 0 10 10 10 26 26 26
41124- 50 50 50 82 82 82 58 58 58 6 6 6
41125- 2 2 6 2 2 6 2 2 6 2 2 6
41126- 2 2 6 2 2 6 2 2 6 2 2 6
41127- 6 6 6 54 54 54 86 86 86 66 66 66
41128- 38 38 38 18 18 18 6 6 6 0 0 0
41129- 0 0 0 0 0 0 0 0 0 0 0 0
41130- 0 0 0 0 0 0 0 0 0 0 0 0
41131- 0 0 0 0 0 0 0 0 0 0 0 0
41132- 0 0 0 0 0 0 0 0 0 0 0 0
41133- 0 0 0 0 0 0 0 0 0 0 0 0
41134- 0 0 0 0 0 0 0 0 0 0 0 0
41135- 0 0 0 0 0 0 0 0 0 0 0 0
41136- 0 0 0 0 0 0 0 0 0 0 0 0
41137- 0 0 0 0 0 0 0 0 0 0 0 0
41138- 0 0 0 0 0 0 0 0 0 0 0 0
41139- 0 0 0 0 0 0 0 0 0 0 0 0
41140- 0 0 0 0 0 0 0 0 0 0 0 0
41141- 0 0 0 0 0 0 0 0 0 0 0 0
41142- 0 0 0 0 0 0 0 0 0 0 0 0
41143- 0 0 0 6 6 6 22 22 22 50 50 50
41144- 78 78 78 34 34 34 2 2 6 2 2 6
41145- 2 2 6 2 2 6 2 2 6 2 2 6
41146- 2 2 6 2 2 6 2 2 6 2 2 6
41147- 2 2 6 2 2 6 6 6 6 70 70 70
41148- 78 78 78 46 46 46 22 22 22 6 6 6
41149- 0 0 0 0 0 0 0 0 0 0 0 0
41150- 0 0 0 0 0 0 0 0 0 0 0 0
41151- 0 0 0 0 0 0 0 0 0 0 0 0
41152- 0 0 0 0 0 0 0 0 0 0 0 0
41153- 0 0 0 0 0 0 0 0 0 0 0 0
41154- 0 0 0 0 0 0 0 0 0 0 0 0
41155- 0 0 0 0 0 0 0 0 0 0 0 0
41156- 0 0 0 0 0 0 0 0 0 0 0 0
41157- 0 0 1 0 0 1 0 0 1 0 0 0
41158- 0 0 0 0 0 0 0 0 0 0 0 0
41159- 0 0 0 0 0 0 0 0 0 0 0 0
41160- 0 0 0 0 0 0 0 0 0 0 0 0
41161- 0 0 0 0 0 0 0 0 0 0 0 0
41162- 0 0 0 0 0 0 0 0 0 0 0 0
41163- 6 6 6 18 18 18 42 42 42 82 82 82
41164- 26 26 26 2 2 6 2 2 6 2 2 6
41165- 2 2 6 2 2 6 2 2 6 2 2 6
41166- 2 2 6 2 2 6 2 2 6 14 14 14
41167- 46 46 46 34 34 34 6 6 6 2 2 6
41168- 42 42 42 78 78 78 42 42 42 18 18 18
41169- 6 6 6 0 0 0 0 0 0 0 0 0
41170- 0 0 0 0 0 0 0 0 0 0 0 0
41171- 0 0 0 0 0 0 0 0 0 0 0 0
41172- 0 0 0 0 0 0 0 0 0 0 0 0
41173- 0 0 0 0 0 0 0 0 0 0 0 0
41174- 0 0 0 0 0 0 0 0 0 0 0 0
41175- 0 0 0 0 0 0 0 0 0 0 0 0
41176- 0 0 0 0 0 0 0 0 0 0 0 0
41177- 0 0 1 0 0 0 0 0 1 0 0 0
41178- 0 0 0 0 0 0 0 0 0 0 0 0
41179- 0 0 0 0 0 0 0 0 0 0 0 0
41180- 0 0 0 0 0 0 0 0 0 0 0 0
41181- 0 0 0 0 0 0 0 0 0 0 0 0
41182- 0 0 0 0 0 0 0 0 0 0 0 0
41183- 10 10 10 30 30 30 66 66 66 58 58 58
41184- 2 2 6 2 2 6 2 2 6 2 2 6
41185- 2 2 6 2 2 6 2 2 6 2 2 6
41186- 2 2 6 2 2 6 2 2 6 26 26 26
41187- 86 86 86 101 101 101 46 46 46 10 10 10
41188- 2 2 6 58 58 58 70 70 70 34 34 34
41189- 10 10 10 0 0 0 0 0 0 0 0 0
41190- 0 0 0 0 0 0 0 0 0 0 0 0
41191- 0 0 0 0 0 0 0 0 0 0 0 0
41192- 0 0 0 0 0 0 0 0 0 0 0 0
41193- 0 0 0 0 0 0 0 0 0 0 0 0
41194- 0 0 0 0 0 0 0 0 0 0 0 0
41195- 0 0 0 0 0 0 0 0 0 0 0 0
41196- 0 0 0 0 0 0 0 0 0 0 0 0
41197- 0 0 1 0 0 1 0 0 1 0 0 0
41198- 0 0 0 0 0 0 0 0 0 0 0 0
41199- 0 0 0 0 0 0 0 0 0 0 0 0
41200- 0 0 0 0 0 0 0 0 0 0 0 0
41201- 0 0 0 0 0 0 0 0 0 0 0 0
41202- 0 0 0 0 0 0 0 0 0 0 0 0
41203- 14 14 14 42 42 42 86 86 86 10 10 10
41204- 2 2 6 2 2 6 2 2 6 2 2 6
41205- 2 2 6 2 2 6 2 2 6 2 2 6
41206- 2 2 6 2 2 6 2 2 6 30 30 30
41207- 94 94 94 94 94 94 58 58 58 26 26 26
41208- 2 2 6 6 6 6 78 78 78 54 54 54
41209- 22 22 22 6 6 6 0 0 0 0 0 0
41210- 0 0 0 0 0 0 0 0 0 0 0 0
41211- 0 0 0 0 0 0 0 0 0 0 0 0
41212- 0 0 0 0 0 0 0 0 0 0 0 0
41213- 0 0 0 0 0 0 0 0 0 0 0 0
41214- 0 0 0 0 0 0 0 0 0 0 0 0
41215- 0 0 0 0 0 0 0 0 0 0 0 0
41216- 0 0 0 0 0 0 0 0 0 0 0 0
41217- 0 0 0 0 0 0 0 0 0 0 0 0
41218- 0 0 0 0 0 0 0 0 0 0 0 0
41219- 0 0 0 0 0 0 0 0 0 0 0 0
41220- 0 0 0 0 0 0 0 0 0 0 0 0
41221- 0 0 0 0 0 0 0 0 0 0 0 0
41222- 0 0 0 0 0 0 0 0 0 6 6 6
41223- 22 22 22 62 62 62 62 62 62 2 2 6
41224- 2 2 6 2 2 6 2 2 6 2 2 6
41225- 2 2 6 2 2 6 2 2 6 2 2 6
41226- 2 2 6 2 2 6 2 2 6 26 26 26
41227- 54 54 54 38 38 38 18 18 18 10 10 10
41228- 2 2 6 2 2 6 34 34 34 82 82 82
41229- 38 38 38 14 14 14 0 0 0 0 0 0
41230- 0 0 0 0 0 0 0 0 0 0 0 0
41231- 0 0 0 0 0 0 0 0 0 0 0 0
41232- 0 0 0 0 0 0 0 0 0 0 0 0
41233- 0 0 0 0 0 0 0 0 0 0 0 0
41234- 0 0 0 0 0 0 0 0 0 0 0 0
41235- 0 0 0 0 0 0 0 0 0 0 0 0
41236- 0 0 0 0 0 0 0 0 0 0 0 0
41237- 0 0 0 0 0 1 0 0 1 0 0 0
41238- 0 0 0 0 0 0 0 0 0 0 0 0
41239- 0 0 0 0 0 0 0 0 0 0 0 0
41240- 0 0 0 0 0 0 0 0 0 0 0 0
41241- 0 0 0 0 0 0 0 0 0 0 0 0
41242- 0 0 0 0 0 0 0 0 0 6 6 6
41243- 30 30 30 78 78 78 30 30 30 2 2 6
41244- 2 2 6 2 2 6 2 2 6 2 2 6
41245- 2 2 6 2 2 6 2 2 6 2 2 6
41246- 2 2 6 2 2 6 2 2 6 10 10 10
41247- 10 10 10 2 2 6 2 2 6 2 2 6
41248- 2 2 6 2 2 6 2 2 6 78 78 78
41249- 50 50 50 18 18 18 6 6 6 0 0 0
41250- 0 0 0 0 0 0 0 0 0 0 0 0
41251- 0 0 0 0 0 0 0 0 0 0 0 0
41252- 0 0 0 0 0 0 0 0 0 0 0 0
41253- 0 0 0 0 0 0 0 0 0 0 0 0
41254- 0 0 0 0 0 0 0 0 0 0 0 0
41255- 0 0 0 0 0 0 0 0 0 0 0 0
41256- 0 0 0 0 0 0 0 0 0 0 0 0
41257- 0 0 1 0 0 0 0 0 0 0 0 0
41258- 0 0 0 0 0 0 0 0 0 0 0 0
41259- 0 0 0 0 0 0 0 0 0 0 0 0
41260- 0 0 0 0 0 0 0 0 0 0 0 0
41261- 0 0 0 0 0 0 0 0 0 0 0 0
41262- 0 0 0 0 0 0 0 0 0 10 10 10
41263- 38 38 38 86 86 86 14 14 14 2 2 6
41264- 2 2 6 2 2 6 2 2 6 2 2 6
41265- 2 2 6 2 2 6 2 2 6 2 2 6
41266- 2 2 6 2 2 6 2 2 6 2 2 6
41267- 2 2 6 2 2 6 2 2 6 2 2 6
41268- 2 2 6 2 2 6 2 2 6 54 54 54
41269- 66 66 66 26 26 26 6 6 6 0 0 0
41270- 0 0 0 0 0 0 0 0 0 0 0 0
41271- 0 0 0 0 0 0 0 0 0 0 0 0
41272- 0 0 0 0 0 0 0 0 0 0 0 0
41273- 0 0 0 0 0 0 0 0 0 0 0 0
41274- 0 0 0 0 0 0 0 0 0 0 0 0
41275- 0 0 0 0 0 0 0 0 0 0 0 0
41276- 0 0 0 0 0 0 0 0 0 0 0 0
41277- 0 0 0 0 0 1 0 0 1 0 0 0
41278- 0 0 0 0 0 0 0 0 0 0 0 0
41279- 0 0 0 0 0 0 0 0 0 0 0 0
41280- 0 0 0 0 0 0 0 0 0 0 0 0
41281- 0 0 0 0 0 0 0 0 0 0 0 0
41282- 0 0 0 0 0 0 0 0 0 14 14 14
41283- 42 42 42 82 82 82 2 2 6 2 2 6
41284- 2 2 6 6 6 6 10 10 10 2 2 6
41285- 2 2 6 2 2 6 2 2 6 2 2 6
41286- 2 2 6 2 2 6 2 2 6 6 6 6
41287- 14 14 14 10 10 10 2 2 6 2 2 6
41288- 2 2 6 2 2 6 2 2 6 18 18 18
41289- 82 82 82 34 34 34 10 10 10 0 0 0
41290- 0 0 0 0 0 0 0 0 0 0 0 0
41291- 0 0 0 0 0 0 0 0 0 0 0 0
41292- 0 0 0 0 0 0 0 0 0 0 0 0
41293- 0 0 0 0 0 0 0 0 0 0 0 0
41294- 0 0 0 0 0 0 0 0 0 0 0 0
41295- 0 0 0 0 0 0 0 0 0 0 0 0
41296- 0 0 0 0 0 0 0 0 0 0 0 0
41297- 0 0 1 0 0 0 0 0 0 0 0 0
41298- 0 0 0 0 0 0 0 0 0 0 0 0
41299- 0 0 0 0 0 0 0 0 0 0 0 0
41300- 0 0 0 0 0 0 0 0 0 0 0 0
41301- 0 0 0 0 0 0 0 0 0 0 0 0
41302- 0 0 0 0 0 0 0 0 0 14 14 14
41303- 46 46 46 86 86 86 2 2 6 2 2 6
41304- 6 6 6 6 6 6 22 22 22 34 34 34
41305- 6 6 6 2 2 6 2 2 6 2 2 6
41306- 2 2 6 2 2 6 18 18 18 34 34 34
41307- 10 10 10 50 50 50 22 22 22 2 2 6
41308- 2 2 6 2 2 6 2 2 6 10 10 10
41309- 86 86 86 42 42 42 14 14 14 0 0 0
41310- 0 0 0 0 0 0 0 0 0 0 0 0
41311- 0 0 0 0 0 0 0 0 0 0 0 0
41312- 0 0 0 0 0 0 0 0 0 0 0 0
41313- 0 0 0 0 0 0 0 0 0 0 0 0
41314- 0 0 0 0 0 0 0 0 0 0 0 0
41315- 0 0 0 0 0 0 0 0 0 0 0 0
41316- 0 0 0 0 0 0 0 0 0 0 0 0
41317- 0 0 1 0 0 1 0 0 1 0 0 0
41318- 0 0 0 0 0 0 0 0 0 0 0 0
41319- 0 0 0 0 0 0 0 0 0 0 0 0
41320- 0 0 0 0 0 0 0 0 0 0 0 0
41321- 0 0 0 0 0 0 0 0 0 0 0 0
41322- 0 0 0 0 0 0 0 0 0 14 14 14
41323- 46 46 46 86 86 86 2 2 6 2 2 6
41324- 38 38 38 116 116 116 94 94 94 22 22 22
41325- 22 22 22 2 2 6 2 2 6 2 2 6
41326- 14 14 14 86 86 86 138 138 138 162 162 162
41327-154 154 154 38 38 38 26 26 26 6 6 6
41328- 2 2 6 2 2 6 2 2 6 2 2 6
41329- 86 86 86 46 46 46 14 14 14 0 0 0
41330- 0 0 0 0 0 0 0 0 0 0 0 0
41331- 0 0 0 0 0 0 0 0 0 0 0 0
41332- 0 0 0 0 0 0 0 0 0 0 0 0
41333- 0 0 0 0 0 0 0 0 0 0 0 0
41334- 0 0 0 0 0 0 0 0 0 0 0 0
41335- 0 0 0 0 0 0 0 0 0 0 0 0
41336- 0 0 0 0 0 0 0 0 0 0 0 0
41337- 0 0 0 0 0 0 0 0 0 0 0 0
41338- 0 0 0 0 0 0 0 0 0 0 0 0
41339- 0 0 0 0 0 0 0 0 0 0 0 0
41340- 0 0 0 0 0 0 0 0 0 0 0 0
41341- 0 0 0 0 0 0 0 0 0 0 0 0
41342- 0 0 0 0 0 0 0 0 0 14 14 14
41343- 46 46 46 86 86 86 2 2 6 14 14 14
41344-134 134 134 198 198 198 195 195 195 116 116 116
41345- 10 10 10 2 2 6 2 2 6 6 6 6
41346-101 98 89 187 187 187 210 210 210 218 218 218
41347-214 214 214 134 134 134 14 14 14 6 6 6
41348- 2 2 6 2 2 6 2 2 6 2 2 6
41349- 86 86 86 50 50 50 18 18 18 6 6 6
41350- 0 0 0 0 0 0 0 0 0 0 0 0
41351- 0 0 0 0 0 0 0 0 0 0 0 0
41352- 0 0 0 0 0 0 0 0 0 0 0 0
41353- 0 0 0 0 0 0 0 0 0 0 0 0
41354- 0 0 0 0 0 0 0 0 0 0 0 0
41355- 0 0 0 0 0 0 0 0 0 0 0 0
41356- 0 0 0 0 0 0 0 0 1 0 0 0
41357- 0 0 1 0 0 1 0 0 1 0 0 0
41358- 0 0 0 0 0 0 0 0 0 0 0 0
41359- 0 0 0 0 0 0 0 0 0 0 0 0
41360- 0 0 0 0 0 0 0 0 0 0 0 0
41361- 0 0 0 0 0 0 0 0 0 0 0 0
41362- 0 0 0 0 0 0 0 0 0 14 14 14
41363- 46 46 46 86 86 86 2 2 6 54 54 54
41364-218 218 218 195 195 195 226 226 226 246 246 246
41365- 58 58 58 2 2 6 2 2 6 30 30 30
41366-210 210 210 253 253 253 174 174 174 123 123 123
41367-221 221 221 234 234 234 74 74 74 2 2 6
41368- 2 2 6 2 2 6 2 2 6 2 2 6
41369- 70 70 70 58 58 58 22 22 22 6 6 6
41370- 0 0 0 0 0 0 0 0 0 0 0 0
41371- 0 0 0 0 0 0 0 0 0 0 0 0
41372- 0 0 0 0 0 0 0 0 0 0 0 0
41373- 0 0 0 0 0 0 0 0 0 0 0 0
41374- 0 0 0 0 0 0 0 0 0 0 0 0
41375- 0 0 0 0 0 0 0 0 0 0 0 0
41376- 0 0 0 0 0 0 0 0 0 0 0 0
41377- 0 0 0 0 0 0 0 0 0 0 0 0
41378- 0 0 0 0 0 0 0 0 0 0 0 0
41379- 0 0 0 0 0 0 0 0 0 0 0 0
41380- 0 0 0 0 0 0 0 0 0 0 0 0
41381- 0 0 0 0 0 0 0 0 0 0 0 0
41382- 0 0 0 0 0 0 0 0 0 14 14 14
41383- 46 46 46 82 82 82 2 2 6 106 106 106
41384-170 170 170 26 26 26 86 86 86 226 226 226
41385-123 123 123 10 10 10 14 14 14 46 46 46
41386-231 231 231 190 190 190 6 6 6 70 70 70
41387- 90 90 90 238 238 238 158 158 158 2 2 6
41388- 2 2 6 2 2 6 2 2 6 2 2 6
41389- 70 70 70 58 58 58 22 22 22 6 6 6
41390- 0 0 0 0 0 0 0 0 0 0 0 0
41391- 0 0 0 0 0 0 0 0 0 0 0 0
41392- 0 0 0 0 0 0 0 0 0 0 0 0
41393- 0 0 0 0 0 0 0 0 0 0 0 0
41394- 0 0 0 0 0 0 0 0 0 0 0 0
41395- 0 0 0 0 0 0 0 0 0 0 0 0
41396- 0 0 0 0 0 0 0 0 1 0 0 0
41397- 0 0 1 0 0 1 0 0 1 0 0 0
41398- 0 0 0 0 0 0 0 0 0 0 0 0
41399- 0 0 0 0 0 0 0 0 0 0 0 0
41400- 0 0 0 0 0 0 0 0 0 0 0 0
41401- 0 0 0 0 0 0 0 0 0 0 0 0
41402- 0 0 0 0 0 0 0 0 0 14 14 14
41403- 42 42 42 86 86 86 6 6 6 116 116 116
41404-106 106 106 6 6 6 70 70 70 149 149 149
41405-128 128 128 18 18 18 38 38 38 54 54 54
41406-221 221 221 106 106 106 2 2 6 14 14 14
41407- 46 46 46 190 190 190 198 198 198 2 2 6
41408- 2 2 6 2 2 6 2 2 6 2 2 6
41409- 74 74 74 62 62 62 22 22 22 6 6 6
41410- 0 0 0 0 0 0 0 0 0 0 0 0
41411- 0 0 0 0 0 0 0 0 0 0 0 0
41412- 0 0 0 0 0 0 0 0 0 0 0 0
41413- 0 0 0 0 0 0 0 0 0 0 0 0
41414- 0 0 0 0 0 0 0 0 0 0 0 0
41415- 0 0 0 0 0 0 0 0 0 0 0 0
41416- 0 0 0 0 0 0 0 0 1 0 0 0
41417- 0 0 1 0 0 0 0 0 1 0 0 0
41418- 0 0 0 0 0 0 0 0 0 0 0 0
41419- 0 0 0 0 0 0 0 0 0 0 0 0
41420- 0 0 0 0 0 0 0 0 0 0 0 0
41421- 0 0 0 0 0 0 0 0 0 0 0 0
41422- 0 0 0 0 0 0 0 0 0 14 14 14
41423- 42 42 42 94 94 94 14 14 14 101 101 101
41424-128 128 128 2 2 6 18 18 18 116 116 116
41425-118 98 46 121 92 8 121 92 8 98 78 10
41426-162 162 162 106 106 106 2 2 6 2 2 6
41427- 2 2 6 195 195 195 195 195 195 6 6 6
41428- 2 2 6 2 2 6 2 2 6 2 2 6
41429- 74 74 74 62 62 62 22 22 22 6 6 6
41430- 0 0 0 0 0 0 0 0 0 0 0 0
41431- 0 0 0 0 0 0 0 0 0 0 0 0
41432- 0 0 0 0 0 0 0 0 0 0 0 0
41433- 0 0 0 0 0 0 0 0 0 0 0 0
41434- 0 0 0 0 0 0 0 0 0 0 0 0
41435- 0 0 0 0 0 0 0 0 0 0 0 0
41436- 0 0 0 0 0 0 0 0 1 0 0 1
41437- 0 0 1 0 0 0 0 0 1 0 0 0
41438- 0 0 0 0 0 0 0 0 0 0 0 0
41439- 0 0 0 0 0 0 0 0 0 0 0 0
41440- 0 0 0 0 0 0 0 0 0 0 0 0
41441- 0 0 0 0 0 0 0 0 0 0 0 0
41442- 0 0 0 0 0 0 0 0 0 10 10 10
41443- 38 38 38 90 90 90 14 14 14 58 58 58
41444-210 210 210 26 26 26 54 38 6 154 114 10
41445-226 170 11 236 186 11 225 175 15 184 144 12
41446-215 174 15 175 146 61 37 26 9 2 2 6
41447- 70 70 70 246 246 246 138 138 138 2 2 6
41448- 2 2 6 2 2 6 2 2 6 2 2 6
41449- 70 70 70 66 66 66 26 26 26 6 6 6
41450- 0 0 0 0 0 0 0 0 0 0 0 0
41451- 0 0 0 0 0 0 0 0 0 0 0 0
41452- 0 0 0 0 0 0 0 0 0 0 0 0
41453- 0 0 0 0 0 0 0 0 0 0 0 0
41454- 0 0 0 0 0 0 0 0 0 0 0 0
41455- 0 0 0 0 0 0 0 0 0 0 0 0
41456- 0 0 0 0 0 0 0 0 0 0 0 0
41457- 0 0 0 0 0 0 0 0 0 0 0 0
41458- 0 0 0 0 0 0 0 0 0 0 0 0
41459- 0 0 0 0 0 0 0 0 0 0 0 0
41460- 0 0 0 0 0 0 0 0 0 0 0 0
41461- 0 0 0 0 0 0 0 0 0 0 0 0
41462- 0 0 0 0 0 0 0 0 0 10 10 10
41463- 38 38 38 86 86 86 14 14 14 10 10 10
41464-195 195 195 188 164 115 192 133 9 225 175 15
41465-239 182 13 234 190 10 232 195 16 232 200 30
41466-245 207 45 241 208 19 232 195 16 184 144 12
41467-218 194 134 211 206 186 42 42 42 2 2 6
41468- 2 2 6 2 2 6 2 2 6 2 2 6
41469- 50 50 50 74 74 74 30 30 30 6 6 6
41470- 0 0 0 0 0 0 0 0 0 0 0 0
41471- 0 0 0 0 0 0 0 0 0 0 0 0
41472- 0 0 0 0 0 0 0 0 0 0 0 0
41473- 0 0 0 0 0 0 0 0 0 0 0 0
41474- 0 0 0 0 0 0 0 0 0 0 0 0
41475- 0 0 0 0 0 0 0 0 0 0 0 0
41476- 0 0 0 0 0 0 0 0 0 0 0 0
41477- 0 0 0 0 0 0 0 0 0 0 0 0
41478- 0 0 0 0 0 0 0 0 0 0 0 0
41479- 0 0 0 0 0 0 0 0 0 0 0 0
41480- 0 0 0 0 0 0 0 0 0 0 0 0
41481- 0 0 0 0 0 0 0 0 0 0 0 0
41482- 0 0 0 0 0 0 0 0 0 10 10 10
41483- 34 34 34 86 86 86 14 14 14 2 2 6
41484-121 87 25 192 133 9 219 162 10 239 182 13
41485-236 186 11 232 195 16 241 208 19 244 214 54
41486-246 218 60 246 218 38 246 215 20 241 208 19
41487-241 208 19 226 184 13 121 87 25 2 2 6
41488- 2 2 6 2 2 6 2 2 6 2 2 6
41489- 50 50 50 82 82 82 34 34 34 10 10 10
41490- 0 0 0 0 0 0 0 0 0 0 0 0
41491- 0 0 0 0 0 0 0 0 0 0 0 0
41492- 0 0 0 0 0 0 0 0 0 0 0 0
41493- 0 0 0 0 0 0 0 0 0 0 0 0
41494- 0 0 0 0 0 0 0 0 0 0 0 0
41495- 0 0 0 0 0 0 0 0 0 0 0 0
41496- 0 0 0 0 0 0 0 0 0 0 0 0
41497- 0 0 0 0 0 0 0 0 0 0 0 0
41498- 0 0 0 0 0 0 0 0 0 0 0 0
41499- 0 0 0 0 0 0 0 0 0 0 0 0
41500- 0 0 0 0 0 0 0 0 0 0 0 0
41501- 0 0 0 0 0 0 0 0 0 0 0 0
41502- 0 0 0 0 0 0 0 0 0 10 10 10
41503- 34 34 34 82 82 82 30 30 30 61 42 6
41504-180 123 7 206 145 10 230 174 11 239 182 13
41505-234 190 10 238 202 15 241 208 19 246 218 74
41506-246 218 38 246 215 20 246 215 20 246 215 20
41507-226 184 13 215 174 15 184 144 12 6 6 6
41508- 2 2 6 2 2 6 2 2 6 2 2 6
41509- 26 26 26 94 94 94 42 42 42 14 14 14
41510- 0 0 0 0 0 0 0 0 0 0 0 0
41511- 0 0 0 0 0 0 0 0 0 0 0 0
41512- 0 0 0 0 0 0 0 0 0 0 0 0
41513- 0 0 0 0 0 0 0 0 0 0 0 0
41514- 0 0 0 0 0 0 0 0 0 0 0 0
41515- 0 0 0 0 0 0 0 0 0 0 0 0
41516- 0 0 0 0 0 0 0 0 0 0 0 0
41517- 0 0 0 0 0 0 0 0 0 0 0 0
41518- 0 0 0 0 0 0 0 0 0 0 0 0
41519- 0 0 0 0 0 0 0 0 0 0 0 0
41520- 0 0 0 0 0 0 0 0 0 0 0 0
41521- 0 0 0 0 0 0 0 0 0 0 0 0
41522- 0 0 0 0 0 0 0 0 0 10 10 10
41523- 30 30 30 78 78 78 50 50 50 104 69 6
41524-192 133 9 216 158 10 236 178 12 236 186 11
41525-232 195 16 241 208 19 244 214 54 245 215 43
41526-246 215 20 246 215 20 241 208 19 198 155 10
41527-200 144 11 216 158 10 156 118 10 2 2 6
41528- 2 2 6 2 2 6 2 2 6 2 2 6
41529- 6 6 6 90 90 90 54 54 54 18 18 18
41530- 6 6 6 0 0 0 0 0 0 0 0 0
41531- 0 0 0 0 0 0 0 0 0 0 0 0
41532- 0 0 0 0 0 0 0 0 0 0 0 0
41533- 0 0 0 0 0 0 0 0 0 0 0 0
41534- 0 0 0 0 0 0 0 0 0 0 0 0
41535- 0 0 0 0 0 0 0 0 0 0 0 0
41536- 0 0 0 0 0 0 0 0 0 0 0 0
41537- 0 0 0 0 0 0 0 0 0 0 0 0
41538- 0 0 0 0 0 0 0 0 0 0 0 0
41539- 0 0 0 0 0 0 0 0 0 0 0 0
41540- 0 0 0 0 0 0 0 0 0 0 0 0
41541- 0 0 0 0 0 0 0 0 0 0 0 0
41542- 0 0 0 0 0 0 0 0 0 10 10 10
41543- 30 30 30 78 78 78 46 46 46 22 22 22
41544-137 92 6 210 162 10 239 182 13 238 190 10
41545-238 202 15 241 208 19 246 215 20 246 215 20
41546-241 208 19 203 166 17 185 133 11 210 150 10
41547-216 158 10 210 150 10 102 78 10 2 2 6
41548- 6 6 6 54 54 54 14 14 14 2 2 6
41549- 2 2 6 62 62 62 74 74 74 30 30 30
41550- 10 10 10 0 0 0 0 0 0 0 0 0
41551- 0 0 0 0 0 0 0 0 0 0 0 0
41552- 0 0 0 0 0 0 0 0 0 0 0 0
41553- 0 0 0 0 0 0 0 0 0 0 0 0
41554- 0 0 0 0 0 0 0 0 0 0 0 0
41555- 0 0 0 0 0 0 0 0 0 0 0 0
41556- 0 0 0 0 0 0 0 0 0 0 0 0
41557- 0 0 0 0 0 0 0 0 0 0 0 0
41558- 0 0 0 0 0 0 0 0 0 0 0 0
41559- 0 0 0 0 0 0 0 0 0 0 0 0
41560- 0 0 0 0 0 0 0 0 0 0 0 0
41561- 0 0 0 0 0 0 0 0 0 0 0 0
41562- 0 0 0 0 0 0 0 0 0 10 10 10
41563- 34 34 34 78 78 78 50 50 50 6 6 6
41564- 94 70 30 139 102 15 190 146 13 226 184 13
41565-232 200 30 232 195 16 215 174 15 190 146 13
41566-168 122 10 192 133 9 210 150 10 213 154 11
41567-202 150 34 182 157 106 101 98 89 2 2 6
41568- 2 2 6 78 78 78 116 116 116 58 58 58
41569- 2 2 6 22 22 22 90 90 90 46 46 46
41570- 18 18 18 6 6 6 0 0 0 0 0 0
41571- 0 0 0 0 0 0 0 0 0 0 0 0
41572- 0 0 0 0 0 0 0 0 0 0 0 0
41573- 0 0 0 0 0 0 0 0 0 0 0 0
41574- 0 0 0 0 0 0 0 0 0 0 0 0
41575- 0 0 0 0 0 0 0 0 0 0 0 0
41576- 0 0 0 0 0 0 0 0 0 0 0 0
41577- 0 0 0 0 0 0 0 0 0 0 0 0
41578- 0 0 0 0 0 0 0 0 0 0 0 0
41579- 0 0 0 0 0 0 0 0 0 0 0 0
41580- 0 0 0 0 0 0 0 0 0 0 0 0
41581- 0 0 0 0 0 0 0 0 0 0 0 0
41582- 0 0 0 0 0 0 0 0 0 10 10 10
41583- 38 38 38 86 86 86 50 50 50 6 6 6
41584-128 128 128 174 154 114 156 107 11 168 122 10
41585-198 155 10 184 144 12 197 138 11 200 144 11
41586-206 145 10 206 145 10 197 138 11 188 164 115
41587-195 195 195 198 198 198 174 174 174 14 14 14
41588- 2 2 6 22 22 22 116 116 116 116 116 116
41589- 22 22 22 2 2 6 74 74 74 70 70 70
41590- 30 30 30 10 10 10 0 0 0 0 0 0
41591- 0 0 0 0 0 0 0 0 0 0 0 0
41592- 0 0 0 0 0 0 0 0 0 0 0 0
41593- 0 0 0 0 0 0 0 0 0 0 0 0
41594- 0 0 0 0 0 0 0 0 0 0 0 0
41595- 0 0 0 0 0 0 0 0 0 0 0 0
41596- 0 0 0 0 0 0 0 0 0 0 0 0
41597- 0 0 0 0 0 0 0 0 0 0 0 0
41598- 0 0 0 0 0 0 0 0 0 0 0 0
41599- 0 0 0 0 0 0 0 0 0 0 0 0
41600- 0 0 0 0 0 0 0 0 0 0 0 0
41601- 0 0 0 0 0 0 0 0 0 0 0 0
41602- 0 0 0 0 0 0 6 6 6 18 18 18
41603- 50 50 50 101 101 101 26 26 26 10 10 10
41604-138 138 138 190 190 190 174 154 114 156 107 11
41605-197 138 11 200 144 11 197 138 11 192 133 9
41606-180 123 7 190 142 34 190 178 144 187 187 187
41607-202 202 202 221 221 221 214 214 214 66 66 66
41608- 2 2 6 2 2 6 50 50 50 62 62 62
41609- 6 6 6 2 2 6 10 10 10 90 90 90
41610- 50 50 50 18 18 18 6 6 6 0 0 0
41611- 0 0 0 0 0 0 0 0 0 0 0 0
41612- 0 0 0 0 0 0 0 0 0 0 0 0
41613- 0 0 0 0 0 0 0 0 0 0 0 0
41614- 0 0 0 0 0 0 0 0 0 0 0 0
41615- 0 0 0 0 0 0 0 0 0 0 0 0
41616- 0 0 0 0 0 0 0 0 0 0 0 0
41617- 0 0 0 0 0 0 0 0 0 0 0 0
41618- 0 0 0 0 0 0 0 0 0 0 0 0
41619- 0 0 0 0 0 0 0 0 0 0 0 0
41620- 0 0 0 0 0 0 0 0 0 0 0 0
41621- 0 0 0 0 0 0 0 0 0 0 0 0
41622- 0 0 0 0 0 0 10 10 10 34 34 34
41623- 74 74 74 74 74 74 2 2 6 6 6 6
41624-144 144 144 198 198 198 190 190 190 178 166 146
41625-154 121 60 156 107 11 156 107 11 168 124 44
41626-174 154 114 187 187 187 190 190 190 210 210 210
41627-246 246 246 253 253 253 253 253 253 182 182 182
41628- 6 6 6 2 2 6 2 2 6 2 2 6
41629- 2 2 6 2 2 6 2 2 6 62 62 62
41630- 74 74 74 34 34 34 14 14 14 0 0 0
41631- 0 0 0 0 0 0 0 0 0 0 0 0
41632- 0 0 0 0 0 0 0 0 0 0 0 0
41633- 0 0 0 0 0 0 0 0 0 0 0 0
41634- 0 0 0 0 0 0 0 0 0 0 0 0
41635- 0 0 0 0 0 0 0 0 0 0 0 0
41636- 0 0 0 0 0 0 0 0 0 0 0 0
41637- 0 0 0 0 0 0 0 0 0 0 0 0
41638- 0 0 0 0 0 0 0 0 0 0 0 0
41639- 0 0 0 0 0 0 0 0 0 0 0 0
41640- 0 0 0 0 0 0 0 0 0 0 0 0
41641- 0 0 0 0 0 0 0 0 0 0 0 0
41642- 0 0 0 10 10 10 22 22 22 54 54 54
41643- 94 94 94 18 18 18 2 2 6 46 46 46
41644-234 234 234 221 221 221 190 190 190 190 190 190
41645-190 190 190 187 187 187 187 187 187 190 190 190
41646-190 190 190 195 195 195 214 214 214 242 242 242
41647-253 253 253 253 253 253 253 253 253 253 253 253
41648- 82 82 82 2 2 6 2 2 6 2 2 6
41649- 2 2 6 2 2 6 2 2 6 14 14 14
41650- 86 86 86 54 54 54 22 22 22 6 6 6
41651- 0 0 0 0 0 0 0 0 0 0 0 0
41652- 0 0 0 0 0 0 0 0 0 0 0 0
41653- 0 0 0 0 0 0 0 0 0 0 0 0
41654- 0 0 0 0 0 0 0 0 0 0 0 0
41655- 0 0 0 0 0 0 0 0 0 0 0 0
41656- 0 0 0 0 0 0 0 0 0 0 0 0
41657- 0 0 0 0 0 0 0 0 0 0 0 0
41658- 0 0 0 0 0 0 0 0 0 0 0 0
41659- 0 0 0 0 0 0 0 0 0 0 0 0
41660- 0 0 0 0 0 0 0 0 0 0 0 0
41661- 0 0 0 0 0 0 0 0 0 0 0 0
41662- 6 6 6 18 18 18 46 46 46 90 90 90
41663- 46 46 46 18 18 18 6 6 6 182 182 182
41664-253 253 253 246 246 246 206 206 206 190 190 190
41665-190 190 190 190 190 190 190 190 190 190 190 190
41666-206 206 206 231 231 231 250 250 250 253 253 253
41667-253 253 253 253 253 253 253 253 253 253 253 253
41668-202 202 202 14 14 14 2 2 6 2 2 6
41669- 2 2 6 2 2 6 2 2 6 2 2 6
41670- 42 42 42 86 86 86 42 42 42 18 18 18
41671- 6 6 6 0 0 0 0 0 0 0 0 0
41672- 0 0 0 0 0 0 0 0 0 0 0 0
41673- 0 0 0 0 0 0 0 0 0 0 0 0
41674- 0 0 0 0 0 0 0 0 0 0 0 0
41675- 0 0 0 0 0 0 0 0 0 0 0 0
41676- 0 0 0 0 0 0 0 0 0 0 0 0
41677- 0 0 0 0 0 0 0 0 0 0 0 0
41678- 0 0 0 0 0 0 0 0 0 0 0 0
41679- 0 0 0 0 0 0 0 0 0 0 0 0
41680- 0 0 0 0 0 0 0 0 0 0 0 0
41681- 0 0 0 0 0 0 0 0 0 6 6 6
41682- 14 14 14 38 38 38 74 74 74 66 66 66
41683- 2 2 6 6 6 6 90 90 90 250 250 250
41684-253 253 253 253 253 253 238 238 238 198 198 198
41685-190 190 190 190 190 190 195 195 195 221 221 221
41686-246 246 246 253 253 253 253 253 253 253 253 253
41687-253 253 253 253 253 253 253 253 253 253 253 253
41688-253 253 253 82 82 82 2 2 6 2 2 6
41689- 2 2 6 2 2 6 2 2 6 2 2 6
41690- 2 2 6 78 78 78 70 70 70 34 34 34
41691- 14 14 14 6 6 6 0 0 0 0 0 0
41692- 0 0 0 0 0 0 0 0 0 0 0 0
41693- 0 0 0 0 0 0 0 0 0 0 0 0
41694- 0 0 0 0 0 0 0 0 0 0 0 0
41695- 0 0 0 0 0 0 0 0 0 0 0 0
41696- 0 0 0 0 0 0 0 0 0 0 0 0
41697- 0 0 0 0 0 0 0 0 0 0 0 0
41698- 0 0 0 0 0 0 0 0 0 0 0 0
41699- 0 0 0 0 0 0 0 0 0 0 0 0
41700- 0 0 0 0 0 0 0 0 0 0 0 0
41701- 0 0 0 0 0 0 0 0 0 14 14 14
41702- 34 34 34 66 66 66 78 78 78 6 6 6
41703- 2 2 6 18 18 18 218 218 218 253 253 253
41704-253 253 253 253 253 253 253 253 253 246 246 246
41705-226 226 226 231 231 231 246 246 246 253 253 253
41706-253 253 253 253 253 253 253 253 253 253 253 253
41707-253 253 253 253 253 253 253 253 253 253 253 253
41708-253 253 253 178 178 178 2 2 6 2 2 6
41709- 2 2 6 2 2 6 2 2 6 2 2 6
41710- 2 2 6 18 18 18 90 90 90 62 62 62
41711- 30 30 30 10 10 10 0 0 0 0 0 0
41712- 0 0 0 0 0 0 0 0 0 0 0 0
41713- 0 0 0 0 0 0 0 0 0 0 0 0
41714- 0 0 0 0 0 0 0 0 0 0 0 0
41715- 0 0 0 0 0 0 0 0 0 0 0 0
41716- 0 0 0 0 0 0 0 0 0 0 0 0
41717- 0 0 0 0 0 0 0 0 0 0 0 0
41718- 0 0 0 0 0 0 0 0 0 0 0 0
41719- 0 0 0 0 0 0 0 0 0 0 0 0
41720- 0 0 0 0 0 0 0 0 0 0 0 0
41721- 0 0 0 0 0 0 10 10 10 26 26 26
41722- 58 58 58 90 90 90 18 18 18 2 2 6
41723- 2 2 6 110 110 110 253 253 253 253 253 253
41724-253 253 253 253 253 253 253 253 253 253 253 253
41725-250 250 250 253 253 253 253 253 253 253 253 253
41726-253 253 253 253 253 253 253 253 253 253 253 253
41727-253 253 253 253 253 253 253 253 253 253 253 253
41728-253 253 253 231 231 231 18 18 18 2 2 6
41729- 2 2 6 2 2 6 2 2 6 2 2 6
41730- 2 2 6 2 2 6 18 18 18 94 94 94
41731- 54 54 54 26 26 26 10 10 10 0 0 0
41732- 0 0 0 0 0 0 0 0 0 0 0 0
41733- 0 0 0 0 0 0 0 0 0 0 0 0
41734- 0 0 0 0 0 0 0 0 0 0 0 0
41735- 0 0 0 0 0 0 0 0 0 0 0 0
41736- 0 0 0 0 0 0 0 0 0 0 0 0
41737- 0 0 0 0 0 0 0 0 0 0 0 0
41738- 0 0 0 0 0 0 0 0 0 0 0 0
41739- 0 0 0 0 0 0 0 0 0 0 0 0
41740- 0 0 0 0 0 0 0 0 0 0 0 0
41741- 0 0 0 6 6 6 22 22 22 50 50 50
41742- 90 90 90 26 26 26 2 2 6 2 2 6
41743- 14 14 14 195 195 195 250 250 250 253 253 253
41744-253 253 253 253 253 253 253 253 253 253 253 253
41745-253 253 253 253 253 253 253 253 253 253 253 253
41746-253 253 253 253 253 253 253 253 253 253 253 253
41747-253 253 253 253 253 253 253 253 253 253 253 253
41748-250 250 250 242 242 242 54 54 54 2 2 6
41749- 2 2 6 2 2 6 2 2 6 2 2 6
41750- 2 2 6 2 2 6 2 2 6 38 38 38
41751- 86 86 86 50 50 50 22 22 22 6 6 6
41752- 0 0 0 0 0 0 0 0 0 0 0 0
41753- 0 0 0 0 0 0 0 0 0 0 0 0
41754- 0 0 0 0 0 0 0 0 0 0 0 0
41755- 0 0 0 0 0 0 0 0 0 0 0 0
41756- 0 0 0 0 0 0 0 0 0 0 0 0
41757- 0 0 0 0 0 0 0 0 0 0 0 0
41758- 0 0 0 0 0 0 0 0 0 0 0 0
41759- 0 0 0 0 0 0 0 0 0 0 0 0
41760- 0 0 0 0 0 0 0 0 0 0 0 0
41761- 6 6 6 14 14 14 38 38 38 82 82 82
41762- 34 34 34 2 2 6 2 2 6 2 2 6
41763- 42 42 42 195 195 195 246 246 246 253 253 253
41764-253 253 253 253 253 253 253 253 253 250 250 250
41765-242 242 242 242 242 242 250 250 250 253 253 253
41766-253 253 253 253 253 253 253 253 253 253 253 253
41767-253 253 253 250 250 250 246 246 246 238 238 238
41768-226 226 226 231 231 231 101 101 101 6 6 6
41769- 2 2 6 2 2 6 2 2 6 2 2 6
41770- 2 2 6 2 2 6 2 2 6 2 2 6
41771- 38 38 38 82 82 82 42 42 42 14 14 14
41772- 6 6 6 0 0 0 0 0 0 0 0 0
41773- 0 0 0 0 0 0 0 0 0 0 0 0
41774- 0 0 0 0 0 0 0 0 0 0 0 0
41775- 0 0 0 0 0 0 0 0 0 0 0 0
41776- 0 0 0 0 0 0 0 0 0 0 0 0
41777- 0 0 0 0 0 0 0 0 0 0 0 0
41778- 0 0 0 0 0 0 0 0 0 0 0 0
41779- 0 0 0 0 0 0 0 0 0 0 0 0
41780- 0 0 0 0 0 0 0 0 0 0 0 0
41781- 10 10 10 26 26 26 62 62 62 66 66 66
41782- 2 2 6 2 2 6 2 2 6 6 6 6
41783- 70 70 70 170 170 170 206 206 206 234 234 234
41784-246 246 246 250 250 250 250 250 250 238 238 238
41785-226 226 226 231 231 231 238 238 238 250 250 250
41786-250 250 250 250 250 250 246 246 246 231 231 231
41787-214 214 214 206 206 206 202 202 202 202 202 202
41788-198 198 198 202 202 202 182 182 182 18 18 18
41789- 2 2 6 2 2 6 2 2 6 2 2 6
41790- 2 2 6 2 2 6 2 2 6 2 2 6
41791- 2 2 6 62 62 62 66 66 66 30 30 30
41792- 10 10 10 0 0 0 0 0 0 0 0 0
41793- 0 0 0 0 0 0 0 0 0 0 0 0
41794- 0 0 0 0 0 0 0 0 0 0 0 0
41795- 0 0 0 0 0 0 0 0 0 0 0 0
41796- 0 0 0 0 0 0 0 0 0 0 0 0
41797- 0 0 0 0 0 0 0 0 0 0 0 0
41798- 0 0 0 0 0 0 0 0 0 0 0 0
41799- 0 0 0 0 0 0 0 0 0 0 0 0
41800- 0 0 0 0 0 0 0 0 0 0 0 0
41801- 14 14 14 42 42 42 82 82 82 18 18 18
41802- 2 2 6 2 2 6 2 2 6 10 10 10
41803- 94 94 94 182 182 182 218 218 218 242 242 242
41804-250 250 250 253 253 253 253 253 253 250 250 250
41805-234 234 234 253 253 253 253 253 253 253 253 253
41806-253 253 253 253 253 253 253 253 253 246 246 246
41807-238 238 238 226 226 226 210 210 210 202 202 202
41808-195 195 195 195 195 195 210 210 210 158 158 158
41809- 6 6 6 14 14 14 50 50 50 14 14 14
41810- 2 2 6 2 2 6 2 2 6 2 2 6
41811- 2 2 6 6 6 6 86 86 86 46 46 46
41812- 18 18 18 6 6 6 0 0 0 0 0 0
41813- 0 0 0 0 0 0 0 0 0 0 0 0
41814- 0 0 0 0 0 0 0 0 0 0 0 0
41815- 0 0 0 0 0 0 0 0 0 0 0 0
41816- 0 0 0 0 0 0 0 0 0 0 0 0
41817- 0 0 0 0 0 0 0 0 0 0 0 0
41818- 0 0 0 0 0 0 0 0 0 0 0 0
41819- 0 0 0 0 0 0 0 0 0 0 0 0
41820- 0 0 0 0 0 0 0 0 0 6 6 6
41821- 22 22 22 54 54 54 70 70 70 2 2 6
41822- 2 2 6 10 10 10 2 2 6 22 22 22
41823-166 166 166 231 231 231 250 250 250 253 253 253
41824-253 253 253 253 253 253 253 253 253 250 250 250
41825-242 242 242 253 253 253 253 253 253 253 253 253
41826-253 253 253 253 253 253 253 253 253 253 253 253
41827-253 253 253 253 253 253 253 253 253 246 246 246
41828-231 231 231 206 206 206 198 198 198 226 226 226
41829- 94 94 94 2 2 6 6 6 6 38 38 38
41830- 30 30 30 2 2 6 2 2 6 2 2 6
41831- 2 2 6 2 2 6 62 62 62 66 66 66
41832- 26 26 26 10 10 10 0 0 0 0 0 0
41833- 0 0 0 0 0 0 0 0 0 0 0 0
41834- 0 0 0 0 0 0 0 0 0 0 0 0
41835- 0 0 0 0 0 0 0 0 0 0 0 0
41836- 0 0 0 0 0 0 0 0 0 0 0 0
41837- 0 0 0 0 0 0 0 0 0 0 0 0
41838- 0 0 0 0 0 0 0 0 0 0 0 0
41839- 0 0 0 0 0 0 0 0 0 0 0 0
41840- 0 0 0 0 0 0 0 0 0 10 10 10
41841- 30 30 30 74 74 74 50 50 50 2 2 6
41842- 26 26 26 26 26 26 2 2 6 106 106 106
41843-238 238 238 253 253 253 253 253 253 253 253 253
41844-253 253 253 253 253 253 253 253 253 253 253 253
41845-253 253 253 253 253 253 253 253 253 253 253 253
41846-253 253 253 253 253 253 253 253 253 253 253 253
41847-253 253 253 253 253 253 253 253 253 253 253 253
41848-253 253 253 246 246 246 218 218 218 202 202 202
41849-210 210 210 14 14 14 2 2 6 2 2 6
41850- 30 30 30 22 22 22 2 2 6 2 2 6
41851- 2 2 6 2 2 6 18 18 18 86 86 86
41852- 42 42 42 14 14 14 0 0 0 0 0 0
41853- 0 0 0 0 0 0 0 0 0 0 0 0
41854- 0 0 0 0 0 0 0 0 0 0 0 0
41855- 0 0 0 0 0 0 0 0 0 0 0 0
41856- 0 0 0 0 0 0 0 0 0 0 0 0
41857- 0 0 0 0 0 0 0 0 0 0 0 0
41858- 0 0 0 0 0 0 0 0 0 0 0 0
41859- 0 0 0 0 0 0 0 0 0 0 0 0
41860- 0 0 0 0 0 0 0 0 0 14 14 14
41861- 42 42 42 90 90 90 22 22 22 2 2 6
41862- 42 42 42 2 2 6 18 18 18 218 218 218
41863-253 253 253 253 253 253 253 253 253 253 253 253
41864-253 253 253 253 253 253 253 253 253 253 253 253
41865-253 253 253 253 253 253 253 253 253 253 253 253
41866-253 253 253 253 253 253 253 253 253 253 253 253
41867-253 253 253 253 253 253 253 253 253 253 253 253
41868-253 253 253 253 253 253 250 250 250 221 221 221
41869-218 218 218 101 101 101 2 2 6 14 14 14
41870- 18 18 18 38 38 38 10 10 10 2 2 6
41871- 2 2 6 2 2 6 2 2 6 78 78 78
41872- 58 58 58 22 22 22 6 6 6 0 0 0
41873- 0 0 0 0 0 0 0 0 0 0 0 0
41874- 0 0 0 0 0 0 0 0 0 0 0 0
41875- 0 0 0 0 0 0 0 0 0 0 0 0
41876- 0 0 0 0 0 0 0 0 0 0 0 0
41877- 0 0 0 0 0 0 0 0 0 0 0 0
41878- 0 0 0 0 0 0 0 0 0 0 0 0
41879- 0 0 0 0 0 0 0 0 0 0 0 0
41880- 0 0 0 0 0 0 6 6 6 18 18 18
41881- 54 54 54 82 82 82 2 2 6 26 26 26
41882- 22 22 22 2 2 6 123 123 123 253 253 253
41883-253 253 253 253 253 253 253 253 253 253 253 253
41884-253 253 253 253 253 253 253 253 253 253 253 253
41885-253 253 253 253 253 253 253 253 253 253 253 253
41886-253 253 253 253 253 253 253 253 253 253 253 253
41887-253 253 253 253 253 253 253 253 253 253 253 253
41888-253 253 253 253 253 253 253 253 253 250 250 250
41889-238 238 238 198 198 198 6 6 6 38 38 38
41890- 58 58 58 26 26 26 38 38 38 2 2 6
41891- 2 2 6 2 2 6 2 2 6 46 46 46
41892- 78 78 78 30 30 30 10 10 10 0 0 0
41893- 0 0 0 0 0 0 0 0 0 0 0 0
41894- 0 0 0 0 0 0 0 0 0 0 0 0
41895- 0 0 0 0 0 0 0 0 0 0 0 0
41896- 0 0 0 0 0 0 0 0 0 0 0 0
41897- 0 0 0 0 0 0 0 0 0 0 0 0
41898- 0 0 0 0 0 0 0 0 0 0 0 0
41899- 0 0 0 0 0 0 0 0 0 0 0 0
41900- 0 0 0 0 0 0 10 10 10 30 30 30
41901- 74 74 74 58 58 58 2 2 6 42 42 42
41902- 2 2 6 22 22 22 231 231 231 253 253 253
41903-253 253 253 253 253 253 253 253 253 253 253 253
41904-253 253 253 253 253 253 253 253 253 250 250 250
41905-253 253 253 253 253 253 253 253 253 253 253 253
41906-253 253 253 253 253 253 253 253 253 253 253 253
41907-253 253 253 253 253 253 253 253 253 253 253 253
41908-253 253 253 253 253 253 253 253 253 253 253 253
41909-253 253 253 246 246 246 46 46 46 38 38 38
41910- 42 42 42 14 14 14 38 38 38 14 14 14
41911- 2 2 6 2 2 6 2 2 6 6 6 6
41912- 86 86 86 46 46 46 14 14 14 0 0 0
41913- 0 0 0 0 0 0 0 0 0 0 0 0
41914- 0 0 0 0 0 0 0 0 0 0 0 0
41915- 0 0 0 0 0 0 0 0 0 0 0 0
41916- 0 0 0 0 0 0 0 0 0 0 0 0
41917- 0 0 0 0 0 0 0 0 0 0 0 0
41918- 0 0 0 0 0 0 0 0 0 0 0 0
41919- 0 0 0 0 0 0 0 0 0 0 0 0
41920- 0 0 0 6 6 6 14 14 14 42 42 42
41921- 90 90 90 18 18 18 18 18 18 26 26 26
41922- 2 2 6 116 116 116 253 253 253 253 253 253
41923-253 253 253 253 253 253 253 253 253 253 253 253
41924-253 253 253 253 253 253 250 250 250 238 238 238
41925-253 253 253 253 253 253 253 253 253 253 253 253
41926-253 253 253 253 253 253 253 253 253 253 253 253
41927-253 253 253 253 253 253 253 253 253 253 253 253
41928-253 253 253 253 253 253 253 253 253 253 253 253
41929-253 253 253 253 253 253 94 94 94 6 6 6
41930- 2 2 6 2 2 6 10 10 10 34 34 34
41931- 2 2 6 2 2 6 2 2 6 2 2 6
41932- 74 74 74 58 58 58 22 22 22 6 6 6
41933- 0 0 0 0 0 0 0 0 0 0 0 0
41934- 0 0 0 0 0 0 0 0 0 0 0 0
41935- 0 0 0 0 0 0 0 0 0 0 0 0
41936- 0 0 0 0 0 0 0 0 0 0 0 0
41937- 0 0 0 0 0 0 0 0 0 0 0 0
41938- 0 0 0 0 0 0 0 0 0 0 0 0
41939- 0 0 0 0 0 0 0 0 0 0 0 0
41940- 0 0 0 10 10 10 26 26 26 66 66 66
41941- 82 82 82 2 2 6 38 38 38 6 6 6
41942- 14 14 14 210 210 210 253 253 253 253 253 253
41943-253 253 253 253 253 253 253 253 253 253 253 253
41944-253 253 253 253 253 253 246 246 246 242 242 242
41945-253 253 253 253 253 253 253 253 253 253 253 253
41946-253 253 253 253 253 253 253 253 253 253 253 253
41947-253 253 253 253 253 253 253 253 253 253 253 253
41948-253 253 253 253 253 253 253 253 253 253 253 253
41949-253 253 253 253 253 253 144 144 144 2 2 6
41950- 2 2 6 2 2 6 2 2 6 46 46 46
41951- 2 2 6 2 2 6 2 2 6 2 2 6
41952- 42 42 42 74 74 74 30 30 30 10 10 10
41953- 0 0 0 0 0 0 0 0 0 0 0 0
41954- 0 0 0 0 0 0 0 0 0 0 0 0
41955- 0 0 0 0 0 0 0 0 0 0 0 0
41956- 0 0 0 0 0 0 0 0 0 0 0 0
41957- 0 0 0 0 0 0 0 0 0 0 0 0
41958- 0 0 0 0 0 0 0 0 0 0 0 0
41959- 0 0 0 0 0 0 0 0 0 0 0 0
41960- 6 6 6 14 14 14 42 42 42 90 90 90
41961- 26 26 26 6 6 6 42 42 42 2 2 6
41962- 74 74 74 250 250 250 253 253 253 253 253 253
41963-253 253 253 253 253 253 253 253 253 253 253 253
41964-253 253 253 253 253 253 242 242 242 242 242 242
41965-253 253 253 253 253 253 253 253 253 253 253 253
41966-253 253 253 253 253 253 253 253 253 253 253 253
41967-253 253 253 253 253 253 253 253 253 253 253 253
41968-253 253 253 253 253 253 253 253 253 253 253 253
41969-253 253 253 253 253 253 182 182 182 2 2 6
41970- 2 2 6 2 2 6 2 2 6 46 46 46
41971- 2 2 6 2 2 6 2 2 6 2 2 6
41972- 10 10 10 86 86 86 38 38 38 10 10 10
41973- 0 0 0 0 0 0 0 0 0 0 0 0
41974- 0 0 0 0 0 0 0 0 0 0 0 0
41975- 0 0 0 0 0 0 0 0 0 0 0 0
41976- 0 0 0 0 0 0 0 0 0 0 0 0
41977- 0 0 0 0 0 0 0 0 0 0 0 0
41978- 0 0 0 0 0 0 0 0 0 0 0 0
41979- 0 0 0 0 0 0 0 0 0 0 0 0
41980- 10 10 10 26 26 26 66 66 66 82 82 82
41981- 2 2 6 22 22 22 18 18 18 2 2 6
41982-149 149 149 253 253 253 253 253 253 253 253 253
41983-253 253 253 253 253 253 253 253 253 253 253 253
41984-253 253 253 253 253 253 234 234 234 242 242 242
41985-253 253 253 253 253 253 253 253 253 253 253 253
41986-253 253 253 253 253 253 253 253 253 253 253 253
41987-253 253 253 253 253 253 253 253 253 253 253 253
41988-253 253 253 253 253 253 253 253 253 253 253 253
41989-253 253 253 253 253 253 206 206 206 2 2 6
41990- 2 2 6 2 2 6 2 2 6 38 38 38
41991- 2 2 6 2 2 6 2 2 6 2 2 6
41992- 6 6 6 86 86 86 46 46 46 14 14 14
41993- 0 0 0 0 0 0 0 0 0 0 0 0
41994- 0 0 0 0 0 0 0 0 0 0 0 0
41995- 0 0 0 0 0 0 0 0 0 0 0 0
41996- 0 0 0 0 0 0 0 0 0 0 0 0
41997- 0 0 0 0 0 0 0 0 0 0 0 0
41998- 0 0 0 0 0 0 0 0 0 0 0 0
41999- 0 0 0 0 0 0 0 0 0 6 6 6
42000- 18 18 18 46 46 46 86 86 86 18 18 18
42001- 2 2 6 34 34 34 10 10 10 6 6 6
42002-210 210 210 253 253 253 253 253 253 253 253 253
42003-253 253 253 253 253 253 253 253 253 253 253 253
42004-253 253 253 253 253 253 234 234 234 242 242 242
42005-253 253 253 253 253 253 253 253 253 253 253 253
42006-253 253 253 253 253 253 253 253 253 253 253 253
42007-253 253 253 253 253 253 253 253 253 253 253 253
42008-253 253 253 253 253 253 253 253 253 253 253 253
42009-253 253 253 253 253 253 221 221 221 6 6 6
42010- 2 2 6 2 2 6 6 6 6 30 30 30
42011- 2 2 6 2 2 6 2 2 6 2 2 6
42012- 2 2 6 82 82 82 54 54 54 18 18 18
42013- 6 6 6 0 0 0 0 0 0 0 0 0
42014- 0 0 0 0 0 0 0 0 0 0 0 0
42015- 0 0 0 0 0 0 0 0 0 0 0 0
42016- 0 0 0 0 0 0 0 0 0 0 0 0
42017- 0 0 0 0 0 0 0 0 0 0 0 0
42018- 0 0 0 0 0 0 0 0 0 0 0 0
42019- 0 0 0 0 0 0 0 0 0 10 10 10
42020- 26 26 26 66 66 66 62 62 62 2 2 6
42021- 2 2 6 38 38 38 10 10 10 26 26 26
42022-238 238 238 253 253 253 253 253 253 253 253 253
42023-253 253 253 253 253 253 253 253 253 253 253 253
42024-253 253 253 253 253 253 231 231 231 238 238 238
42025-253 253 253 253 253 253 253 253 253 253 253 253
42026-253 253 253 253 253 253 253 253 253 253 253 253
42027-253 253 253 253 253 253 253 253 253 253 253 253
42028-253 253 253 253 253 253 253 253 253 253 253 253
42029-253 253 253 253 253 253 231 231 231 6 6 6
42030- 2 2 6 2 2 6 10 10 10 30 30 30
42031- 2 2 6 2 2 6 2 2 6 2 2 6
42032- 2 2 6 66 66 66 58 58 58 22 22 22
42033- 6 6 6 0 0 0 0 0 0 0 0 0
42034- 0 0 0 0 0 0 0 0 0 0 0 0
42035- 0 0 0 0 0 0 0 0 0 0 0 0
42036- 0 0 0 0 0 0 0 0 0 0 0 0
42037- 0 0 0 0 0 0 0 0 0 0 0 0
42038- 0 0 0 0 0 0 0 0 0 0 0 0
42039- 0 0 0 0 0 0 0 0 0 10 10 10
42040- 38 38 38 78 78 78 6 6 6 2 2 6
42041- 2 2 6 46 46 46 14 14 14 42 42 42
42042-246 246 246 253 253 253 253 253 253 253 253 253
42043-253 253 253 253 253 253 253 253 253 253 253 253
42044-253 253 253 253 253 253 231 231 231 242 242 242
42045-253 253 253 253 253 253 253 253 253 253 253 253
42046-253 253 253 253 253 253 253 253 253 253 253 253
42047-253 253 253 253 253 253 253 253 253 253 253 253
42048-253 253 253 253 253 253 253 253 253 253 253 253
42049-253 253 253 253 253 253 234 234 234 10 10 10
42050- 2 2 6 2 2 6 22 22 22 14 14 14
42051- 2 2 6 2 2 6 2 2 6 2 2 6
42052- 2 2 6 66 66 66 62 62 62 22 22 22
42053- 6 6 6 0 0 0 0 0 0 0 0 0
42054- 0 0 0 0 0 0 0 0 0 0 0 0
42055- 0 0 0 0 0 0 0 0 0 0 0 0
42056- 0 0 0 0 0 0 0 0 0 0 0 0
42057- 0 0 0 0 0 0 0 0 0 0 0 0
42058- 0 0 0 0 0 0 0 0 0 0 0 0
42059- 0 0 0 0 0 0 6 6 6 18 18 18
42060- 50 50 50 74 74 74 2 2 6 2 2 6
42061- 14 14 14 70 70 70 34 34 34 62 62 62
42062-250 250 250 253 253 253 253 253 253 253 253 253
42063-253 253 253 253 253 253 253 253 253 253 253 253
42064-253 253 253 253 253 253 231 231 231 246 246 246
42065-253 253 253 253 253 253 253 253 253 253 253 253
42066-253 253 253 253 253 253 253 253 253 253 253 253
42067-253 253 253 253 253 253 253 253 253 253 253 253
42068-253 253 253 253 253 253 253 253 253 253 253 253
42069-253 253 253 253 253 253 234 234 234 14 14 14
42070- 2 2 6 2 2 6 30 30 30 2 2 6
42071- 2 2 6 2 2 6 2 2 6 2 2 6
42072- 2 2 6 66 66 66 62 62 62 22 22 22
42073- 6 6 6 0 0 0 0 0 0 0 0 0
42074- 0 0 0 0 0 0 0 0 0 0 0 0
42075- 0 0 0 0 0 0 0 0 0 0 0 0
42076- 0 0 0 0 0 0 0 0 0 0 0 0
42077- 0 0 0 0 0 0 0 0 0 0 0 0
42078- 0 0 0 0 0 0 0 0 0 0 0 0
42079- 0 0 0 0 0 0 6 6 6 18 18 18
42080- 54 54 54 62 62 62 2 2 6 2 2 6
42081- 2 2 6 30 30 30 46 46 46 70 70 70
42082-250 250 250 253 253 253 253 253 253 253 253 253
42083-253 253 253 253 253 253 253 253 253 253 253 253
42084-253 253 253 253 253 253 231 231 231 246 246 246
42085-253 253 253 253 253 253 253 253 253 253 253 253
42086-253 253 253 253 253 253 253 253 253 253 253 253
42087-253 253 253 253 253 253 253 253 253 253 253 253
42088-253 253 253 253 253 253 253 253 253 253 253 253
42089-253 253 253 253 253 253 226 226 226 10 10 10
42090- 2 2 6 6 6 6 30 30 30 2 2 6
42091- 2 2 6 2 2 6 2 2 6 2 2 6
42092- 2 2 6 66 66 66 58 58 58 22 22 22
42093- 6 6 6 0 0 0 0 0 0 0 0 0
42094- 0 0 0 0 0 0 0 0 0 0 0 0
42095- 0 0 0 0 0 0 0 0 0 0 0 0
42096- 0 0 0 0 0 0 0 0 0 0 0 0
42097- 0 0 0 0 0 0 0 0 0 0 0 0
42098- 0 0 0 0 0 0 0 0 0 0 0 0
42099- 0 0 0 0 0 0 6 6 6 22 22 22
42100- 58 58 58 62 62 62 2 2 6 2 2 6
42101- 2 2 6 2 2 6 30 30 30 78 78 78
42102-250 250 250 253 253 253 253 253 253 253 253 253
42103-253 253 253 253 253 253 253 253 253 253 253 253
42104-253 253 253 253 253 253 231 231 231 246 246 246
42105-253 253 253 253 253 253 253 253 253 253 253 253
42106-253 253 253 253 253 253 253 253 253 253 253 253
42107-253 253 253 253 253 253 253 253 253 253 253 253
42108-253 253 253 253 253 253 253 253 253 253 253 253
42109-253 253 253 253 253 253 206 206 206 2 2 6
42110- 22 22 22 34 34 34 18 14 6 22 22 22
42111- 26 26 26 18 18 18 6 6 6 2 2 6
42112- 2 2 6 82 82 82 54 54 54 18 18 18
42113- 6 6 6 0 0 0 0 0 0 0 0 0
42114- 0 0 0 0 0 0 0 0 0 0 0 0
42115- 0 0 0 0 0 0 0 0 0 0 0 0
42116- 0 0 0 0 0 0 0 0 0 0 0 0
42117- 0 0 0 0 0 0 0 0 0 0 0 0
42118- 0 0 0 0 0 0 0 0 0 0 0 0
42119- 0 0 0 0 0 0 6 6 6 26 26 26
42120- 62 62 62 106 106 106 74 54 14 185 133 11
42121-210 162 10 121 92 8 6 6 6 62 62 62
42122-238 238 238 253 253 253 253 253 253 253 253 253
42123-253 253 253 253 253 253 253 253 253 253 253 253
42124-253 253 253 253 253 253 231 231 231 246 246 246
42125-253 253 253 253 253 253 253 253 253 253 253 253
42126-253 253 253 253 253 253 253 253 253 253 253 253
42127-253 253 253 253 253 253 253 253 253 253 253 253
42128-253 253 253 253 253 253 253 253 253 253 253 253
42129-253 253 253 253 253 253 158 158 158 18 18 18
42130- 14 14 14 2 2 6 2 2 6 2 2 6
42131- 6 6 6 18 18 18 66 66 66 38 38 38
42132- 6 6 6 94 94 94 50 50 50 18 18 18
42133- 6 6 6 0 0 0 0 0 0 0 0 0
42134- 0 0 0 0 0 0 0 0 0 0 0 0
42135- 0 0 0 0 0 0 0 0 0 0 0 0
42136- 0 0 0 0 0 0 0 0 0 0 0 0
42137- 0 0 0 0 0 0 0 0 0 0 0 0
42138- 0 0 0 0 0 0 0 0 0 6 6 6
42139- 10 10 10 10 10 10 18 18 18 38 38 38
42140- 78 78 78 142 134 106 216 158 10 242 186 14
42141-246 190 14 246 190 14 156 118 10 10 10 10
42142- 90 90 90 238 238 238 253 253 253 253 253 253
42143-253 253 253 253 253 253 253 253 253 253 253 253
42144-253 253 253 253 253 253 231 231 231 250 250 250
42145-253 253 253 253 253 253 253 253 253 253 253 253
42146-253 253 253 253 253 253 253 253 253 253 253 253
42147-253 253 253 253 253 253 253 253 253 253 253 253
42148-253 253 253 253 253 253 253 253 253 246 230 190
42149-238 204 91 238 204 91 181 142 44 37 26 9
42150- 2 2 6 2 2 6 2 2 6 2 2 6
42151- 2 2 6 2 2 6 38 38 38 46 46 46
42152- 26 26 26 106 106 106 54 54 54 18 18 18
42153- 6 6 6 0 0 0 0 0 0 0 0 0
42154- 0 0 0 0 0 0 0 0 0 0 0 0
42155- 0 0 0 0 0 0 0 0 0 0 0 0
42156- 0 0 0 0 0 0 0 0 0 0 0 0
42157- 0 0 0 0 0 0 0 0 0 0 0 0
42158- 0 0 0 6 6 6 14 14 14 22 22 22
42159- 30 30 30 38 38 38 50 50 50 70 70 70
42160-106 106 106 190 142 34 226 170 11 242 186 14
42161-246 190 14 246 190 14 246 190 14 154 114 10
42162- 6 6 6 74 74 74 226 226 226 253 253 253
42163-253 253 253 253 253 253 253 253 253 253 253 253
42164-253 253 253 253 253 253 231 231 231 250 250 250
42165-253 253 253 253 253 253 253 253 253 253 253 253
42166-253 253 253 253 253 253 253 253 253 253 253 253
42167-253 253 253 253 253 253 253 253 253 253 253 253
42168-253 253 253 253 253 253 253 253 253 228 184 62
42169-241 196 14 241 208 19 232 195 16 38 30 10
42170- 2 2 6 2 2 6 2 2 6 2 2 6
42171- 2 2 6 6 6 6 30 30 30 26 26 26
42172-203 166 17 154 142 90 66 66 66 26 26 26
42173- 6 6 6 0 0 0 0 0 0 0 0 0
42174- 0 0 0 0 0 0 0 0 0 0 0 0
42175- 0 0 0 0 0 0 0 0 0 0 0 0
42176- 0 0 0 0 0 0 0 0 0 0 0 0
42177- 0 0 0 0 0 0 0 0 0 0 0 0
42178- 6 6 6 18 18 18 38 38 38 58 58 58
42179- 78 78 78 86 86 86 101 101 101 123 123 123
42180-175 146 61 210 150 10 234 174 13 246 186 14
42181-246 190 14 246 190 14 246 190 14 238 190 10
42182-102 78 10 2 2 6 46 46 46 198 198 198
42183-253 253 253 253 253 253 253 253 253 253 253 253
42184-253 253 253 253 253 253 234 234 234 242 242 242
42185-253 253 253 253 253 253 253 253 253 253 253 253
42186-253 253 253 253 253 253 253 253 253 253 253 253
42187-253 253 253 253 253 253 253 253 253 253 253 253
42188-253 253 253 253 253 253 253 253 253 224 178 62
42189-242 186 14 241 196 14 210 166 10 22 18 6
42190- 2 2 6 2 2 6 2 2 6 2 2 6
42191- 2 2 6 2 2 6 6 6 6 121 92 8
42192-238 202 15 232 195 16 82 82 82 34 34 34
42193- 10 10 10 0 0 0 0 0 0 0 0 0
42194- 0 0 0 0 0 0 0 0 0 0 0 0
42195- 0 0 0 0 0 0 0 0 0 0 0 0
42196- 0 0 0 0 0 0 0 0 0 0 0 0
42197- 0 0 0 0 0 0 0 0 0 0 0 0
42198- 14 14 14 38 38 38 70 70 70 154 122 46
42199-190 142 34 200 144 11 197 138 11 197 138 11
42200-213 154 11 226 170 11 242 186 14 246 190 14
42201-246 190 14 246 190 14 246 190 14 246 190 14
42202-225 175 15 46 32 6 2 2 6 22 22 22
42203-158 158 158 250 250 250 253 253 253 253 253 253
42204-253 253 253 253 253 253 253 253 253 253 253 253
42205-253 253 253 253 253 253 253 253 253 253 253 253
42206-253 253 253 253 253 253 253 253 253 253 253 253
42207-253 253 253 253 253 253 253 253 253 253 253 253
42208-253 253 253 250 250 250 242 242 242 224 178 62
42209-239 182 13 236 186 11 213 154 11 46 32 6
42210- 2 2 6 2 2 6 2 2 6 2 2 6
42211- 2 2 6 2 2 6 61 42 6 225 175 15
42212-238 190 10 236 186 11 112 100 78 42 42 42
42213- 14 14 14 0 0 0 0 0 0 0 0 0
42214- 0 0 0 0 0 0 0 0 0 0 0 0
42215- 0 0 0 0 0 0 0 0 0 0 0 0
42216- 0 0 0 0 0 0 0 0 0 0 0 0
42217- 0 0 0 0 0 0 0 0 0 6 6 6
42218- 22 22 22 54 54 54 154 122 46 213 154 11
42219-226 170 11 230 174 11 226 170 11 226 170 11
42220-236 178 12 242 186 14 246 190 14 246 190 14
42221-246 190 14 246 190 14 246 190 14 246 190 14
42222-241 196 14 184 144 12 10 10 10 2 2 6
42223- 6 6 6 116 116 116 242 242 242 253 253 253
42224-253 253 253 253 253 253 253 253 253 253 253 253
42225-253 253 253 253 253 253 253 253 253 253 253 253
42226-253 253 253 253 253 253 253 253 253 253 253 253
42227-253 253 253 253 253 253 253 253 253 253 253 253
42228-253 253 253 231 231 231 198 198 198 214 170 54
42229-236 178 12 236 178 12 210 150 10 137 92 6
42230- 18 14 6 2 2 6 2 2 6 2 2 6
42231- 6 6 6 70 47 6 200 144 11 236 178 12
42232-239 182 13 239 182 13 124 112 88 58 58 58
42233- 22 22 22 6 6 6 0 0 0 0 0 0
42234- 0 0 0 0 0 0 0 0 0 0 0 0
42235- 0 0 0 0 0 0 0 0 0 0 0 0
42236- 0 0 0 0 0 0 0 0 0 0 0 0
42237- 0 0 0 0 0 0 0 0 0 10 10 10
42238- 30 30 30 70 70 70 180 133 36 226 170 11
42239-239 182 13 242 186 14 242 186 14 246 186 14
42240-246 190 14 246 190 14 246 190 14 246 190 14
42241-246 190 14 246 190 14 246 190 14 246 190 14
42242-246 190 14 232 195 16 98 70 6 2 2 6
42243- 2 2 6 2 2 6 66 66 66 221 221 221
42244-253 253 253 253 253 253 253 253 253 253 253 253
42245-253 253 253 253 253 253 253 253 253 253 253 253
42246-253 253 253 253 253 253 253 253 253 253 253 253
42247-253 253 253 253 253 253 253 253 253 253 253 253
42248-253 253 253 206 206 206 198 198 198 214 166 58
42249-230 174 11 230 174 11 216 158 10 192 133 9
42250-163 110 8 116 81 8 102 78 10 116 81 8
42251-167 114 7 197 138 11 226 170 11 239 182 13
42252-242 186 14 242 186 14 162 146 94 78 78 78
42253- 34 34 34 14 14 14 6 6 6 0 0 0
42254- 0 0 0 0 0 0 0 0 0 0 0 0
42255- 0 0 0 0 0 0 0 0 0 0 0 0
42256- 0 0 0 0 0 0 0 0 0 0 0 0
42257- 0 0 0 0 0 0 0 0 0 6 6 6
42258- 30 30 30 78 78 78 190 142 34 226 170 11
42259-239 182 13 246 190 14 246 190 14 246 190 14
42260-246 190 14 246 190 14 246 190 14 246 190 14
42261-246 190 14 246 190 14 246 190 14 246 190 14
42262-246 190 14 241 196 14 203 166 17 22 18 6
42263- 2 2 6 2 2 6 2 2 6 38 38 38
42264-218 218 218 253 253 253 253 253 253 253 253 253
42265-253 253 253 253 253 253 253 253 253 253 253 253
42266-253 253 253 253 253 253 253 253 253 253 253 253
42267-253 253 253 253 253 253 253 253 253 253 253 253
42268-250 250 250 206 206 206 198 198 198 202 162 69
42269-226 170 11 236 178 12 224 166 10 210 150 10
42270-200 144 11 197 138 11 192 133 9 197 138 11
42271-210 150 10 226 170 11 242 186 14 246 190 14
42272-246 190 14 246 186 14 225 175 15 124 112 88
42273- 62 62 62 30 30 30 14 14 14 6 6 6
42274- 0 0 0 0 0 0 0 0 0 0 0 0
42275- 0 0 0 0 0 0 0 0 0 0 0 0
42276- 0 0 0 0 0 0 0 0 0 0 0 0
42277- 0 0 0 0 0 0 0 0 0 10 10 10
42278- 30 30 30 78 78 78 174 135 50 224 166 10
42279-239 182 13 246 190 14 246 190 14 246 190 14
42280-246 190 14 246 190 14 246 190 14 246 190 14
42281-246 190 14 246 190 14 246 190 14 246 190 14
42282-246 190 14 246 190 14 241 196 14 139 102 15
42283- 2 2 6 2 2 6 2 2 6 2 2 6
42284- 78 78 78 250 250 250 253 253 253 253 253 253
42285-253 253 253 253 253 253 253 253 253 253 253 253
42286-253 253 253 253 253 253 253 253 253 253 253 253
42287-253 253 253 253 253 253 253 253 253 253 253 253
42288-250 250 250 214 214 214 198 198 198 190 150 46
42289-219 162 10 236 178 12 234 174 13 224 166 10
42290-216 158 10 213 154 11 213 154 11 216 158 10
42291-226 170 11 239 182 13 246 190 14 246 190 14
42292-246 190 14 246 190 14 242 186 14 206 162 42
42293-101 101 101 58 58 58 30 30 30 14 14 14
42294- 6 6 6 0 0 0 0 0 0 0 0 0
42295- 0 0 0 0 0 0 0 0 0 0 0 0
42296- 0 0 0 0 0 0 0 0 0 0 0 0
42297- 0 0 0 0 0 0 0 0 0 10 10 10
42298- 30 30 30 74 74 74 174 135 50 216 158 10
42299-236 178 12 246 190 14 246 190 14 246 190 14
42300-246 190 14 246 190 14 246 190 14 246 190 14
42301-246 190 14 246 190 14 246 190 14 246 190 14
42302-246 190 14 246 190 14 241 196 14 226 184 13
42303- 61 42 6 2 2 6 2 2 6 2 2 6
42304- 22 22 22 238 238 238 253 253 253 253 253 253
42305-253 253 253 253 253 253 253 253 253 253 253 253
42306-253 253 253 253 253 253 253 253 253 253 253 253
42307-253 253 253 253 253 253 253 253 253 253 253 253
42308-253 253 253 226 226 226 187 187 187 180 133 36
42309-216 158 10 236 178 12 239 182 13 236 178 12
42310-230 174 11 226 170 11 226 170 11 230 174 11
42311-236 178 12 242 186 14 246 190 14 246 190 14
42312-246 190 14 246 190 14 246 186 14 239 182 13
42313-206 162 42 106 106 106 66 66 66 34 34 34
42314- 14 14 14 6 6 6 0 0 0 0 0 0
42315- 0 0 0 0 0 0 0 0 0 0 0 0
42316- 0 0 0 0 0 0 0 0 0 0 0 0
42317- 0 0 0 0 0 0 0 0 0 6 6 6
42318- 26 26 26 70 70 70 163 133 67 213 154 11
42319-236 178 12 246 190 14 246 190 14 246 190 14
42320-246 190 14 246 190 14 246 190 14 246 190 14
42321-246 190 14 246 190 14 246 190 14 246 190 14
42322-246 190 14 246 190 14 246 190 14 241 196 14
42323-190 146 13 18 14 6 2 2 6 2 2 6
42324- 46 46 46 246 246 246 253 253 253 253 253 253
42325-253 253 253 253 253 253 253 253 253 253 253 253
42326-253 253 253 253 253 253 253 253 253 253 253 253
42327-253 253 253 253 253 253 253 253 253 253 253 253
42328-253 253 253 221 221 221 86 86 86 156 107 11
42329-216 158 10 236 178 12 242 186 14 246 186 14
42330-242 186 14 239 182 13 239 182 13 242 186 14
42331-242 186 14 246 186 14 246 190 14 246 190 14
42332-246 190 14 246 190 14 246 190 14 246 190 14
42333-242 186 14 225 175 15 142 122 72 66 66 66
42334- 30 30 30 10 10 10 0 0 0 0 0 0
42335- 0 0 0 0 0 0 0 0 0 0 0 0
42336- 0 0 0 0 0 0 0 0 0 0 0 0
42337- 0 0 0 0 0 0 0 0 0 6 6 6
42338- 26 26 26 70 70 70 163 133 67 210 150 10
42339-236 178 12 246 190 14 246 190 14 246 190 14
42340-246 190 14 246 190 14 246 190 14 246 190 14
42341-246 190 14 246 190 14 246 190 14 246 190 14
42342-246 190 14 246 190 14 246 190 14 246 190 14
42343-232 195 16 121 92 8 34 34 34 106 106 106
42344-221 221 221 253 253 253 253 253 253 253 253 253
42345-253 253 253 253 253 253 253 253 253 253 253 253
42346-253 253 253 253 253 253 253 253 253 253 253 253
42347-253 253 253 253 253 253 253 253 253 253 253 253
42348-242 242 242 82 82 82 18 14 6 163 110 8
42349-216 158 10 236 178 12 242 186 14 246 190 14
42350-246 190 14 246 190 14 246 190 14 246 190 14
42351-246 190 14 246 190 14 246 190 14 246 190 14
42352-246 190 14 246 190 14 246 190 14 246 190 14
42353-246 190 14 246 190 14 242 186 14 163 133 67
42354- 46 46 46 18 18 18 6 6 6 0 0 0
42355- 0 0 0 0 0 0 0 0 0 0 0 0
42356- 0 0 0 0 0 0 0 0 0 0 0 0
42357- 0 0 0 0 0 0 0 0 0 10 10 10
42358- 30 30 30 78 78 78 163 133 67 210 150 10
42359-236 178 12 246 186 14 246 190 14 246 190 14
42360-246 190 14 246 190 14 246 190 14 246 190 14
42361-246 190 14 246 190 14 246 190 14 246 190 14
42362-246 190 14 246 190 14 246 190 14 246 190 14
42363-241 196 14 215 174 15 190 178 144 253 253 253
42364-253 253 253 253 253 253 253 253 253 253 253 253
42365-253 253 253 253 253 253 253 253 253 253 253 253
42366-253 253 253 253 253 253 253 253 253 253 253 253
42367-253 253 253 253 253 253 253 253 253 218 218 218
42368- 58 58 58 2 2 6 22 18 6 167 114 7
42369-216 158 10 236 178 12 246 186 14 246 190 14
42370-246 190 14 246 190 14 246 190 14 246 190 14
42371-246 190 14 246 190 14 246 190 14 246 190 14
42372-246 190 14 246 190 14 246 190 14 246 190 14
42373-246 190 14 246 186 14 242 186 14 190 150 46
42374- 54 54 54 22 22 22 6 6 6 0 0 0
42375- 0 0 0 0 0 0 0 0 0 0 0 0
42376- 0 0 0 0 0 0 0 0 0 0 0 0
42377- 0 0 0 0 0 0 0 0 0 14 14 14
42378- 38 38 38 86 86 86 180 133 36 213 154 11
42379-236 178 12 246 186 14 246 190 14 246 190 14
42380-246 190 14 246 190 14 246 190 14 246 190 14
42381-246 190 14 246 190 14 246 190 14 246 190 14
42382-246 190 14 246 190 14 246 190 14 246 190 14
42383-246 190 14 232 195 16 190 146 13 214 214 214
42384-253 253 253 253 253 253 253 253 253 253 253 253
42385-253 253 253 253 253 253 253 253 253 253 253 253
42386-253 253 253 253 253 253 253 253 253 253 253 253
42387-253 253 253 250 250 250 170 170 170 26 26 26
42388- 2 2 6 2 2 6 37 26 9 163 110 8
42389-219 162 10 239 182 13 246 186 14 246 190 14
42390-246 190 14 246 190 14 246 190 14 246 190 14
42391-246 190 14 246 190 14 246 190 14 246 190 14
42392-246 190 14 246 190 14 246 190 14 246 190 14
42393-246 186 14 236 178 12 224 166 10 142 122 72
42394- 46 46 46 18 18 18 6 6 6 0 0 0
42395- 0 0 0 0 0 0 0 0 0 0 0 0
42396- 0 0 0 0 0 0 0 0 0 0 0 0
42397- 0 0 0 0 0 0 6 6 6 18 18 18
42398- 50 50 50 109 106 95 192 133 9 224 166 10
42399-242 186 14 246 190 14 246 190 14 246 190 14
42400-246 190 14 246 190 14 246 190 14 246 190 14
42401-246 190 14 246 190 14 246 190 14 246 190 14
42402-246 190 14 246 190 14 246 190 14 246 190 14
42403-242 186 14 226 184 13 210 162 10 142 110 46
42404-226 226 226 253 253 253 253 253 253 253 253 253
42405-253 253 253 253 253 253 253 253 253 253 253 253
42406-253 253 253 253 253 253 253 253 253 253 253 253
42407-198 198 198 66 66 66 2 2 6 2 2 6
42408- 2 2 6 2 2 6 50 34 6 156 107 11
42409-219 162 10 239 182 13 246 186 14 246 190 14
42410-246 190 14 246 190 14 246 190 14 246 190 14
42411-246 190 14 246 190 14 246 190 14 246 190 14
42412-246 190 14 246 190 14 246 190 14 242 186 14
42413-234 174 13 213 154 11 154 122 46 66 66 66
42414- 30 30 30 10 10 10 0 0 0 0 0 0
42415- 0 0 0 0 0 0 0 0 0 0 0 0
42416- 0 0 0 0 0 0 0 0 0 0 0 0
42417- 0 0 0 0 0 0 6 6 6 22 22 22
42418- 58 58 58 154 121 60 206 145 10 234 174 13
42419-242 186 14 246 186 14 246 190 14 246 190 14
42420-246 190 14 246 190 14 246 190 14 246 190 14
42421-246 190 14 246 190 14 246 190 14 246 190 14
42422-246 190 14 246 190 14 246 190 14 246 190 14
42423-246 186 14 236 178 12 210 162 10 163 110 8
42424- 61 42 6 138 138 138 218 218 218 250 250 250
42425-253 253 253 253 253 253 253 253 253 250 250 250
42426-242 242 242 210 210 210 144 144 144 66 66 66
42427- 6 6 6 2 2 6 2 2 6 2 2 6
42428- 2 2 6 2 2 6 61 42 6 163 110 8
42429-216 158 10 236 178 12 246 190 14 246 190 14
42430-246 190 14 246 190 14 246 190 14 246 190 14
42431-246 190 14 246 190 14 246 190 14 246 190 14
42432-246 190 14 239 182 13 230 174 11 216 158 10
42433-190 142 34 124 112 88 70 70 70 38 38 38
42434- 18 18 18 6 6 6 0 0 0 0 0 0
42435- 0 0 0 0 0 0 0 0 0 0 0 0
42436- 0 0 0 0 0 0 0 0 0 0 0 0
42437- 0 0 0 0 0 0 6 6 6 22 22 22
42438- 62 62 62 168 124 44 206 145 10 224 166 10
42439-236 178 12 239 182 13 242 186 14 242 186 14
42440-246 186 14 246 190 14 246 190 14 246 190 14
42441-246 190 14 246 190 14 246 190 14 246 190 14
42442-246 190 14 246 190 14 246 190 14 246 190 14
42443-246 190 14 236 178 12 216 158 10 175 118 6
42444- 80 54 7 2 2 6 6 6 6 30 30 30
42445- 54 54 54 62 62 62 50 50 50 38 38 38
42446- 14 14 14 2 2 6 2 2 6 2 2 6
42447- 2 2 6 2 2 6 2 2 6 2 2 6
42448- 2 2 6 6 6 6 80 54 7 167 114 7
42449-213 154 11 236 178 12 246 190 14 246 190 14
42450-246 190 14 246 190 14 246 190 14 246 190 14
42451-246 190 14 242 186 14 239 182 13 239 182 13
42452-230 174 11 210 150 10 174 135 50 124 112 88
42453- 82 82 82 54 54 54 34 34 34 18 18 18
42454- 6 6 6 0 0 0 0 0 0 0 0 0
42455- 0 0 0 0 0 0 0 0 0 0 0 0
42456- 0 0 0 0 0 0 0 0 0 0 0 0
42457- 0 0 0 0 0 0 6 6 6 18 18 18
42458- 50 50 50 158 118 36 192 133 9 200 144 11
42459-216 158 10 219 162 10 224 166 10 226 170 11
42460-230 174 11 236 178 12 239 182 13 239 182 13
42461-242 186 14 246 186 14 246 190 14 246 190 14
42462-246 190 14 246 190 14 246 190 14 246 190 14
42463-246 186 14 230 174 11 210 150 10 163 110 8
42464-104 69 6 10 10 10 2 2 6 2 2 6
42465- 2 2 6 2 2 6 2 2 6 2 2 6
42466- 2 2 6 2 2 6 2 2 6 2 2 6
42467- 2 2 6 2 2 6 2 2 6 2 2 6
42468- 2 2 6 6 6 6 91 60 6 167 114 7
42469-206 145 10 230 174 11 242 186 14 246 190 14
42470-246 190 14 246 190 14 246 186 14 242 186 14
42471-239 182 13 230 174 11 224 166 10 213 154 11
42472-180 133 36 124 112 88 86 86 86 58 58 58
42473- 38 38 38 22 22 22 10 10 10 6 6 6
42474- 0 0 0 0 0 0 0 0 0 0 0 0
42475- 0 0 0 0 0 0 0 0 0 0 0 0
42476- 0 0 0 0 0 0 0 0 0 0 0 0
42477- 0 0 0 0 0 0 0 0 0 14 14 14
42478- 34 34 34 70 70 70 138 110 50 158 118 36
42479-167 114 7 180 123 7 192 133 9 197 138 11
42480-200 144 11 206 145 10 213 154 11 219 162 10
42481-224 166 10 230 174 11 239 182 13 242 186 14
42482-246 186 14 246 186 14 246 186 14 246 186 14
42483-239 182 13 216 158 10 185 133 11 152 99 6
42484-104 69 6 18 14 6 2 2 6 2 2 6
42485- 2 2 6 2 2 6 2 2 6 2 2 6
42486- 2 2 6 2 2 6 2 2 6 2 2 6
42487- 2 2 6 2 2 6 2 2 6 2 2 6
42488- 2 2 6 6 6 6 80 54 7 152 99 6
42489-192 133 9 219 162 10 236 178 12 239 182 13
42490-246 186 14 242 186 14 239 182 13 236 178 12
42491-224 166 10 206 145 10 192 133 9 154 121 60
42492- 94 94 94 62 62 62 42 42 42 22 22 22
42493- 14 14 14 6 6 6 0 0 0 0 0 0
42494- 0 0 0 0 0 0 0 0 0 0 0 0
42495- 0 0 0 0 0 0 0 0 0 0 0 0
42496- 0 0 0 0 0 0 0 0 0 0 0 0
42497- 0 0 0 0 0 0 0 0 0 6 6 6
42498- 18 18 18 34 34 34 58 58 58 78 78 78
42499-101 98 89 124 112 88 142 110 46 156 107 11
42500-163 110 8 167 114 7 175 118 6 180 123 7
42501-185 133 11 197 138 11 210 150 10 219 162 10
42502-226 170 11 236 178 12 236 178 12 234 174 13
42503-219 162 10 197 138 11 163 110 8 130 83 6
42504- 91 60 6 10 10 10 2 2 6 2 2 6
42505- 18 18 18 38 38 38 38 38 38 38 38 38
42506- 38 38 38 38 38 38 38 38 38 38 38 38
42507- 38 38 38 38 38 38 26 26 26 2 2 6
42508- 2 2 6 6 6 6 70 47 6 137 92 6
42509-175 118 6 200 144 11 219 162 10 230 174 11
42510-234 174 13 230 174 11 219 162 10 210 150 10
42511-192 133 9 163 110 8 124 112 88 82 82 82
42512- 50 50 50 30 30 30 14 14 14 6 6 6
42513- 0 0 0 0 0 0 0 0 0 0 0 0
42514- 0 0 0 0 0 0 0 0 0 0 0 0
42515- 0 0 0 0 0 0 0 0 0 0 0 0
42516- 0 0 0 0 0 0 0 0 0 0 0 0
42517- 0 0 0 0 0 0 0 0 0 0 0 0
42518- 6 6 6 14 14 14 22 22 22 34 34 34
42519- 42 42 42 58 58 58 74 74 74 86 86 86
42520-101 98 89 122 102 70 130 98 46 121 87 25
42521-137 92 6 152 99 6 163 110 8 180 123 7
42522-185 133 11 197 138 11 206 145 10 200 144 11
42523-180 123 7 156 107 11 130 83 6 104 69 6
42524- 50 34 6 54 54 54 110 110 110 101 98 89
42525- 86 86 86 82 82 82 78 78 78 78 78 78
42526- 78 78 78 78 78 78 78 78 78 78 78 78
42527- 78 78 78 82 82 82 86 86 86 94 94 94
42528-106 106 106 101 101 101 86 66 34 124 80 6
42529-156 107 11 180 123 7 192 133 9 200 144 11
42530-206 145 10 200 144 11 192 133 9 175 118 6
42531-139 102 15 109 106 95 70 70 70 42 42 42
42532- 22 22 22 10 10 10 0 0 0 0 0 0
42533- 0 0 0 0 0 0 0 0 0 0 0 0
42534- 0 0 0 0 0 0 0 0 0 0 0 0
42535- 0 0 0 0 0 0 0 0 0 0 0 0
42536- 0 0 0 0 0 0 0 0 0 0 0 0
42537- 0 0 0 0 0 0 0 0 0 0 0 0
42538- 0 0 0 0 0 0 6 6 6 10 10 10
42539- 14 14 14 22 22 22 30 30 30 38 38 38
42540- 50 50 50 62 62 62 74 74 74 90 90 90
42541-101 98 89 112 100 78 121 87 25 124 80 6
42542-137 92 6 152 99 6 152 99 6 152 99 6
42543-138 86 6 124 80 6 98 70 6 86 66 30
42544-101 98 89 82 82 82 58 58 58 46 46 46
42545- 38 38 38 34 34 34 34 34 34 34 34 34
42546- 34 34 34 34 34 34 34 34 34 34 34 34
42547- 34 34 34 34 34 34 38 38 38 42 42 42
42548- 54 54 54 82 82 82 94 86 76 91 60 6
42549-134 86 6 156 107 11 167 114 7 175 118 6
42550-175 118 6 167 114 7 152 99 6 121 87 25
42551-101 98 89 62 62 62 34 34 34 18 18 18
42552- 6 6 6 0 0 0 0 0 0 0 0 0
42553- 0 0 0 0 0 0 0 0 0 0 0 0
42554- 0 0 0 0 0 0 0 0 0 0 0 0
42555- 0 0 0 0 0 0 0 0 0 0 0 0
42556- 0 0 0 0 0 0 0 0 0 0 0 0
42557- 0 0 0 0 0 0 0 0 0 0 0 0
42558- 0 0 0 0 0 0 0 0 0 0 0 0
42559- 0 0 0 6 6 6 6 6 6 10 10 10
42560- 18 18 18 22 22 22 30 30 30 42 42 42
42561- 50 50 50 66 66 66 86 86 86 101 98 89
42562-106 86 58 98 70 6 104 69 6 104 69 6
42563-104 69 6 91 60 6 82 62 34 90 90 90
42564- 62 62 62 38 38 38 22 22 22 14 14 14
42565- 10 10 10 10 10 10 10 10 10 10 10 10
42566- 10 10 10 10 10 10 6 6 6 10 10 10
42567- 10 10 10 10 10 10 10 10 10 14 14 14
42568- 22 22 22 42 42 42 70 70 70 89 81 66
42569- 80 54 7 104 69 6 124 80 6 137 92 6
42570-134 86 6 116 81 8 100 82 52 86 86 86
42571- 58 58 58 30 30 30 14 14 14 6 6 6
42572- 0 0 0 0 0 0 0 0 0 0 0 0
42573- 0 0 0 0 0 0 0 0 0 0 0 0
42574- 0 0 0 0 0 0 0 0 0 0 0 0
42575- 0 0 0 0 0 0 0 0 0 0 0 0
42576- 0 0 0 0 0 0 0 0 0 0 0 0
42577- 0 0 0 0 0 0 0 0 0 0 0 0
42578- 0 0 0 0 0 0 0 0 0 0 0 0
42579- 0 0 0 0 0 0 0 0 0 0 0 0
42580- 0 0 0 6 6 6 10 10 10 14 14 14
42581- 18 18 18 26 26 26 38 38 38 54 54 54
42582- 70 70 70 86 86 86 94 86 76 89 81 66
42583- 89 81 66 86 86 86 74 74 74 50 50 50
42584- 30 30 30 14 14 14 6 6 6 0 0 0
42585- 0 0 0 0 0 0 0 0 0 0 0 0
42586- 0 0 0 0 0 0 0 0 0 0 0 0
42587- 0 0 0 0 0 0 0 0 0 0 0 0
42588- 6 6 6 18 18 18 34 34 34 58 58 58
42589- 82 82 82 89 81 66 89 81 66 89 81 66
42590- 94 86 66 94 86 76 74 74 74 50 50 50
42591- 26 26 26 14 14 14 6 6 6 0 0 0
42592- 0 0 0 0 0 0 0 0 0 0 0 0
42593- 0 0 0 0 0 0 0 0 0 0 0 0
42594- 0 0 0 0 0 0 0 0 0 0 0 0
42595- 0 0 0 0 0 0 0 0 0 0 0 0
42596- 0 0 0 0 0 0 0 0 0 0 0 0
42597- 0 0 0 0 0 0 0 0 0 0 0 0
42598- 0 0 0 0 0 0 0 0 0 0 0 0
42599- 0 0 0 0 0 0 0 0 0 0 0 0
42600- 0 0 0 0 0 0 0 0 0 0 0 0
42601- 6 6 6 6 6 6 14 14 14 18 18 18
42602- 30 30 30 38 38 38 46 46 46 54 54 54
42603- 50 50 50 42 42 42 30 30 30 18 18 18
42604- 10 10 10 0 0 0 0 0 0 0 0 0
42605- 0 0 0 0 0 0 0 0 0 0 0 0
42606- 0 0 0 0 0 0 0 0 0 0 0 0
42607- 0 0 0 0 0 0 0 0 0 0 0 0
42608- 0 0 0 6 6 6 14 14 14 26 26 26
42609- 38 38 38 50 50 50 58 58 58 58 58 58
42610- 54 54 54 42 42 42 30 30 30 18 18 18
42611- 10 10 10 0 0 0 0 0 0 0 0 0
42612- 0 0 0 0 0 0 0 0 0 0 0 0
42613- 0 0 0 0 0 0 0 0 0 0 0 0
42614- 0 0 0 0 0 0 0 0 0 0 0 0
42615- 0 0 0 0 0 0 0 0 0 0 0 0
42616- 0 0 0 0 0 0 0 0 0 0 0 0
42617- 0 0 0 0 0 0 0 0 0 0 0 0
42618- 0 0 0 0 0 0 0 0 0 0 0 0
42619- 0 0 0 0 0 0 0 0 0 0 0 0
42620- 0 0 0 0 0 0 0 0 0 0 0 0
42621- 0 0 0 0 0 0 0 0 0 6 6 6
42622- 6 6 6 10 10 10 14 14 14 18 18 18
42623- 18 18 18 14 14 14 10 10 10 6 6 6
42624- 0 0 0 0 0 0 0 0 0 0 0 0
42625- 0 0 0 0 0 0 0 0 0 0 0 0
42626- 0 0 0 0 0 0 0 0 0 0 0 0
42627- 0 0 0 0 0 0 0 0 0 0 0 0
42628- 0 0 0 0 0 0 0 0 0 6 6 6
42629- 14 14 14 18 18 18 22 22 22 22 22 22
42630- 18 18 18 14 14 14 10 10 10 6 6 6
42631- 0 0 0 0 0 0 0 0 0 0 0 0
42632- 0 0 0 0 0 0 0 0 0 0 0 0
42633- 0 0 0 0 0 0 0 0 0 0 0 0
42634- 0 0 0 0 0 0 0 0 0 0 0 0
42635- 0 0 0 0 0 0 0 0 0 0 0 0
42636+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42637+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42638+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42639+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42640+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42641+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42642+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42643+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42644+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42645+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42646+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42647+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42648+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42649+4 4 4 4 4 4
42650+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42651+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42652+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42653+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42654+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42655+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42656+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42657+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42658+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42659+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42660+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42661+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42662+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42663+4 4 4 4 4 4
42664+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42665+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42666+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42667+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42668+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42669+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42670+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42671+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42672+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42673+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42674+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42675+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42676+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42677+4 4 4 4 4 4
42678+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42679+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42680+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42681+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42682+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42683+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42684+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42685+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42686+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42687+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42688+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42689+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42690+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42691+4 4 4 4 4 4
42692+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42693+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42694+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42695+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42696+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42697+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42698+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42699+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42700+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42701+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42702+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42703+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42704+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42705+4 4 4 4 4 4
42706+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42707+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42708+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42709+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42710+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42711+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42712+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42713+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42714+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42715+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42716+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42717+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42718+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42719+4 4 4 4 4 4
42720+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42721+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42722+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42723+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42724+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
42725+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
42726+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42727+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42728+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42729+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
42730+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42731+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
42732+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42733+4 4 4 4 4 4
42734+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42735+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42736+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42737+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42738+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
42739+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
42740+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42741+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42742+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42743+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
42744+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
42745+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
42746+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42747+4 4 4 4 4 4
42748+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42749+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42750+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42751+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42752+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
42753+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
42754+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42755+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42757+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
42758+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
42759+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
42760+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
42761+4 4 4 4 4 4
42762+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42763+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42764+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42765+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
42766+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
42767+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
42768+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
42769+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42770+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
42771+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
42772+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
42773+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
42774+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
42775+4 4 4 4 4 4
42776+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42777+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42778+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42779+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
42780+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
42781+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
42782+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
42783+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
42784+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
42785+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
42786+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
42787+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
42788+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
42789+4 4 4 4 4 4
42790+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42791+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42792+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
42793+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
42794+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
42795+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
42796+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
42797+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
42798+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
42799+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
42800+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
42801+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
42802+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
42803+4 4 4 4 4 4
42804+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42805+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42806+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
42807+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
42808+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
42809+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
42810+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
42811+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
42812+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
42813+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
42814+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
42815+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
42816+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
42817+4 4 4 4 4 4
42818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42820+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
42821+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
42822+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
42823+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
42824+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
42825+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
42826+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
42827+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
42828+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
42829+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
42830+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
42831+4 4 4 4 4 4
42832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42834+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
42835+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
42836+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
42837+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
42838+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
42839+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
42840+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
42841+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
42842+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
42843+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
42844+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
42845+4 4 4 4 4 4
42846+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42848+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
42849+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
42850+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
42851+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
42852+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
42853+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
42854+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
42855+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
42856+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
42857+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
42858+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
42859+4 4 4 4 4 4
42860+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42861+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
42862+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
42863+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
42864+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
42865+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
42866+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
42867+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
42868+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
42869+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
42870+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
42871+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
42872+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
42873+4 4 4 4 4 4
42874+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
42875+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
42876+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
42877+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
42878+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
42879+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
42880+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
42881+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
42882+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
42883+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
42884+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
42885+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
42886+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
42887+0 0 0 4 4 4
42888+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
42889+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
42890+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
42891+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
42892+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
42893+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
42894+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
42895+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
42896+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
42897+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
42898+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
42899+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
42900+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
42901+2 0 0 0 0 0
42902+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
42903+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
42904+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
42905+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
42906+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
42907+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
42908+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
42909+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
42910+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
42911+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
42912+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
42913+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
42914+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
42915+37 38 37 0 0 0
42916+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
42917+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
42918+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
42919+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
42920+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
42921+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
42922+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
42923+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
42924+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
42925+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
42926+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
42927+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
42928+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
42929+85 115 134 4 0 0
42930+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
42931+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
42932+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
42933+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
42934+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
42935+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
42936+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
42937+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
42938+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
42939+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
42940+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
42941+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
42942+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
42943+60 73 81 4 0 0
42944+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
42945+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
42946+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
42947+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
42948+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
42949+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
42950+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
42951+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
42952+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
42953+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
42954+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
42955+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
42956+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
42957+16 19 21 4 0 0
42958+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
42959+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
42960+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
42961+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
42962+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
42963+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
42964+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
42965+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
42966+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
42967+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
42968+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
42969+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
42970+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
42971+4 0 0 4 3 3
42972+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
42973+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
42974+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
42975+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
42976+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
42977+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
42978+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
42979+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
42980+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
42981+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
42982+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
42983+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
42984+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
42985+3 2 2 4 4 4
42986+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
42987+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
42988+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
42989+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
42990+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
42991+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
42992+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
42993+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
42994+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
42995+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
42996+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
42997+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
42998+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
42999+4 4 4 4 4 4
43000+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
43001+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
43002+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
43003+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
43004+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
43005+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
43006+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
43007+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
43008+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
43009+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
43010+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
43011+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
43012+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
43013+4 4 4 4 4 4
43014+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
43015+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
43016+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
43017+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
43018+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
43019+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
43020+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
43021+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
43022+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
43023+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
43024+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
43025+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
43026+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
43027+5 5 5 5 5 5
43028+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
43029+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
43030+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
43031+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
43032+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
43033+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43034+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
43035+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
43036+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
43037+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
43038+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
43039+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
43040+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
43041+5 5 5 4 4 4
43042+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
43043+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
43044+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
43045+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
43046+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43047+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
43048+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
43049+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
43050+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
43051+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
43052+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
43053+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
43054+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43055+4 4 4 4 4 4
43056+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
43057+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
43058+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
43059+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
43060+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
43061+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43062+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43063+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
43064+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
43065+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
43066+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
43067+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
43068+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43069+4 4 4 4 4 4
43070+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
43071+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
43072+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
43073+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
43074+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43075+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
43076+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
43077+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
43078+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
43079+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
43080+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
43081+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43082+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43083+4 4 4 4 4 4
43084+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
43085+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
43086+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
43087+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
43088+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43089+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43090+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
43091+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
43092+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
43093+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
43094+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
43095+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43096+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43097+4 4 4 4 4 4
43098+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
43099+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
43100+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
43101+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
43102+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43103+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
43104+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
43105+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
43106+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
43107+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
43108+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43109+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43110+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43111+4 4 4 4 4 4
43112+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
43113+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
43114+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
43115+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
43116+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
43117+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
43118+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
43119+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
43120+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
43121+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
43122+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
43123+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43124+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43125+4 4 4 4 4 4
43126+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
43127+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
43128+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
43129+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
43130+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
43131+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
43132+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
43133+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
43134+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
43135+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
43136+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
43137+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43138+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43139+4 4 4 4 4 4
43140+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
43141+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
43142+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
43143+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
43144+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
43145+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
43146+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
43147+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
43148+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
43149+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
43150+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43151+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43152+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43153+4 4 4 4 4 4
43154+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
43155+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
43156+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
43157+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
43158+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43159+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
43160+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
43161+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
43162+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
43163+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
43164+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43165+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43166+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43167+4 4 4 4 4 4
43168+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
43169+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
43170+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
43171+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
43172+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43173+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
43174+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
43175+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
43176+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
43177+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
43178+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43179+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43180+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43181+4 4 4 4 4 4
43182+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
43183+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
43184+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
43185+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
43186+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43187+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
43188+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
43189+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
43190+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
43191+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43192+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43193+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43194+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43195+4 4 4 4 4 4
43196+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
43197+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
43198+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
43199+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
43200+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
43201+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
43202+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
43203+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
43204+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43205+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43206+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43207+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43208+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43209+4 4 4 4 4 4
43210+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
43211+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
43212+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
43213+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
43214+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43215+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
43216+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
43217+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
43218+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43219+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43220+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43221+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43222+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43223+4 4 4 4 4 4
43224+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
43225+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
43226+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
43227+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
43228+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
43229+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
43230+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
43231+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
43232+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43233+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43234+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43235+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43236+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43237+4 4 4 4 4 4
43238+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
43239+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
43240+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43241+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
43242+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
43243+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
43244+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
43245+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
43246+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
43247+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43248+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43249+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43250+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43251+4 4 4 4 4 4
43252+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
43253+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
43254+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
43255+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
43256+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
43257+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
43258+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
43259+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
43260+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43261+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43262+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43263+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43264+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43265+4 4 4 4 4 4
43266+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
43267+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
43268+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43269+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
43270+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
43271+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
43272+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
43273+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
43274+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
43275+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43276+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43277+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43278+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43279+4 4 4 4 4 4
43280+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
43281+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
43282+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
43283+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
43284+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
43285+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
43286+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
43287+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
43288+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43289+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43290+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43291+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43292+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43293+4 4 4 4 4 4
43294+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43295+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
43296+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
43297+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
43298+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
43299+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
43300+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
43301+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
43302+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43303+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43304+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43305+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43306+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43307+4 4 4 4 4 4
43308+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
43309+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
43310+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
43311+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
43312+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
43313+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
43314+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43315+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
43316+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
43317+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43318+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43319+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43320+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43321+4 4 4 4 4 4
43322+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43323+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
43324+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
43325+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
43326+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
43327+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
43328+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
43329+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
43330+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
43331+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43332+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43333+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43334+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43335+4 4 4 4 4 4
43336+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
43337+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
43338+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
43339+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
43340+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
43341+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
43342+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
43343+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
43344+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
43345+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43346+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43347+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43348+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43349+4 4 4 4 4 4
43350+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43351+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
43352+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
43353+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
43354+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
43355+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
43356+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
43357+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
43358+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
43359+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43360+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43361+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43362+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43363+4 4 4 4 4 4
43364+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
43365+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
43366+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
43367+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
43368+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
43369+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
43370+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
43371+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
43372+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
43373+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43374+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43375+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43376+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43377+4 4 4 4 4 4
43378+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
43379+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
43380+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
43381+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
43382+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
43383+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
43384+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
43385+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
43386+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
43387+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
43388+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43389+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43390+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43391+4 4 4 4 4 4
43392+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
43393+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
43394+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
43395+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
43396+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
43397+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
43398+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
43399+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
43400+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
43401+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
43402+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43403+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43404+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43405+4 4 4 4 4 4
43406+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
43407+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
43408+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
43409+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
43410+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
43411+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
43412+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
43413+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
43414+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
43415+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
43416+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43417+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43418+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43419+4 4 4 4 4 4
43420+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
43421+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
43422+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
43423+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
43424+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
43425+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
43426+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43427+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
43428+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
43429+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
43430+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43431+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43432+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43433+4 4 4 4 4 4
43434+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
43435+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
43436+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
43437+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
43438+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
43439+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
43440+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
43441+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
43442+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
43443+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
43444+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43445+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43446+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43447+4 4 4 4 4 4
43448+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
43449+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
43450+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
43451+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
43452+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
43453+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
43454+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
43455+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
43456+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
43457+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
43458+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43459+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43460+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43461+4 4 4 4 4 4
43462+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43463+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
43464+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
43465+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
43466+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
43467+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
43468+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
43469+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
43470+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
43471+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
43472+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43473+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43474+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43475+4 4 4 4 4 4
43476+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
43477+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
43478+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
43479+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
43480+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
43481+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
43482+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
43483+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
43484+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
43485+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
43486+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43487+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43488+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43489+4 4 4 4 4 4
43490+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
43491+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
43492+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
43493+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
43494+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
43495+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
43496+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
43497+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
43498+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
43499+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43500+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43501+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43502+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43503+4 4 4 4 4 4
43504+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
43505+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43506+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
43507+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
43508+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
43509+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
43510+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
43511+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
43512+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
43513+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43514+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43515+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43516+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43517+4 4 4 4 4 4
43518+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
43519+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
43520+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
43521+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
43522+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
43523+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
43524+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
43525+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
43526+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
43527+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43528+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43529+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43530+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43531+4 4 4 4 4 4
43532+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
43533+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
43534+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
43535+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
43536+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
43537+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
43538+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
43539+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
43540+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43541+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43542+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43543+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43544+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43545+4 4 4 4 4 4
43546+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
43547+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
43548+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
43549+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
43550+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
43551+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
43552+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
43553+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
43554+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43555+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43556+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43557+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43558+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43559+4 4 4 4 4 4
43560+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
43561+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
43562+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
43563+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
43564+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
43565+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
43566+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
43567+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
43568+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43569+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43570+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43571+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43572+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43573+4 4 4 4 4 4
43574+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43575+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
43576+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43577+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
43578+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
43579+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
43580+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
43581+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
43582+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43583+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43584+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43585+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43586+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43587+4 4 4 4 4 4
43588+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43589+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
43590+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
43591+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
43592+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
43593+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
43594+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
43595+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
43596+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43597+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43598+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43599+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43600+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43601+4 4 4 4 4 4
43602+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43603+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
43604+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
43605+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
43606+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
43607+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
43608+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
43609+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43610+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43611+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43612+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43613+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43614+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43615+4 4 4 4 4 4
43616+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43617+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43618+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
43619+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
43620+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
43621+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
43622+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
43623+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
43624+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43625+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43626+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43627+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43628+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43629+4 4 4 4 4 4
43630+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43631+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43632+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43633+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43634+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
43635+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
43636+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
43637+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43638+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43639+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43640+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43641+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43642+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43643+4 4 4 4 4 4
43644+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43645+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43646+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43647+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
43648+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
43649+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
43650+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
43651+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43652+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43653+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43654+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43655+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43656+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43657+4 4 4 4 4 4
43658+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43659+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43660+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43661+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
43662+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
43663+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
43664+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
43665+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43666+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43667+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43668+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43669+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43670+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43671+4 4 4 4 4 4
43672+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43673+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43674+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43675+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
43676+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
43677+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
43678+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
43679+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43680+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43681+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43682+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43683+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43684+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43685+4 4 4 4 4 4
43686+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43687+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43688+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43689+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
43690+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
43691+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
43692+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
43693+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43694+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43695+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43696+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43697+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43698+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43699+4 4 4 4 4 4
43700+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43701+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43702+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43703+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43704+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
43705+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
43706+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
43707+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43708+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43709+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43710+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43711+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43712+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43713+4 4 4 4 4 4
43714+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43715+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43716+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43717+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43718+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
43719+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
43720+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43721+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43722+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43723+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43724+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43725+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43726+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43727+4 4 4 4 4 4
43728+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43729+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43730+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43731+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43732+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
43733+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
43734+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43735+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43736+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43737+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43738+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43739+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43740+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43741+4 4 4 4 4 4
43742+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43743+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43744+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43745+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43746+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
43747+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
43748+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43749+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43750+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43751+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43752+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43753+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43754+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
43755+4 4 4 4 4 4
43756diff -urNp linux-2.6.32.48/drivers/video/nvidia/nv_backlight.c linux-2.6.32.48/drivers/video/nvidia/nv_backlight.c
43757--- linux-2.6.32.48/drivers/video/nvidia/nv_backlight.c 2011-11-08 19:02:43.000000000 -0500
43758+++ linux-2.6.32.48/drivers/video/nvidia/nv_backlight.c 2011-11-15 19:59:43.000000000 -0500
43759@@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
43760 return bd->props.brightness;
43761 }
43762
43763-static struct backlight_ops nvidia_bl_ops = {
43764+static const struct backlight_ops nvidia_bl_ops = {
43765 .get_brightness = nvidia_bl_get_brightness,
43766 .update_status = nvidia_bl_update_status,
43767 };
43768diff -urNp linux-2.6.32.48/drivers/video/riva/fbdev.c linux-2.6.32.48/drivers/video/riva/fbdev.c
43769--- linux-2.6.32.48/drivers/video/riva/fbdev.c 2011-11-08 19:02:43.000000000 -0500
43770+++ linux-2.6.32.48/drivers/video/riva/fbdev.c 2011-11-15 19:59:43.000000000 -0500
43771@@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
43772 return bd->props.brightness;
43773 }
43774
43775-static struct backlight_ops riva_bl_ops = {
43776+static const struct backlight_ops riva_bl_ops = {
43777 .get_brightness = riva_bl_get_brightness,
43778 .update_status = riva_bl_update_status,
43779 };
43780diff -urNp linux-2.6.32.48/drivers/video/uvesafb.c linux-2.6.32.48/drivers/video/uvesafb.c
43781--- linux-2.6.32.48/drivers/video/uvesafb.c 2011-11-08 19:02:43.000000000 -0500
43782+++ linux-2.6.32.48/drivers/video/uvesafb.c 2011-11-15 19:59:43.000000000 -0500
43783@@ -18,6 +18,7 @@
43784 #include <linux/fb.h>
43785 #include <linux/io.h>
43786 #include <linux/mutex.h>
43787+#include <linux/moduleloader.h>
43788 #include <video/edid.h>
43789 #include <video/uvesafb.h>
43790 #ifdef CONFIG_X86
43791@@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
43792 NULL,
43793 };
43794
43795- return call_usermodehelper(v86d_path, argv, envp, 1);
43796+ return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
43797 }
43798
43799 /*
43800@@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
43801 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
43802 par->pmi_setpal = par->ypan = 0;
43803 } else {
43804+
43805+#ifdef CONFIG_PAX_KERNEXEC
43806+#ifdef CONFIG_MODULES
43807+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
43808+#endif
43809+ if (!par->pmi_code) {
43810+ par->pmi_setpal = par->ypan = 0;
43811+ return 0;
43812+ }
43813+#endif
43814+
43815 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
43816 + task->t.regs.edi);
43817+
43818+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43819+ pax_open_kernel();
43820+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
43821+ pax_close_kernel();
43822+
43823+ par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
43824+ par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
43825+#else
43826 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
43827 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
43828+#endif
43829+
43830 printk(KERN_INFO "uvesafb: protected mode interface info at "
43831 "%04x:%04x\n",
43832 (u16)task->t.regs.es, (u16)task->t.regs.edi);
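Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the copied length `(u16)task->t.regs.ecx`, so a table whose offsets exceed its reported size would leave `pmi_start`/`pmi_pal` pointing past the executable allocation. A guard ahead of the two `ktva_ktla()` assignments, such as `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)`, that clears `pmi_setpal` and `ypan` would keep the pointers inside the buffer. The same pattern appears in the vesafb_probe hunk that copies `screen_info.vesapm_size` bytes and then derives `pmi_start`/`pmi_pal` from `pmi_base[1]` and `pmi_base[2]`. uvesafb_vbe_getpmi starts and ends outside this hunk, and the table is firmware-supplied, so whether a malformed one can be reached in practice cannot be judged from here.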
43833@@ -1799,6 +1822,11 @@ out:
43834 if (par->vbe_modes)
43835 kfree(par->vbe_modes);
43836
43837+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43838+ if (par->pmi_code)
43839+ module_free_exec(NULL, par->pmi_code);
43840+#endif
43841+
43842 framebuffer_release(info);
43843 return err;
43844 }
43845@@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
43846 kfree(par->vbe_state_orig);
43847 if (par->vbe_state_saved)
43848 kfree(par->vbe_state_saved);
43849+
43850+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43851+ if (par->pmi_code)
43852+ module_free_exec(NULL, par->pmi_code);
43853+#endif
43854+
43855 }
43856
43857 framebuffer_release(info);
43858diff -urNp linux-2.6.32.48/drivers/video/vesafb.c linux-2.6.32.48/drivers/video/vesafb.c
43859--- linux-2.6.32.48/drivers/video/vesafb.c 2011-11-08 19:02:43.000000000 -0500
43860+++ linux-2.6.32.48/drivers/video/vesafb.c 2011-11-15 19:59:43.000000000 -0500
43861@@ -9,6 +9,7 @@
43862 */
43863
43864 #include <linux/module.h>
43865+#include <linux/moduleloader.h>
43866 #include <linux/kernel.h>
43867 #include <linux/errno.h>
43868 #include <linux/string.h>
43869@@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
43870 static int vram_total __initdata; /* Set total amount of memory */
43871 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
43872 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
43873-static void (*pmi_start)(void) __read_mostly;
43874-static void (*pmi_pal) (void) __read_mostly;
43875+static void (*pmi_start)(void) __read_only;
43876+static void (*pmi_pal) (void) __read_only;
43877 static int depth __read_mostly;
43878 static int vga_compat __read_mostly;
43879 /* --------------------------------------------------------------------- */
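Review bot: `pmi_start` and `pmi_pal` become `__read_only` here with no comment saying where they may still be written. In the probe hunk further down, the KERNEXEC build assigns them between `pax_open_kernel()` and `pax_close_kernel()`. A short comment above the declarations, for example `/* set once in vesafb_probe(); under KERNEXEC only inside pax_open_kernel() */`, would keep a later change from adding an assignment outside that window.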
43880@@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
43881 unsigned int size_vmode;
43882 unsigned int size_remap;
43883 unsigned int size_total;
43884+ void *pmi_code = NULL;
43885
43886 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
43887 return -ENODEV;
43888@@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
43889 size_remap = size_total;
43890 vesafb_fix.smem_len = size_remap;
43891
43892-#ifndef __i386__
43893- screen_info.vesapm_seg = 0;
43894-#endif
43895-
43896 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
43897 printk(KERN_WARNING
43898 "vesafb: cannot reserve video memory at 0x%lx\n",
43899@@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
43900 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
43901 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
43902
43903+#ifdef __i386__
43904+
43905+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43906+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
43907+ if (!pmi_code)
43908+#elif !defined(CONFIG_PAX_KERNEXEC)
43909+ if (0)
43910+#endif
43911+
43912+#endif
43913+ screen_info.vesapm_seg = 0;
43914+
43915 if (screen_info.vesapm_seg) {
43916- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
43917- screen_info.vesapm_seg,screen_info.vesapm_off);
43918+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
43919+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
43920 }
43921
43922 if (screen_info.vesapm_seg < 0xc000)
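Review bot: `pmi_code` is allocated before the code knows whether the protected-mode interface will be used, and it lives only in a local of vesafb_probe. When `ypan` and `pmi_setpal` both end up 0 (for example after the `vesapm_seg < 0xc000` test that closes this hunk), the executable allocation appears to be neither used nor freed on the success path, since the only visible `module_free_exec` is under `err:`. Releasing it once PMI is ruled out would close that, e.g. `if (pmi_code && !ypan && !pmi_setpal) { module_free_exec(NULL, pmi_code); pmi_code = NULL; }` under the same `#if`. Separately, `screen_info.vesapm_seg = 0;` is guarded by an `if` that exists only in some preprocessor branches, which is easy to misread; a comment naming the configurations that clear the segment unconditionally would help. The function continues outside the hunk, so code not shown here may change this picture.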
43923@@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
43924
43925 if (ypan || pmi_setpal) {
43926 unsigned short *pmi_base;
43927+
43928 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
43929- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
43930- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
43931+
43932+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43933+ pax_open_kernel();
43934+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
43935+#else
43936+ pmi_code = pmi_base;
43937+#endif
43938+
43939+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
43940+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
43941+
43942+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43943+ pmi_start = ktva_ktla(pmi_start);
43944+ pmi_pal = ktva_ktla(pmi_pal);
43945+ pax_close_kernel();
43946+#endif
43947+
43948 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
43949 if (pmi_base[3]) {
43950 printk(KERN_INFO "vesafb: pmi: ports = ");
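Review bot: The entry offsets `pmi_base[1]` and `pmi_base[2]` are added to `pmi_code` without being compared with `screen_info.vesapm_size`, the length that was just copied. In the KERNEXEC branch an offset at or beyond that size makes `pmi_start` or `pmi_pal` point outside the executable allocation instead of into the firmware table. The table should be rejected before the `memcpy`, with a test such as `if (pmi_base[1] >= screen_info.vesapm_size || pmi_base[2] >= screen_info.vesapm_size)` that turns `ypan` and `pmi_setpal` off. vesafb_probe continues outside the hunk.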
43951@@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
43952 info->node, info->fix.id);
43953 return 0;
43954 err:
43955+
43956+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
43957+ module_free_exec(NULL, pmi_code);
43958+#endif
43959+
43960 if (info->screen_base)
43961 iounmap(info->screen_base);
43962 framebuffer_release(info);
43963diff -urNp linux-2.6.32.48/drivers/xen/sys-hypervisor.c linux-2.6.32.48/drivers/xen/sys-hypervisor.c
43964--- linux-2.6.32.48/drivers/xen/sys-hypervisor.c 2011-11-08 19:02:43.000000000 -0500
43965+++ linux-2.6.32.48/drivers/xen/sys-hypervisor.c 2011-11-15 19:59:43.000000000 -0500
43966@@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
43967 return 0;
43968 }
43969
43970-static struct sysfs_ops hyp_sysfs_ops = {
43971+static const struct sysfs_ops hyp_sysfs_ops = {
43972 .show = hyp_sysfs_show,
43973 .store = hyp_sysfs_store,
43974 };
43975diff -urNp linux-2.6.32.48/fs/9p/vfs_inode.c linux-2.6.32.48/fs/9p/vfs_inode.c
43976--- linux-2.6.32.48/fs/9p/vfs_inode.c 2011-11-08 19:02:43.000000000 -0500
43977+++ linux-2.6.32.48/fs/9p/vfs_inode.c 2011-11-15 19:59:43.000000000 -0500
43978@@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
43979 static void
43980 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43981 {
43982- char *s = nd_get_link(nd);
43983+ const char *s = nd_get_link(nd);
43984
43985 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
43986 IS_ERR(s) ? "<error>" : s);
43987diff -urNp linux-2.6.32.48/fs/aio.c linux-2.6.32.48/fs/aio.c
43988--- linux-2.6.32.48/fs/aio.c 2011-11-08 19:02:43.000000000 -0500
43989+++ linux-2.6.32.48/fs/aio.c 2011-11-15 19:59:43.000000000 -0500
43990@@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
43991 size += sizeof(struct io_event) * nr_events;
43992 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
43993
43994- if (nr_pages < 0)
43995+ if (nr_pages <= 0)
43996 return -EINVAL;
43997
43998 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
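Review bot: The `nr_pages <= 0` test runs after `size += sizeof(struct io_event) * nr_events`, so it only rejects a request whose wrapped size happens to round to a non-positive page count. A large `nr_events` that wraps to a small positive `size` would still pass. Bounding `nr_events` before the multiplication is more direct, along the lines of `if (nr_events > (INT_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event)) return -EINVAL;`. The declarations of `size`, `nr_events` and `nr_pages` are outside the hunk, so the exact limit depends on their types.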
43999@@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
44000 struct aio_timeout to;
44001 int retry = 0;
44002
44003+ pax_track_stack();
44004+
44005 /* needed to zero any padding within an entry (there shouldn't be
44006 * any, but C is fun!
44007 */
44008@@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
44009 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
44010 {
44011 ssize_t ret;
44012+ struct iovec iovstack;
44013
44014 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
44015 kiocb->ki_nbytes, 1,
44016- &kiocb->ki_inline_vec, &kiocb->ki_iovec);
44017+ &iovstack, &kiocb->ki_iovec);
44018 if (ret < 0)
44019 goto out;
44020
44021+ if (kiocb->ki_iovec == &iovstack) {
44022+ kiocb->ki_inline_vec = iovstack;
44023+ kiocb->ki_iovec = &kiocb->ki_inline_vec;
44024+ }
44025 kiocb->ki_nr_segs = kiocb->ki_nbytes;
44026 kiocb->ki_cur_seg = 0;
44027 /* ki_nbytes/left now reflect bytes instead of segs */
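Review bot: Nothing in the hunk says why the vector is first read into the on-stack `iovstack` and then copied into `kiocb->ki_inline_vec`. The `ki_iovec == &iovstack` fix-up is what keeps `ki_iovec` from pointing into this stack frame after the function returns. A comment above it would help, such as `/* the fast path filled our stack copy: move it into the kiocb so ki_iovec stays valid after return */`. The reason for not passing `&kiocb->ki_inline_vec` directly should be stated as well. The rest of aio_setup_vectored_rw is outside the hunk.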
44028diff -urNp linux-2.6.32.48/fs/attr.c linux-2.6.32.48/fs/attr.c
44029--- linux-2.6.32.48/fs/attr.c 2011-11-08 19:02:43.000000000 -0500
44030+++ linux-2.6.32.48/fs/attr.c 2011-11-15 19:59:43.000000000 -0500
44031@@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
44032 unsigned long limit;
44033
44034 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
44035+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
44036 if (limit != RLIM_INFINITY && offset > limit)
44037 goto out_sig;
44038 if (offset > inode->i_sb->s_maxbytes)
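Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource()` call can truncate the value on 32-bit builds if `offset` is a 64-bit file offset, as the comparison with `s_maxbytes` below suggests. The learned RLIMIT_FSIZE figure would then be smaller than the size that is actually checked against `limit`. Either pass the value without narrowing, if the callee's parameter type allows it, or record the truncation in a comment. Both declarations are outside the hunk.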
44039diff -urNp linux-2.6.32.48/fs/autofs/root.c linux-2.6.32.48/fs/autofs/root.c
44040--- linux-2.6.32.48/fs/autofs/root.c 2011-11-08 19:02:43.000000000 -0500
44041+++ linux-2.6.32.48/fs/autofs/root.c 2011-11-15 19:59:43.000000000 -0500
44042@@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
44043 set_bit(n,sbi->symlink_bitmap);
44044 sl = &sbi->symlink[n];
44045 sl->len = strlen(symname);
44046- sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
44047+ slsize = sl->len+1;
44048+ sl->data = kmalloc(slsize, GFP_KERNEL);
44049 if (!sl->data) {
44050 clear_bit(n,sbi->symlink_bitmap);
44051 unlock_kernel();
44052diff -urNp linux-2.6.32.48/fs/autofs4/symlink.c linux-2.6.32.48/fs/autofs4/symlink.c
44053--- linux-2.6.32.48/fs/autofs4/symlink.c 2011-11-08 19:02:43.000000000 -0500
44054+++ linux-2.6.32.48/fs/autofs4/symlink.c 2011-11-15 19:59:43.000000000 -0500
44055@@ -15,7 +15,7 @@
44056 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
44057 {
44058 struct autofs_info *ino = autofs4_dentry_ino(dentry);
44059- nd_set_link(nd, (char *)ino->u.symlink);
44060+ nd_set_link(nd, ino->u.symlink);
44061 return NULL;
44062 }
44063
44064diff -urNp linux-2.6.32.48/fs/autofs4/waitq.c linux-2.6.32.48/fs/autofs4/waitq.c
44065--- linux-2.6.32.48/fs/autofs4/waitq.c 2011-11-08 19:02:43.000000000 -0500
44066+++ linux-2.6.32.48/fs/autofs4/waitq.c 2011-11-15 19:59:43.000000000 -0500
44067@@ -60,7 +60,7 @@ static int autofs4_write(struct file *fi
44068 {
44069 unsigned long sigpipe, flags;
44070 mm_segment_t fs;
44071- const char *data = (const char *)addr;
44072+ const char __user *data = (const char __force_user *)addr;
44073 ssize_t wr = 0;
44074
44075 /** WARNING: this is not safe for writing more than PIPE_BUF bytes! **/
44076diff -urNp linux-2.6.32.48/fs/befs/linuxvfs.c linux-2.6.32.48/fs/befs/linuxvfs.c
44077--- linux-2.6.32.48/fs/befs/linuxvfs.c 2011-11-08 19:02:43.000000000 -0500
44078+++ linux-2.6.32.48/fs/befs/linuxvfs.c 2011-11-15 19:59:43.000000000 -0500
44079@@ -498,7 +498,7 @@ static void befs_put_link(struct dentry
44080 {
44081 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
44082 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
44083- char *link = nd_get_link(nd);
44084+ const char *link = nd_get_link(nd);
44085 if (!IS_ERR(link))
44086 kfree(link);
44087 }
44088diff -urNp linux-2.6.32.48/fs/binfmt_aout.c linux-2.6.32.48/fs/binfmt_aout.c
44089--- linux-2.6.32.48/fs/binfmt_aout.c 2011-11-08 19:02:43.000000000 -0500
44090+++ linux-2.6.32.48/fs/binfmt_aout.c 2011-11-15 19:59:43.000000000 -0500
44091@@ -16,6 +16,7 @@
44092 #include <linux/string.h>
44093 #include <linux/fs.h>
44094 #include <linux/file.h>
44095+#include <linux/security.h>
44096 #include <linux/stat.h>
44097 #include <linux/fcntl.h>
44098 #include <linux/ptrace.h>
44099@@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
44100 #endif
44101 # define START_STACK(u) (u.start_stack)
44102
44103+ memset(&dump, 0, sizeof(dump));
44104+
44105 fs = get_fs();
44106 set_fs(KERNEL_DS);
44107 has_dumped = 1;
44108@@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
44109
44110 /* If the size of the dump file exceeds the rlimit, then see what would happen
44111 if we wrote the stack, but not the data area. */
44112+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
44113 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
44114 dump.u_dsize = 0;
44115
44116 /* Make sure we have enough room to write the stack and data areas. */
44117+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
44118 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
44119 dump.u_ssize = 0;
44120
44121@@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
44122 dump_size = dump.u_ssize << PAGE_SHIFT;
44123 DUMP_WRITE(dump_start,dump_size);
44124 }
44125-/* Finally dump the task struct. Not be used by gdb, but could be useful */
44126- set_fs(KERNEL_DS);
44127- DUMP_WRITE(current,sizeof(*current));
44128+/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
44129 end_coredump:
44130 set_fs(fs);
44131 return has_dumped;
44132@@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
44133 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
44134 if (rlim >= RLIM_INFINITY)
44135 rlim = ~0;
44136+
44137+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
44138 if (ex.a_data + ex.a_bss > rlim)
44139 return -ENOMEM;
44140
44141@@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
44142 install_exec_creds(bprm);
44143 current->flags &= ~PF_FORKNOEXEC;
44144
44145+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44146+ current->mm->pax_flags = 0UL;
44147+#endif
44148+
44149+#ifdef CONFIG_PAX_PAGEEXEC
44150+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
44151+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
44152+
44153+#ifdef CONFIG_PAX_EMUTRAMP
44154+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
44155+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
44156+#endif
44157+
44158+#ifdef CONFIG_PAX_MPROTECT
44159+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
44160+ current->mm->pax_flags |= MF_PAX_MPROTECT;
44161+#endif
44162+
44163+ }
44164+#endif
44165+
44166 if (N_MAGIC(ex) == OMAGIC) {
44167 unsigned long text_addr, map_size;
44168 loff_t pos;
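Review bot: The three header bits are read with different polarity and no comment says so. `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` enable the feature when the bit is clear, while `F_PAX_EMUTRAMP` enables it when the bit is set. A one-line comment above the block would prevent a mistaken correction later, for example `/* a.out: PAGEEXEC and MPROTECT are opt-out bits, EMUTRAMP is opt-in */`. The block also never sets a randomisation bit, so `pax_flags` stays at zero for a.out binaries when only `CONFIG_PAX_ASLR` is enabled; if that is deliberate it is worth stating. load_aout_binary continues outside the hunk.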
44169@@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
44170
44171 down_write(&current->mm->mmap_sem);
44172 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
44173- PROT_READ | PROT_WRITE | PROT_EXEC,
44174+ PROT_READ | PROT_WRITE,
44175 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
44176 fd_offset + ex.a_text);
44177 up_write(&current->mm->mmap_sem);
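Review bot: Dropping `PROT_EXEC` from the data mapping is not wrapped in any `CONFIG_PAX_*` conditional, unlike the flag handling added earlier in this function, so it changes behaviour for every build of this tree. An a.out program that runs code from its data segment may fault on hardware that enforces execute permission, even with PaX disabled. If that is intended, a short comment such as `/* the data segment is never mapped executable, whatever the PaX settings */` would record it. Otherwise the protection should depend on `MF_PAX_PAGEEXEC`.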
44178diff -urNp linux-2.6.32.48/fs/binfmt_elf.c linux-2.6.32.48/fs/binfmt_elf.c
44179--- linux-2.6.32.48/fs/binfmt_elf.c 2011-11-08 19:02:43.000000000 -0500
44180+++ linux-2.6.32.48/fs/binfmt_elf.c 2011-11-18 18:51:56.000000000 -0500
44181@@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
44182 #define elf_core_dump NULL
44183 #endif
44184
44185+#ifdef CONFIG_PAX_MPROTECT
44186+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
44187+#endif
44188+
44189 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
44190 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
44191 #else
44192@@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
44193 .load_binary = load_elf_binary,
44194 .load_shlib = load_elf_library,
44195 .core_dump = elf_core_dump,
44196+
44197+#ifdef CONFIG_PAX_MPROTECT
44198+ .handle_mprotect= elf_handle_mprotect,
44199+#endif
44200+
44201 .min_coredump = ELF_EXEC_PAGESIZE,
44202 .hasvdso = 1
44203 };
44204@@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
44205
44206 static int set_brk(unsigned long start, unsigned long end)
44207 {
44208+ unsigned long e = end;
44209+
44210 start = ELF_PAGEALIGN(start);
44211 end = ELF_PAGEALIGN(end);
44212 if (end > start) {
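Review bot: The new local `e` keeps the caller's unaligned `end`, and the next hunk assigns it to `start_brk` and `brk` in place of the page-aligned value, but neither the name nor a comment says this is the intent. Renaming it, for example `unsigned long unaligned_end = end;`, and adding `/* brk starts at the real end of bss, not at the page boundary */` above the assignment would make the change self-explanatory. The mapping itself still uses the aligned `start` and `end`.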
44213@@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
44214 if (BAD_ADDR(addr))
44215 return addr;
44216 }
44217- current->mm->start_brk = current->mm->brk = end;
44218+ current->mm->start_brk = current->mm->brk = e;
44219 return 0;
44220 }
44221
44222@@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
44223 elf_addr_t __user *u_rand_bytes;
44224 const char *k_platform = ELF_PLATFORM;
44225 const char *k_base_platform = ELF_BASE_PLATFORM;
44226- unsigned char k_rand_bytes[16];
44227+ u32 k_rand_bytes[4];
44228 int items;
44229 elf_addr_t *elf_info;
44230 int ei_index = 0;
44231 const struct cred *cred = current_cred();
44232 struct vm_area_struct *vma;
44233+ unsigned long saved_auxv[AT_VECTOR_SIZE];
44234+
44235+ pax_track_stack();
44236
44237 /*
44238 * In some cases (e.g. Hyper-Threading), we want to avoid L1
44239@@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
44240 * Generate 16 random bytes for userspace PRNG seeding.
44241 */
44242 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
44243- u_rand_bytes = (elf_addr_t __user *)
44244- STACK_ALLOC(p, sizeof(k_rand_bytes));
44245+ srandom32(k_rand_bytes[0] ^ random32());
44246+ srandom32(k_rand_bytes[1] ^ random32());
44247+ srandom32(k_rand_bytes[2] ^ random32());
44248+ srandom32(k_rand_bytes[3] ^ random32());
44249+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
44250+ u_rand_bytes = (elf_addr_t __user *) p;
44251 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
44252 return -EFAULT;
44253
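Review bot: The four `srandom32()` calls stir words of `k_rand_bytes` into the kernel's `random32()` state, yet the same words are handed to userspace by the `__copy_to_user()` below. Only the `random32()` term in each XOR is therefore unknown to the new process. The existing comment still describes the block as generating bytes for userspace seeding only. A comment stating what the reseeding is meant to achieve is needed, for example `/* also perturb the random32() state on every exec; k_rand_bytes itself is not secret from the new task */`. create_elf_tables starts and ends outside the hunk.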
44254@@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
44255 return -EFAULT;
44256 current->mm->env_end = p;
44257
44258+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
44259+
44260 /* Put the elf_info on the stack in the right place. */
44261 sp = (elf_addr_t __user *)envp + 1;
44262- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
44263+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
44264 return -EFAULT;
44265 return 0;
44266 }
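Review bot: The `memcpy()` into `saved_auxv` uses `ei_index * sizeof(elf_addr_t)` as its length with no comparison against `sizeof(saved_auxv)`. The destination is declared as `unsigned long[AT_VECTOR_SIZE]` in an earlier hunk, while the source elements are `elf_addr_t`. If `elf_info` is backed by an array of the same size the copy is safe, but that is not visible here, so a guard such as `if (ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv)) return -EINVAL;` would make the bound explicit. The reason for bouncing the vector through a stack buffer before `copy_to_user()` should also be given in a comment.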
44267@@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
44268 {
44269 struct elf_phdr *elf_phdata;
44270 struct elf_phdr *eppnt;
44271- unsigned long load_addr = 0;
44272+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
44273 int load_addr_set = 0;
44274 unsigned long last_bss = 0, elf_bss = 0;
44275- unsigned long error = ~0UL;
44276+ unsigned long error = -EINVAL;
44277 unsigned long total_size;
44278 int retval, i, size;
44279
44280@@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
44281 goto out_close;
44282 }
44283
44284+#ifdef CONFIG_PAX_SEGMEXEC
44285+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
44286+ pax_task_size = SEGMEXEC_TASK_SIZE;
44287+#endif
44288+
44289 eppnt = elf_phdata;
44290 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
44291 if (eppnt->p_type == PT_LOAD) {
44292@@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
44293 k = load_addr + eppnt->p_vaddr;
44294 if (BAD_ADDR(k) ||
44295 eppnt->p_filesz > eppnt->p_memsz ||
44296- eppnt->p_memsz > TASK_SIZE ||
44297- TASK_SIZE - eppnt->p_memsz < k) {
44298+ eppnt->p_memsz > pax_task_size ||
44299+ pax_task_size - eppnt->p_memsz < k) {
44300 error = -ENOMEM;
44301 goto out_close;
44302 }
44303@@ -532,6 +557,194 @@ out:
44304 return error;
44305 }
44306
44307+#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
44308+static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
44309+{
44310+ unsigned long pax_flags = 0UL;
44311+
44312+#ifdef CONFIG_PAX_PAGEEXEC
44313+ if (elf_phdata->p_flags & PF_PAGEEXEC)
44314+ pax_flags |= MF_PAX_PAGEEXEC;
44315+#endif
44316+
44317+#ifdef CONFIG_PAX_SEGMEXEC
44318+ if (elf_phdata->p_flags & PF_SEGMEXEC)
44319+ pax_flags |= MF_PAX_SEGMEXEC;
44320+#endif
44321+
44322+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44323+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44324+ if (nx_enabled)
44325+ pax_flags &= ~MF_PAX_SEGMEXEC;
44326+ else
44327+ pax_flags &= ~MF_PAX_PAGEEXEC;
44328+ }
44329+#endif
44330+
44331+#ifdef CONFIG_PAX_EMUTRAMP
44332+ if (elf_phdata->p_flags & PF_EMUTRAMP)
44333+ pax_flags |= MF_PAX_EMUTRAMP;
44334+#endif
44335+
44336+#ifdef CONFIG_PAX_MPROTECT
44337+ if (elf_phdata->p_flags & PF_MPROTECT)
44338+ pax_flags |= MF_PAX_MPROTECT;
44339+#endif
44340+
44341+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44342+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
44343+ pax_flags |= MF_PAX_RANDMMAP;
44344+#endif
44345+
44346+ return pax_flags;
44347+}
44348+#endif
44349+
44350+#ifdef CONFIG_PAX_PT_PAX_FLAGS
44351+static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
44352+{
44353+ unsigned long pax_flags = 0UL;
44354+
44355+#ifdef CONFIG_PAX_PAGEEXEC
44356+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
44357+ pax_flags |= MF_PAX_PAGEEXEC;
44358+#endif
44359+
44360+#ifdef CONFIG_PAX_SEGMEXEC
44361+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
44362+ pax_flags |= MF_PAX_SEGMEXEC;
44363+#endif
44364+
44365+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44366+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44367+ if (nx_enabled)
44368+ pax_flags &= ~MF_PAX_SEGMEXEC;
44369+ else
44370+ pax_flags &= ~MF_PAX_PAGEEXEC;
44371+ }
44372+#endif
44373+
44374+#ifdef CONFIG_PAX_EMUTRAMP
44375+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
44376+ pax_flags |= MF_PAX_EMUTRAMP;
44377+#endif
44378+
44379+#ifdef CONFIG_PAX_MPROTECT
44380+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
44381+ pax_flags |= MF_PAX_MPROTECT;
44382+#endif
44383+
44384+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
44385+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
44386+ pax_flags |= MF_PAX_RANDMMAP;
44387+#endif
44388+
44389+ return pax_flags;
44390+}
44391+#endif
44392+
44393+#ifdef CONFIG_PAX_EI_PAX
44394+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
44395+{
44396+ unsigned long pax_flags = 0UL;
44397+
44398+#ifdef CONFIG_PAX_PAGEEXEC
44399+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
44400+ pax_flags |= MF_PAX_PAGEEXEC;
44401+#endif
44402+
44403+#ifdef CONFIG_PAX_SEGMEXEC
44404+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
44405+ pax_flags |= MF_PAX_SEGMEXEC;
44406+#endif
44407+
44408+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
44409+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44410+ if (nx_enabled)
44411+ pax_flags &= ~MF_PAX_SEGMEXEC;
44412+ else
44413+ pax_flags &= ~MF_PAX_PAGEEXEC;
44414+ }
44415+#endif
44416+
44417+#ifdef CONFIG_PAX_EMUTRAMP
44418+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
44419+ pax_flags |= MF_PAX_EMUTRAMP;
44420+#endif
44421+
44422+#ifdef CONFIG_PAX_MPROTECT
44423+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
44424+ pax_flags |= MF_PAX_MPROTECT;
44425+#endif
44426+
44427+#ifdef CONFIG_PAX_ASLR
44428+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
44429+ pax_flags |= MF_PAX_RANDMMAP;
44430+#endif
44431+
44432+ return pax_flags;
44433+}
44434+#endif
44435+
44436+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44437+static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
44438+{
44439+ unsigned long pax_flags = 0UL;
44440+
44441+#ifdef CONFIG_PAX_PT_PAX_FLAGS
44442+ unsigned long i;
44443+ int found_flags = 0;
44444+#endif
44445+
44446+#ifdef CONFIG_PAX_EI_PAX
44447+ pax_flags = pax_parse_ei_pax(elf_ex);
44448+#endif
44449+
44450+#ifdef CONFIG_PAX_PT_PAX_FLAGS
44451+ for (i = 0UL; i < elf_ex->e_phnum; i++)
44452+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
44453+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
44454+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
44455+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
44456+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
44457+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
44458+ return -EINVAL;
44459+
44460+#ifdef CONFIG_PAX_SOFTMODE
44461+ if (pax_softmode)
44462+ pax_flags = pax_parse_softmode(&elf_phdata[i]);
44463+ else
44464+#endif
44465+
44466+ pax_flags = pax_parse_hardmode(&elf_phdata[i]);
44467+ found_flags = 1;
44468+ break;
44469+ }
44470+#endif
44471+
44472+#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
44473+ if (found_flags == 0) {
44474+ struct elf_phdr phdr;
44475+ memset(&phdr, 0, sizeof(phdr));
44476+ phdr.p_flags = PF_NOEMUTRAMP;
44477+#ifdef CONFIG_PAX_SOFTMODE
44478+ if (pax_softmode)
44479+ pax_flags = pax_parse_softmode(&phdr);
44480+ else
44481+#endif
44482+ pax_flags = pax_parse_hardmode(&phdr);
44483+ }
44484+#endif
44485+
44486+
44487+ if (0 > pax_check_flags(&pax_flags))
44488+ return -EINVAL;
44489+
44490+ current->mm->pax_flags = pax_flags;
44491+ return 0;
44492+}
44493+#endif
44494+
44495 /*
44496 * These are the functions used to load ELF style executables and shared
44497 * libraries. There is no binary dependent code anywhere else.
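Review bot: The block that resolves a simultaneous `MF_PAX_PAGEEXEC` and `MF_PAX_SEGMEXEC` request by testing `nx_enabled` is repeated verbatim in `pax_parse_softmode()`, `pax_parse_hardmode()` and `pax_parse_ei_pax()`. Three copies of one policy decision can drift apart, so it is better kept in a single static helper that each parser calls after setting the two bits. The helper below keeps the same preprocessor condition and yields the same result; it needs the same outer `#if` as its callers so it is not left unused in other configurations.

```c
/* PAGEEXEC and SEGMEXEC are mutually exclusive: keep PAGEEXEC when
 * nx_enabled is set, otherwise keep SEGMEXEC. */
static unsigned long pax_pick_noexec_method(unsigned long pax_flags)
{
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) == both)
		pax_flags &= nx_enabled ? ~MF_PAX_SEGMEXEC : ~MF_PAX_PAGEEXEC;
#endif
	return pax_flags;
}

/* … unchanged: PAGEEXEC and SEGMEXEC bit tests in each parser … */
	pax_flags = pax_pick_noexec_method(pax_flags);
/* … unchanged: EMUTRAMP, MPROTECT and RANDMMAP handling … */
```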
44498@@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
44499 {
44500 unsigned int random_variable = 0;
44501
44502+#ifdef CONFIG_PAX_RANDUSTACK
44503+ if (randomize_va_space)
44504+ return stack_top - current->mm->delta_stack;
44505+#endif
44506+
44507 if ((current->flags & PF_RANDOMIZE) &&
44508 !(current->personality & ADDR_NO_RANDOMIZE)) {
44509 random_variable = get_random_int() & STACK_RND_MASK;
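Review bot: The added early return bypasses the `PF_RANDOMIZE` and `ADDR_NO_RANDOMIZE` tests that follow, so under `CONFIG_PAX_RANDUSTACK` the stack offset is whatever `delta_stack` holds. Elsewhere in this patch load_elf_binary zeroes `delta_stack` and fills it only when `MF_PAX_RANDMMAP` is set, which means a task without that flag gets no stack offset here even if `PF_RANDOMIZE` is set. If that is the intended policy it deserves a comment, for example `/* PaX: delta_stack is 0 unless MF_PAX_RANDMMAP is set; the stock path below is not used */`. The remainder of randomize_stack_top is outside the hunk.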
44510@@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
44511 unsigned long load_addr = 0, load_bias = 0;
44512 int load_addr_set = 0;
44513 char * elf_interpreter = NULL;
44514- unsigned long error;
44515+ unsigned long error = 0;
44516 struct elf_phdr *elf_ppnt, *elf_phdata;
44517 unsigned long elf_bss, elf_brk;
44518 int retval, i;
44519@@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
44520 unsigned long start_code, end_code, start_data, end_data;
44521 unsigned long reloc_func_desc = 0;
44522 int executable_stack = EXSTACK_DEFAULT;
44523- unsigned long def_flags = 0;
44524 struct {
44525 struct elfhdr elf_ex;
44526 struct elfhdr interp_elf_ex;
44527 } *loc;
44528+ unsigned long pax_task_size = TASK_SIZE;
44529
44530 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
44531 if (!loc) {
44532@@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
44533
44534 /* OK, This is the point of no return */
44535 current->flags &= ~PF_FORKNOEXEC;
44536- current->mm->def_flags = def_flags;
44537+
44538+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
44539+ current->mm->pax_flags = 0UL;
44540+#endif
44541+
44542+#ifdef CONFIG_PAX_DLRESOLVE
44543+ current->mm->call_dl_resolve = 0UL;
44544+#endif
44545+
44546+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
44547+ current->mm->call_syscall = 0UL;
44548+#endif
44549+
44550+#ifdef CONFIG_PAX_ASLR
44551+ current->mm->delta_mmap = 0UL;
44552+ current->mm->delta_stack = 0UL;
44553+#endif
44554+
44555+ current->mm->def_flags = 0;
44556+
44557+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
44558+ if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
44559+ send_sig(SIGKILL, current, 0);
44560+ goto out_free_dentry;
44561+ }
44562+#endif
44563+
44564+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
44565+ pax_set_initial_flags(bprm);
44566+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
44567+ if (pax_set_initial_flags_func)
44568+ (pax_set_initial_flags_func)(bprm);
44569+#endif
44570+
44571+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
44572+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
44573+ current->mm->context.user_cs_limit = PAGE_SIZE;
44574+ current->mm->def_flags |= VM_PAGEEXEC;
44575+ }
44576+#endif
44577+
44578+#ifdef CONFIG_PAX_SEGMEXEC
44579+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
44580+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
44581+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
44582+ pax_task_size = SEGMEXEC_TASK_SIZE;
44583+ }
44584+#endif
44585+
44586+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
44587+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44588+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
44589+ put_cpu();
44590+ }
44591+#endif
44592
44593 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
44594 may depend on the personality. */
44595 SET_PERSONALITY(loc->elf_ex);
44596+
44597+#ifdef CONFIG_PAX_ASLR
44598+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
44599+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
44600+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
44601+ }
44602+#endif
44603+
44604+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
44605+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
44606+ executable_stack = EXSTACK_DISABLE_X;
44607+ current->personality &= ~READ_IMPLIES_EXEC;
44608+ } else
44609+#endif
44610+
44611 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
44612 current->personality |= READ_IMPLIES_EXEC;
44613
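Review bot: The new failure path after `pax_parse_elf_flags()` sends `SIGKILL` and jumps to `out_free_dentry` without assigning `retval`, whereas the segment-size check later in this patch sets `retval = -EINVAL;` before the same kind of exit. Whatever `retval` holds at that point is assigned outside the hunk, so the function may report success for an exec it has just aborted. Adding `retval = -EINVAL;` before the `goto` keeps the two paths consistent.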
44614@@ -800,10 +1087,27 @@ static int load_elf_binary(struct linux_
44615 * might try to exec. This is because the brk will
44616 * follow the loader, and is not movable. */
44617 #ifdef CONFIG_X86
44618- load_bias = 0;
44619+ if (current->flags & PF_RANDOMIZE)
44620+ load_bias = 0;
44621+ else
44622+ load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44623 #else
44624 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
44625 #endif
44626+
44627+#ifdef CONFIG_PAX_RANDMMAP
44628+ /* PaX: randomize base address at the default exe base if requested */
44629+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
44630+#ifdef CONFIG_SPARC64
44631+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
44632+#else
44633+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
44634+#endif
44635+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
44636+ elf_flags |= MAP_FIXED;
44637+ }
44638+#endif
44639+
44640 }
44641
44642 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
44643@@ -836,9 +1140,9 @@ static int load_elf_binary(struct linux_
44644 * allowed task size. Note that p_filesz must always be
44645 * <= p_memsz so it is only necessary to check p_memsz.
44646 */
44647- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44648- elf_ppnt->p_memsz > TASK_SIZE ||
44649- TASK_SIZE - elf_ppnt->p_memsz < k) {
44650+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
44651+ elf_ppnt->p_memsz > pax_task_size ||
44652+ pax_task_size - elf_ppnt->p_memsz < k) {
44653 /* set_brk can never work. Avoid overflows. */
44654 send_sig(SIGKILL, current, 0);
44655 retval = -EINVAL;
44656@@ -866,6 +1170,11 @@ static int load_elf_binary(struct linux_
44657 start_data += load_bias;
44658 end_data += load_bias;
44659
44660+#ifdef CONFIG_PAX_RANDMMAP
44661+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
44662+ elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
44663+#endif
44664+
44665 /* Calling set_brk effectively mmaps the pages that we need
44666 * for the bss and break sections. We must do this before
44667 * mapping in the interpreter, to make sure it doesn't wind
44668@@ -877,9 +1186,11 @@ static int load_elf_binary(struct linux_
44669 goto out_free_dentry;
44670 }
44671 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
44672- send_sig(SIGSEGV, current, 0);
44673- retval = -EFAULT; /* Nobody gets to see this, but.. */
44674- goto out_free_dentry;
44675+ /*
44676+ * This bss-zeroing can fail if the ELF
44677+ * file specifies odd protections. So
44678+ * we don't check the return value
44679+ */
44680 }
44681
44682 if (elf_interpreter) {
44683@@ -1112,8 +1423,10 @@ static int dump_seek(struct file *file,
44684 unsigned long n = off;
44685 if (n > PAGE_SIZE)
44686 n = PAGE_SIZE;
44687- if (!dump_write(file, buf, n))
44688+ if (!dump_write(file, buf, n)) {
44689+ free_page((unsigned long)buf);
44690 return 0;
44691+ }
44692 off -= n;
44693 }
44694 free_page((unsigned long)buf);
44695@@ -1125,7 +1438,7 @@ static int dump_seek(struct file *file,
44696 * Decide what to dump of a segment, part, all or none.
44697 */
44698 static unsigned long vma_dump_size(struct vm_area_struct *vma,
44699- unsigned long mm_flags)
44700+ unsigned long mm_flags, long signr)
44701 {
44702 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
44703
44704@@ -1159,7 +1472,7 @@ static unsigned long vma_dump_size(struc
44705 if (vma->vm_file == NULL)
44706 return 0;
44707
44708- if (FILTER(MAPPED_PRIVATE))
44709+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
44710 goto whole;
44711
44712 /*
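Review bot: The new `signr == SIGKILL` term sends every mapping that reaches this test to `whole`, regardless of the `MAPPED_PRIVATE` filter bit, and nothing explains why a dump triggered by SIGKILL overrides the per-process filter. Since this enlarges what ends up in the core file, the reason should be recorded next to the test, for example `/* dumps forced via SIGKILL ignore the MAPPED_PRIVATE filter so the full image is kept */`. The `signr` parameter is added in the preceding hunk and the rest of vma_dump_size is outside both.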
44713@@ -1255,8 +1568,11 @@ static int writenote(struct memelfnote *
44714 #undef DUMP_WRITE
44715
44716 #define DUMP_WRITE(addr, nr) \
44717+ do { \
44718+ gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
44719 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
44720- goto end_coredump;
44721+ goto end_coredump; \
44722+ } while (0);
44723
44724 static void fill_elf_header(struct elfhdr *elf, int segs,
44725 u16 machine, u32 flags, u8 osabi)
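Review bot: The rewritten `DUMP_WRITE` ends in `while (0);`, and the trailing semicolon defeats the purpose of the do/while wrapper: `if (x) DUMP_WRITE(a, n); else ...` expands to two statements and no longer compiles. Ending the macro with `} while (0)` and leaving the semicolon to the call site fixes that, provided every caller already writes one, which cannot be checked from this hunk. Note also that `nr` is now expanded three times, so an argument with side effects would be evaluated repeatedly.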
44726@@ -1385,9 +1701,9 @@ static void fill_auxv_note(struct memelf
44727 {
44728 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
44729 int i = 0;
44730- do
44731+ do {
44732 i += 2;
44733- while (auxv[i - 2] != AT_NULL);
44734+ } while (auxv[i - 2] != AT_NULL);
44735 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
44736 }
44737
44738@@ -1973,7 +2289,7 @@ static int elf_core_dump(long signr, str
44739 phdr.p_offset = offset;
44740 phdr.p_vaddr = vma->vm_start;
44741 phdr.p_paddr = 0;
44742- phdr.p_filesz = vma_dump_size(vma, mm_flags);
44743+ phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
44744 phdr.p_memsz = vma->vm_end - vma->vm_start;
44745 offset += phdr.p_filesz;
44746 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
44747@@ -2006,7 +2322,7 @@ static int elf_core_dump(long signr, str
44748 unsigned long addr;
44749 unsigned long end;
44750
44751- end = vma->vm_start + vma_dump_size(vma, mm_flags);
44752+ end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
44753
44754 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
44755 struct page *page;
44756@@ -2015,6 +2331,7 @@ static int elf_core_dump(long signr, str
44757 page = get_dump_page(addr);
44758 if (page) {
44759 void *kaddr = kmap(page);
44760+ gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
44761 stop = ((size += PAGE_SIZE) > limit) ||
44762 !dump_write(file, kaddr, PAGE_SIZE);
44763 kunmap(page);
44764@@ -2042,6 +2359,97 @@ out:
44765
44766 #endif /* USE_ELF_CORE_DUMP */
44767
44768+#ifdef CONFIG_PAX_MPROTECT
44769+/* PaX: non-PIC ELF libraries need relocations on their executable segments
44770+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
44771+ * we'll remove VM_MAYWRITE for good on RELRO segments.
44772+ *
44773+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
44774+ * basis because we want to allow the common case and not the special ones.
44775+ */
44776+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
44777+{
44778+ struct elfhdr elf_h;
44779+ struct elf_phdr elf_p;
44780+ unsigned long i;
44781+ unsigned long oldflags;
44782+ bool is_textrel_rw, is_textrel_rx, is_relro;
44783+
44784+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
44785+ return;
44786+
44787+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
44788+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
44789+
44790+#ifdef CONFIG_PAX_ELFRELOCS
44791+ /* possible TEXTREL */
44792+ is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
44793+ is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
44794+#else
44795+ is_textrel_rw = false;
44796+ is_textrel_rx = false;
44797+#endif
44798+
44799+ /* possible RELRO */
44800+ is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
44801+
44802+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
44803+ return;
44804+
44805+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
44806+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
44807+
44808+#ifdef CONFIG_PAX_ETEXECRELOCS
44809+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44810+#else
44811+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
44812+#endif
44813+
44814+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
44815+ !elf_check_arch(&elf_h) ||
44816+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
44817+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
44818+ return;
44819+
44820+ for (i = 0UL; i < elf_h.e_phnum; i++) {
44821+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
44822+ return;
44823+ switch (elf_p.p_type) {
44824+ case PT_DYNAMIC:
44825+ if (!is_textrel_rw && !is_textrel_rx)
44826+ continue;
44827+ i = 0UL;
44828+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
44829+ elf_dyn dyn;
44830+
44831+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
44832+ return;
44833+ if (dyn.d_tag == DT_NULL)
44834+ return;
44835+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
44836+ gr_log_textrel(vma);
44837+ if (is_textrel_rw)
44838+ vma->vm_flags |= VM_MAYWRITE;
44839+ else
44840+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
44841+ vma->vm_flags &= ~VM_MAYWRITE;
44842+ return;
44843+ }
44844+ i++;
44845+ }
44846+ return;
44847+
44848+ case PT_GNU_RELRO:
44849+ if (!is_relro)
44850+ continue;
44851+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
44852+ vma->vm_flags &= ~VM_MAYWRITE;
44853+ return;
44854+ }
44855+ }
44856+}
44857+#endif
44858+
44859 static int __init init_elf_binfmt(void)
44860 {
44861 return register_binfmt(&elf_format);
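Review bot: The PT_DYNAMIC scan in `elf_handle_mprotect` is bounded only by the file-supplied `elf_p.p_filesz`, whereas the program-header loop caps `e_phnum`. A mapped file with a large dynamic segment and no `DT_NULL` entry makes each matching mprotect() issue one `kernel_read` per entry until a read comes up short. A cap in the spirit of the header check, e.g. `if (elf_p.p_filesz > 65536UL) return;` before the `while`, would bound that work; the exact limit is a judgement call. The scan also reuses the outer index `i`, which is safe only because every path after `i = 0UL;` returns, so a separate `unsigned long j;` would be more robust. The header comment could also state that the decision is taken from the file contents as re-read at mprotect time.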
44862diff -urNp linux-2.6.32.48/fs/binfmt_flat.c linux-2.6.32.48/fs/binfmt_flat.c
44863--- linux-2.6.32.48/fs/binfmt_flat.c 2011-11-08 19:02:43.000000000 -0500
44864+++ linux-2.6.32.48/fs/binfmt_flat.c 2011-11-15 19:59:43.000000000 -0500
44865@@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
44866 realdatastart = (unsigned long) -ENOMEM;
44867 printk("Unable to allocate RAM for process data, errno %d\n",
44868 (int)-realdatastart);
44869+ down_write(&current->mm->mmap_sem);
44870 do_munmap(current->mm, textpos, text_len);
44871+ up_write(&current->mm->mmap_sem);
44872 ret = realdatastart;
44873 goto err;
44874 }
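Review bot: The added `down_write(&current->mm->mmap_sem)` / `up_write()` pair around `do_munmap()` has no comment saying why the lock is taken on this error path. The same pattern is repeated in the next two hunks of `load_flat_file` (the data+bss and code+data+bss read failures). A one-line comment at the first site, such as `/* do_munmap() must be called with mmap_sem held for write */`, would document the invariant for all three. The return value of `do_munmap()` is still ignored at each site, which is probably acceptable during error unwinding but is worth stating. `load_flat_file` starts and ends outside these hunks.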
44875@@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
44876 }
44877 if (IS_ERR_VALUE(result)) {
44878 printk("Unable to read data+bss, errno %d\n", (int)-result);
44879+ down_write(&current->mm->mmap_sem);
44880 do_munmap(current->mm, textpos, text_len);
44881 do_munmap(current->mm, realdatastart, data_len + extra);
44882+ up_write(&current->mm->mmap_sem);
44883 ret = result;
44884 goto err;
44885 }
44886@@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
44887 }
44888 if (IS_ERR_VALUE(result)) {
44889 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
44890+ down_write(&current->mm->mmap_sem);
44891 do_munmap(current->mm, textpos, text_len + data_len + extra +
44892 MAX_SHARED_LIBS * sizeof(unsigned long));
44893+ up_write(&current->mm->mmap_sem);
44894 ret = result;
44895 goto err;
44896 }
44897diff -urNp linux-2.6.32.48/fs/bio.c linux-2.6.32.48/fs/bio.c
44898--- linux-2.6.32.48/fs/bio.c 2011-11-08 19:02:43.000000000 -0500
44899+++ linux-2.6.32.48/fs/bio.c 2011-11-15 19:59:43.000000000 -0500
44900@@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
44901
44902 i = 0;
44903 while (i < bio_slab_nr) {
44904- struct bio_slab *bslab = &bio_slabs[i];
44905+ bslab = &bio_slabs[i];
44906
44907 if (!bslab->slab && entry == -1)
44908 entry = i;
44909@@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
44910 const int read = bio_data_dir(bio) == READ;
44911 struct bio_map_data *bmd = bio->bi_private;
44912 int i;
44913- char *p = bmd->sgvecs[0].iov_base;
44914+ char *p = (char __force_kernel *)bmd->sgvecs[0].iov_base;
44915
44916 __bio_for_each_segment(bvec, bio, i, 0) {
44917 char *addr = page_address(bvec->bv_page);
44918diff -urNp linux-2.6.32.48/fs/block_dev.c linux-2.6.32.48/fs/block_dev.c
44919--- linux-2.6.32.48/fs/block_dev.c 2011-11-08 19:02:43.000000000 -0500
44920+++ linux-2.6.32.48/fs/block_dev.c 2011-11-15 19:59:43.000000000 -0500
44921@@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
44922 else if (bdev->bd_contains == bdev)
44923 res = 0; /* is a whole device which isn't held */
44924
44925- else if (bdev->bd_contains->bd_holder == bd_claim)
44926+ else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
44927 res = 0; /* is a partition of a device that is being partitioned */
44928 else if (bdev->bd_contains->bd_holder != NULL)
44929 res = -EBUSY; /* is a partition of a held device */
44930diff -urNp linux-2.6.32.48/fs/btrfs/ctree.c linux-2.6.32.48/fs/btrfs/ctree.c
44931--- linux-2.6.32.48/fs/btrfs/ctree.c 2011-11-08 19:02:43.000000000 -0500
44932+++ linux-2.6.32.48/fs/btrfs/ctree.c 2011-11-15 19:59:43.000000000 -0500
44933@@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
44934 free_extent_buffer(buf);
44935 add_root_to_dirty_list(root);
44936 } else {
44937- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
44938- parent_start = parent->start;
44939- else
44940+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
44941+ if (parent)
44942+ parent_start = parent->start;
44943+ else
44944+ parent_start = 0;
44945+ } else
44946 parent_start = 0;
44947
44948 WARN_ON(trans->transid != btrfs_header_generation(parent));
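Review bot: The new `if (parent)` guard protects only the `parent->start` read. The unchanged `WARN_ON(trans->transid != btrfs_header_generation(parent));` two lines later still passes `parent` on unconditionally, so if `parent` can really be NULL in this branch the dereference has presumably just moved. Either the guard is unnecessary here or the WARN_ON needs the same condition, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`. `__btrfs_cow_block` begins and continues outside the hunk, so whether `parent` is guaranteed non-NULL on this path cannot be confirmed from here.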
44949@@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
44950
44951 ret = 0;
44952 if (slot == 0) {
44953- struct btrfs_disk_key disk_key;
44954 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
44955 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
44956 }
44957diff -urNp linux-2.6.32.48/fs/btrfs/disk-io.c linux-2.6.32.48/fs/btrfs/disk-io.c
44958--- linux-2.6.32.48/fs/btrfs/disk-io.c 2011-11-08 19:02:43.000000000 -0500
44959+++ linux-2.6.32.48/fs/btrfs/disk-io.c 2011-11-15 19:59:43.000000000 -0500
44960@@ -39,7 +39,7 @@
44961 #include "tree-log.h"
44962 #include "free-space-cache.h"
44963
44964-static struct extent_io_ops btree_extent_io_ops;
44965+static const struct extent_io_ops btree_extent_io_ops;
44966 static void end_workqueue_fn(struct btrfs_work *work);
44967 static void free_fs_root(struct btrfs_root *root);
44968
44969@@ -2607,7 +2607,7 @@ out:
44970 return 0;
44971 }
44972
44973-static struct extent_io_ops btree_extent_io_ops = {
44974+static const struct extent_io_ops btree_extent_io_ops = {
44975 .write_cache_pages_lock_hook = btree_lock_page_hook,
44976 .readpage_end_io_hook = btree_readpage_end_io_hook,
44977 .submit_bio_hook = btree_submit_bio_hook,
44978diff -urNp linux-2.6.32.48/fs/btrfs/extent_io.h linux-2.6.32.48/fs/btrfs/extent_io.h
44979--- linux-2.6.32.48/fs/btrfs/extent_io.h 2011-11-08 19:02:43.000000000 -0500
44980+++ linux-2.6.32.48/fs/btrfs/extent_io.h 2011-11-15 19:59:43.000000000 -0500
44981@@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
44982 struct bio *bio, int mirror_num,
44983 unsigned long bio_flags);
44984 struct extent_io_ops {
44985- int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
44986+ int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
44987 u64 start, u64 end, int *page_started,
44988 unsigned long *nr_written);
44989- int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
44990- int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
44991+ int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
44992+ int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
44993 extent_submit_bio_hook_t *submit_bio_hook;
44994- int (*merge_bio_hook)(struct page *page, unsigned long offset,
44995+ int (* const merge_bio_hook)(struct page *page, unsigned long offset,
44996 size_t size, struct bio *bio,
44997 unsigned long bio_flags);
44998- int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
44999- int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
45000+ int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
45001+ int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
45002 u64 start, u64 end,
45003 struct extent_state *state);
45004- int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
45005+ int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
45006 u64 start, u64 end,
45007 struct extent_state *state);
45008- int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
45009+ int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
45010 struct extent_state *state);
45011- int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
45012+ int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
45013 struct extent_state *state, int uptodate);
45014- int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
45015+ int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
45016 unsigned long old, unsigned long bits);
45017- int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
45018+ int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
45019 unsigned long bits);
45020- int (*merge_extent_hook)(struct inode *inode,
45021+ int (* const merge_extent_hook)(struct inode *inode,
45022 struct extent_state *new,
45023 struct extent_state *other);
45024- int (*split_extent_hook)(struct inode *inode,
45025+ int (* const split_extent_hook)(struct inode *inode,
45026 struct extent_state *orig, u64 split);
45027- int (*write_cache_pages_lock_hook)(struct page *page);
45028+ int (* const write_cache_pages_lock_hook)(struct page *page);
45029 };
45030
45031 struct extent_io_tree {
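Review bot: `extent_submit_bio_hook_t *submit_bio_hook;` is the one member of `struct extent_io_ops` left without `const`, while every other hook in the struct becomes `(* const ...)`. For consistency it could read `extent_submit_bio_hook_t * const submit_bio_hook;`. The instances visible in this patch are declared `static const struct extent_io_ops`, so the practical effect is small. The uniform form would still stop a future non-const instance from ending up with a single writable hook.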
45032@@ -88,7 +88,7 @@ struct extent_io_tree {
45033 u64 dirty_bytes;
45034 spinlock_t lock;
45035 spinlock_t buffer_lock;
45036- struct extent_io_ops *ops;
45037+ const struct extent_io_ops *ops;
45038 };
45039
45040 struct extent_state {
45041diff -urNp linux-2.6.32.48/fs/btrfs/extent-tree.c linux-2.6.32.48/fs/btrfs/extent-tree.c
45042--- linux-2.6.32.48/fs/btrfs/extent-tree.c 2011-11-08 19:02:43.000000000 -0500
45043+++ linux-2.6.32.48/fs/btrfs/extent-tree.c 2011-11-15 19:59:43.000000000 -0500
45044@@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
45045 u64 group_start = group->key.objectid;
45046 new_extents = kmalloc(sizeof(*new_extents),
45047 GFP_NOFS);
45048+ if (!new_extents) {
45049+ ret = -ENOMEM;
45050+ goto out;
45051+ }
45052 nr_extents = 1;
45053 ret = get_new_locations(reloc_inode,
45054 extent_key,
45055diff -urNp linux-2.6.32.48/fs/btrfs/free-space-cache.c linux-2.6.32.48/fs/btrfs/free-space-cache.c
45056--- linux-2.6.32.48/fs/btrfs/free-space-cache.c 2011-11-08 19:02:43.000000000 -0500
45057+++ linux-2.6.32.48/fs/btrfs/free-space-cache.c 2011-11-15 19:59:43.000000000 -0500
45058@@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
45059
45060 while(1) {
45061 if (entry->bytes < bytes || entry->offset < min_start) {
45062- struct rb_node *node;
45063-
45064 node = rb_next(&entry->offset_index);
45065 if (!node)
45066 break;
45067@@ -1226,7 +1224,7 @@ again:
45068 */
45069 while (entry->bitmap || found_bitmap ||
45070 (!entry->bitmap && entry->bytes < min_bytes)) {
45071- struct rb_node *node = rb_next(&entry->offset_index);
45072+ node = rb_next(&entry->offset_index);
45073
45074 if (entry->bitmap && entry->bytes > bytes + empty_size) {
45075 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
45076diff -urNp linux-2.6.32.48/fs/btrfs/inode.c linux-2.6.32.48/fs/btrfs/inode.c
45077--- linux-2.6.32.48/fs/btrfs/inode.c 2011-11-08 19:02:43.000000000 -0500
45078+++ linux-2.6.32.48/fs/btrfs/inode.c 2011-11-15 19:59:43.000000000 -0500
45079@@ -63,7 +63,7 @@ static const struct inode_operations btr
45080 static const struct address_space_operations btrfs_aops;
45081 static const struct address_space_operations btrfs_symlink_aops;
45082 static const struct file_operations btrfs_dir_file_operations;
45083-static struct extent_io_ops btrfs_extent_io_ops;
45084+static const struct extent_io_ops btrfs_extent_io_ops;
45085
45086 static struct kmem_cache *btrfs_inode_cachep;
45087 struct kmem_cache *btrfs_trans_handle_cachep;
45088@@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
45089 1, 0, NULL, GFP_NOFS);
45090 while (start < end) {
45091 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
45092+ BUG_ON(!async_cow);
45093 async_cow->inode = inode;
45094 async_cow->root = root;
45095 async_cow->locked_page = locked_page;
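Review bot: `BUG_ON(!async_cow);` turns a failed `kmalloc(sizeof(*async_cow), GFP_NOFS)` into a kernel BUG rather than an error return, while the `uncompress_inline` hunk later in this file handles the same condition with `return -ENOMEM;`. The check does stop the NULL dereference on the following line, but an allocation failure under memory pressure then halts the kernel instead of failing one operation. Returning `-ENOMEM` would be preferable if the work queued by earlier loop iterations can be unwound. `cow_file_range_async` starts and ends outside the hunk, so whether that unwinding is feasible cannot be judged from here.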
45096@@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
45097 inline_size = btrfs_file_extent_inline_item_len(leaf,
45098 btrfs_item_nr(leaf, path->slots[0]));
45099 tmp = kmalloc(inline_size, GFP_NOFS);
45100+ if (!tmp)
45101+ return -ENOMEM;
45102 ptr = btrfs_file_extent_inline_start(item);
45103
45104 read_extent_buffer(leaf, tmp, ptr, inline_size);
45105@@ -5410,7 +5413,7 @@ fail:
45106 return -ENOMEM;
45107 }
45108
45109-static int btrfs_getattr(struct vfsmount *mnt,
45110+int btrfs_getattr(struct vfsmount *mnt,
45111 struct dentry *dentry, struct kstat *stat)
45112 {
45113 struct inode *inode = dentry->d_inode;
45114@@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
45115 return 0;
45116 }
45117
45118+EXPORT_SYMBOL(btrfs_getattr);
45119+
45120+dev_t get_btrfs_dev_from_inode(struct inode *inode)
45121+{
45122+ return BTRFS_I(inode)->root->anon_super.s_dev;
45123+}
45124+EXPORT_SYMBOL(get_btrfs_dev_from_inode);
45125+
45126 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
45127 struct inode *new_dir, struct dentry *new_dentry)
45128 {
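Review bot: `get_btrfs_dev_from_inode()` is exported with no comment and no check that `inode` belongs to btrfs. `BTRFS_I(inode)` is presumably a plain container cast (its definition is outside this hunk), so a caller passing an inode from another filesystem would read unrelated memory through `->root`. A comment above the function stating the precondition would make the contract explicit, e.g. `/* caller must ensure inode is a btrfs inode (inode->i_sb->s_magic == BTRFS_SUPER_MAGIC) */`. The same hunk exports `btrfs_getattr`, made non-static in the previous hunk, and no header declaration for either symbol is visible here.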
45129@@ -5972,7 +5983,7 @@ static const struct file_operations btrf
45130 .fsync = btrfs_sync_file,
45131 };
45132
45133-static struct extent_io_ops btrfs_extent_io_ops = {
45134+static const struct extent_io_ops btrfs_extent_io_ops = {
45135 .fill_delalloc = run_delalloc_range,
45136 .submit_bio_hook = btrfs_submit_bio_hook,
45137 .merge_bio_hook = btrfs_merge_bio_hook,
45138diff -urNp linux-2.6.32.48/fs/btrfs/relocation.c linux-2.6.32.48/fs/btrfs/relocation.c
45139--- linux-2.6.32.48/fs/btrfs/relocation.c 2011-11-08 19:02:43.000000000 -0500
45140+++ linux-2.6.32.48/fs/btrfs/relocation.c 2011-11-15 19:59:43.000000000 -0500
45141@@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
45142 }
45143 spin_unlock(&rc->reloc_root_tree.lock);
45144
45145- BUG_ON((struct btrfs_root *)node->data != root);
45146+ BUG_ON(!node || (struct btrfs_root *)node->data != root);
45147
45148 if (!del) {
45149 spin_lock(&rc->reloc_root_tree.lock);
45150diff -urNp linux-2.6.32.48/fs/btrfs/sysfs.c linux-2.6.32.48/fs/btrfs/sysfs.c
45151--- linux-2.6.32.48/fs/btrfs/sysfs.c 2011-11-08 19:02:43.000000000 -0500
45152+++ linux-2.6.32.48/fs/btrfs/sysfs.c 2011-11-15 19:59:43.000000000 -0500
45153@@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
45154 complete(&root->kobj_unregister);
45155 }
45156
45157-static struct sysfs_ops btrfs_super_attr_ops = {
45158+static const struct sysfs_ops btrfs_super_attr_ops = {
45159 .show = btrfs_super_attr_show,
45160 .store = btrfs_super_attr_store,
45161 };
45162
45163-static struct sysfs_ops btrfs_root_attr_ops = {
45164+static const struct sysfs_ops btrfs_root_attr_ops = {
45165 .show = btrfs_root_attr_show,
45166 .store = btrfs_root_attr_store,
45167 };
45168diff -urNp linux-2.6.32.48/fs/buffer.c linux-2.6.32.48/fs/buffer.c
45169--- linux-2.6.32.48/fs/buffer.c 2011-11-08 19:02:43.000000000 -0500
45170+++ linux-2.6.32.48/fs/buffer.c 2011-11-15 19:59:43.000000000 -0500
45171@@ -25,6 +25,7 @@
45172 #include <linux/percpu.h>
45173 #include <linux/slab.h>
45174 #include <linux/capability.h>
45175+#include <linux/security.h>
45176 #include <linux/blkdev.h>
45177 #include <linux/file.h>
45178 #include <linux/quotaops.h>
45179diff -urNp linux-2.6.32.48/fs/cachefiles/bind.c linux-2.6.32.48/fs/cachefiles/bind.c
45180--- linux-2.6.32.48/fs/cachefiles/bind.c 2011-11-08 19:02:43.000000000 -0500
45181+++ linux-2.6.32.48/fs/cachefiles/bind.c 2011-11-15 19:59:43.000000000 -0500
45182@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
45183 args);
45184
45185 /* start by checking things over */
45186- ASSERT(cache->fstop_percent >= 0 &&
45187- cache->fstop_percent < cache->fcull_percent &&
45188+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
45189 cache->fcull_percent < cache->frun_percent &&
45190 cache->frun_percent < 100);
45191
45192- ASSERT(cache->bstop_percent >= 0 &&
45193- cache->bstop_percent < cache->bcull_percent &&
45194+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
45195 cache->bcull_percent < cache->brun_percent &&
45196 cache->brun_percent < 100);
45197
45198diff -urNp linux-2.6.32.48/fs/cachefiles/daemon.c linux-2.6.32.48/fs/cachefiles/daemon.c
45199--- linux-2.6.32.48/fs/cachefiles/daemon.c 2011-11-08 19:02:43.000000000 -0500
45200+++ linux-2.6.32.48/fs/cachefiles/daemon.c 2011-11-15 19:59:43.000000000 -0500
45201@@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
45202 if (test_bit(CACHEFILES_DEAD, &cache->flags))
45203 return -EIO;
45204
45205- if (datalen < 0 || datalen > PAGE_SIZE - 1)
45206+ if (datalen > PAGE_SIZE - 1)
45207 return -EOPNOTSUPP;
45208
45209 /* drag the command string into the kernel so we can parse it */
45210@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
45211 if (args[0] != '%' || args[1] != '\0')
45212 return -EINVAL;
45213
45214- if (fstop < 0 || fstop >= cache->fcull_percent)
45215+ if (fstop >= cache->fcull_percent)
45216 return cachefiles_daemon_range_error(cache, args);
45217
45218 cache->fstop_percent = fstop;
45219@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
45220 if (args[0] != '%' || args[1] != '\0')
45221 return -EINVAL;
45222
45223- if (bstop < 0 || bstop >= cache->bcull_percent)
45224+ if (bstop >= cache->bcull_percent)
45225 return cachefiles_daemon_range_error(cache, args);
45226
45227 cache->bstop_percent = bstop;
45228diff -urNp linux-2.6.32.48/fs/cachefiles/internal.h linux-2.6.32.48/fs/cachefiles/internal.h
45229--- linux-2.6.32.48/fs/cachefiles/internal.h 2011-11-08 19:02:43.000000000 -0500
45230+++ linux-2.6.32.48/fs/cachefiles/internal.h 2011-11-15 19:59:43.000000000 -0500
45231@@ -56,7 +56,7 @@ struct cachefiles_cache {
45232 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
45233 struct rb_root active_nodes; /* active nodes (can't be culled) */
45234 rwlock_t active_lock; /* lock for active_nodes */
45235- atomic_t gravecounter; /* graveyard uniquifier */
45236+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
45237 unsigned frun_percent; /* when to stop culling (% files) */
45238 unsigned fcull_percent; /* when to start culling (% files) */
45239 unsigned fstop_percent; /* when to stop allocating (% files) */
45240@@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
45241 * proc.c
45242 */
45243 #ifdef CONFIG_CACHEFILES_HISTOGRAM
45244-extern atomic_t cachefiles_lookup_histogram[HZ];
45245-extern atomic_t cachefiles_mkdir_histogram[HZ];
45246-extern atomic_t cachefiles_create_histogram[HZ];
45247+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
45248+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
45249+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
45250
45251 extern int __init cachefiles_proc_init(void);
45252 extern void cachefiles_proc_cleanup(void);
45253 static inline
45254-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
45255+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
45256 {
45257 unsigned long jif = jiffies - start_jif;
45258 if (jif >= HZ)
45259 jif = HZ - 1;
45260- atomic_inc(&histogram[jif]);
45261+ atomic_inc_unchecked(&histogram[jif]);
45262 }
45263
45264 #else
45265diff -urNp linux-2.6.32.48/fs/cachefiles/namei.c linux-2.6.32.48/fs/cachefiles/namei.c
45266--- linux-2.6.32.48/fs/cachefiles/namei.c 2011-11-08 19:02:43.000000000 -0500
45267+++ linux-2.6.32.48/fs/cachefiles/namei.c 2011-11-15 19:59:43.000000000 -0500
45268@@ -250,7 +250,7 @@ try_again:
45269 /* first step is to make up a grave dentry in the graveyard */
45270 sprintf(nbuffer, "%08x%08x",
45271 (uint32_t) get_seconds(),
45272- (uint32_t) atomic_inc_return(&cache->gravecounter));
45273+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
45274
45275 /* do the multiway lock magic */
45276 trap = lock_rename(cache->graveyard, dir);
45277diff -urNp linux-2.6.32.48/fs/cachefiles/proc.c linux-2.6.32.48/fs/cachefiles/proc.c
45278--- linux-2.6.32.48/fs/cachefiles/proc.c 2011-11-08 19:02:43.000000000 -0500
45279+++ linux-2.6.32.48/fs/cachefiles/proc.c 2011-11-15 19:59:43.000000000 -0500
45280@@ -14,9 +14,9 @@
45281 #include <linux/seq_file.h>
45282 #include "internal.h"
45283
45284-atomic_t cachefiles_lookup_histogram[HZ];
45285-atomic_t cachefiles_mkdir_histogram[HZ];
45286-atomic_t cachefiles_create_histogram[HZ];
45287+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
45288+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
45289+atomic_unchecked_t cachefiles_create_histogram[HZ];
45290
45291 /*
45292 * display the latency histogram
45293@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
45294 return 0;
45295 default:
45296 index = (unsigned long) v - 3;
45297- x = atomic_read(&cachefiles_lookup_histogram[index]);
45298- y = atomic_read(&cachefiles_mkdir_histogram[index]);
45299- z = atomic_read(&cachefiles_create_histogram[index]);
45300+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
45301+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
45302+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
45303 if (x == 0 && y == 0 && z == 0)
45304 return 0;
45305
45306diff -urNp linux-2.6.32.48/fs/cachefiles/rdwr.c linux-2.6.32.48/fs/cachefiles/rdwr.c
45307--- linux-2.6.32.48/fs/cachefiles/rdwr.c 2011-11-08 19:02:43.000000000 -0500
45308+++ linux-2.6.32.48/fs/cachefiles/rdwr.c 2011-11-15 19:59:43.000000000 -0500
45309@@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
45310 old_fs = get_fs();
45311 set_fs(KERNEL_DS);
45312 ret = file->f_op->write(
45313- file, (const void __user *) data, len, &pos);
45314+ file, (const void __force_user *) data, len, &pos);
45315 set_fs(old_fs);
45316 kunmap(page);
45317 if (ret != len)
45318diff -urNp linux-2.6.32.48/fs/cifs/cifs_debug.c linux-2.6.32.48/fs/cifs/cifs_debug.c
45319--- linux-2.6.32.48/fs/cifs/cifs_debug.c 2011-11-08 19:02:43.000000000 -0500
45320+++ linux-2.6.32.48/fs/cifs/cifs_debug.c 2011-11-15 19:59:43.000000000 -0500
45321@@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
45322 tcon = list_entry(tmp3,
45323 struct cifsTconInfo,
45324 tcon_list);
45325- atomic_set(&tcon->num_smbs_sent, 0);
45326- atomic_set(&tcon->num_writes, 0);
45327- atomic_set(&tcon->num_reads, 0);
45328- atomic_set(&tcon->num_oplock_brks, 0);
45329- atomic_set(&tcon->num_opens, 0);
45330- atomic_set(&tcon->num_posixopens, 0);
45331- atomic_set(&tcon->num_posixmkdirs, 0);
45332- atomic_set(&tcon->num_closes, 0);
45333- atomic_set(&tcon->num_deletes, 0);
45334- atomic_set(&tcon->num_mkdirs, 0);
45335- atomic_set(&tcon->num_rmdirs, 0);
45336- atomic_set(&tcon->num_renames, 0);
45337- atomic_set(&tcon->num_t2renames, 0);
45338- atomic_set(&tcon->num_ffirst, 0);
45339- atomic_set(&tcon->num_fnext, 0);
45340- atomic_set(&tcon->num_fclose, 0);
45341- atomic_set(&tcon->num_hardlinks, 0);
45342- atomic_set(&tcon->num_symlinks, 0);
45343- atomic_set(&tcon->num_locks, 0);
45344+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
45345+ atomic_set_unchecked(&tcon->num_writes, 0);
45346+ atomic_set_unchecked(&tcon->num_reads, 0);
45347+ atomic_set_unchecked(&tcon->num_oplock_brks, 0);
45348+ atomic_set_unchecked(&tcon->num_opens, 0);
45349+ atomic_set_unchecked(&tcon->num_posixopens, 0);
45350+ atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
45351+ atomic_set_unchecked(&tcon->num_closes, 0);
45352+ atomic_set_unchecked(&tcon->num_deletes, 0);
45353+ atomic_set_unchecked(&tcon->num_mkdirs, 0);
45354+ atomic_set_unchecked(&tcon->num_rmdirs, 0);
45355+ atomic_set_unchecked(&tcon->num_renames, 0);
45356+ atomic_set_unchecked(&tcon->num_t2renames, 0);
45357+ atomic_set_unchecked(&tcon->num_ffirst, 0);
45358+ atomic_set_unchecked(&tcon->num_fnext, 0);
45359+ atomic_set_unchecked(&tcon->num_fclose, 0);
45360+ atomic_set_unchecked(&tcon->num_hardlinks, 0);
45361+ atomic_set_unchecked(&tcon->num_symlinks, 0);
45362+ atomic_set_unchecked(&tcon->num_locks, 0);
45363 }
45364 }
45365 }
45366@@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
45367 if (tcon->need_reconnect)
45368 seq_puts(m, "\tDISCONNECTED ");
45369 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
45370- atomic_read(&tcon->num_smbs_sent),
45371- atomic_read(&tcon->num_oplock_brks));
45372+ atomic_read_unchecked(&tcon->num_smbs_sent),
45373+ atomic_read_unchecked(&tcon->num_oplock_brks));
45374 seq_printf(m, "\nReads: %d Bytes: %lld",
45375- atomic_read(&tcon->num_reads),
45376+ atomic_read_unchecked(&tcon->num_reads),
45377 (long long)(tcon->bytes_read));
45378 seq_printf(m, "\nWrites: %d Bytes: %lld",
45379- atomic_read(&tcon->num_writes),
45380+ atomic_read_unchecked(&tcon->num_writes),
45381 (long long)(tcon->bytes_written));
45382 seq_printf(m, "\nFlushes: %d",
45383- atomic_read(&tcon->num_flushes));
45384+ atomic_read_unchecked(&tcon->num_flushes));
45385 seq_printf(m, "\nLocks: %d HardLinks: %d "
45386 "Symlinks: %d",
45387- atomic_read(&tcon->num_locks),
45388- atomic_read(&tcon->num_hardlinks),
45389- atomic_read(&tcon->num_symlinks));
45390+ atomic_read_unchecked(&tcon->num_locks),
45391+ atomic_read_unchecked(&tcon->num_hardlinks),
45392+ atomic_read_unchecked(&tcon->num_symlinks));
45393 seq_printf(m, "\nOpens: %d Closes: %d "
45394 "Deletes: %d",
45395- atomic_read(&tcon->num_opens),
45396- atomic_read(&tcon->num_closes),
45397- atomic_read(&tcon->num_deletes));
45398+ atomic_read_unchecked(&tcon->num_opens),
45399+ atomic_read_unchecked(&tcon->num_closes),
45400+ atomic_read_unchecked(&tcon->num_deletes));
45401 seq_printf(m, "\nPosix Opens: %d "
45402 "Posix Mkdirs: %d",
45403- atomic_read(&tcon->num_posixopens),
45404- atomic_read(&tcon->num_posixmkdirs));
45405+ atomic_read_unchecked(&tcon->num_posixopens),
45406+ atomic_read_unchecked(&tcon->num_posixmkdirs));
45407 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
45408- atomic_read(&tcon->num_mkdirs),
45409- atomic_read(&tcon->num_rmdirs));
45410+ atomic_read_unchecked(&tcon->num_mkdirs),
45411+ atomic_read_unchecked(&tcon->num_rmdirs));
45412 seq_printf(m, "\nRenames: %d T2 Renames %d",
45413- atomic_read(&tcon->num_renames),
45414- atomic_read(&tcon->num_t2renames));
45415+ atomic_read_unchecked(&tcon->num_renames),
45416+ atomic_read_unchecked(&tcon->num_t2renames));
45417 seq_printf(m, "\nFindFirst: %d FNext %d "
45418 "FClose %d",
45419- atomic_read(&tcon->num_ffirst),
45420- atomic_read(&tcon->num_fnext),
45421- atomic_read(&tcon->num_fclose));
45422+ atomic_read_unchecked(&tcon->num_ffirst),
45423+ atomic_read_unchecked(&tcon->num_fnext),
45424+ atomic_read_unchecked(&tcon->num_fclose));
45425 }
45426 }
45427 }
45428diff -urNp linux-2.6.32.48/fs/cifs/cifsfs.c linux-2.6.32.48/fs/cifs/cifsfs.c
45429--- linux-2.6.32.48/fs/cifs/cifsfs.c 2011-11-08 19:02:43.000000000 -0500
45430+++ linux-2.6.32.48/fs/cifs/cifsfs.c 2011-11-15 19:59:43.000000000 -0500
45431@@ -869,7 +869,7 @@ cifs_init_request_bufs(void)
45432 cifs_req_cachep = kmem_cache_create("cifs_request",
45433 CIFSMaxBufSize +
45434 MAX_CIFS_HDR_SIZE, 0,
45435- SLAB_HWCACHE_ALIGN, NULL);
45436+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
45437 if (cifs_req_cachep == NULL)
45438 return -ENOMEM;
45439
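Review bot: `SLAB_USERCOPY` is added to the `cifs_request` cache here, and to `cifs_small_rq` in the next hunk, with no comment naming the copy to or from user space that needs it. The flag presumably exempts every object in the cache from the usercopy slab check. A short comment such as `/* SLAB_USERCOPY: request buffers are copied directly to/from user space by <call site> */`, with the actual call site filled in, would let a later reader confirm the exemption is still required. `cifs_init_request_bufs` starts and ends outside the hunk.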
45440@@ -896,7 +896,7 @@ cifs_init_request_bufs(void)
45441 efficient to alloc 1 per page off the slab compared to 17K (5page)
45442 alloc of large cifs buffers even when page debugging is on */
45443 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
45444- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
45445+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
45446 NULL);
45447 if (cifs_sm_req_cachep == NULL) {
45448 mempool_destroy(cifs_req_poolp);
45449@@ -991,8 +991,8 @@ init_cifs(void)
45450 atomic_set(&bufAllocCount, 0);
45451 atomic_set(&smBufAllocCount, 0);
45452 #ifdef CONFIG_CIFS_STATS2
45453- atomic_set(&totBufAllocCount, 0);
45454- atomic_set(&totSmBufAllocCount, 0);
45455+ atomic_set_unchecked(&totBufAllocCount, 0);
45456+ atomic_set_unchecked(&totSmBufAllocCount, 0);
45457 #endif /* CONFIG_CIFS_STATS2 */
45458
45459 atomic_set(&midCount, 0);
45460diff -urNp linux-2.6.32.48/fs/cifs/cifsglob.h linux-2.6.32.48/fs/cifs/cifsglob.h
45461--- linux-2.6.32.48/fs/cifs/cifsglob.h 2011-11-08 19:02:43.000000000 -0500
45462+++ linux-2.6.32.48/fs/cifs/cifsglob.h 2011-11-15 19:59:43.000000000 -0500
45463@@ -252,28 +252,28 @@ struct cifsTconInfo {
45464 __u16 Flags; /* optional support bits */
45465 enum statusEnum tidStatus;
45466 #ifdef CONFIG_CIFS_STATS
45467- atomic_t num_smbs_sent;
45468- atomic_t num_writes;
45469- atomic_t num_reads;
45470- atomic_t num_flushes;
45471- atomic_t num_oplock_brks;
45472- atomic_t num_opens;
45473- atomic_t num_closes;
45474- atomic_t num_deletes;
45475- atomic_t num_mkdirs;
45476- atomic_t num_posixopens;
45477- atomic_t num_posixmkdirs;
45478- atomic_t num_rmdirs;
45479- atomic_t num_renames;
45480- atomic_t num_t2renames;
45481- atomic_t num_ffirst;
45482- atomic_t num_fnext;
45483- atomic_t num_fclose;
45484- atomic_t num_hardlinks;
45485- atomic_t num_symlinks;
45486- atomic_t num_locks;
45487- atomic_t num_acl_get;
45488- atomic_t num_acl_set;
45489+ atomic_unchecked_t num_smbs_sent;
45490+ atomic_unchecked_t num_writes;
45491+ atomic_unchecked_t num_reads;
45492+ atomic_unchecked_t num_flushes;
45493+ atomic_unchecked_t num_oplock_brks;
45494+ atomic_unchecked_t num_opens;
45495+ atomic_unchecked_t num_closes;
45496+ atomic_unchecked_t num_deletes;
45497+ atomic_unchecked_t num_mkdirs;
45498+ atomic_unchecked_t num_posixopens;
45499+ atomic_unchecked_t num_posixmkdirs;
45500+ atomic_unchecked_t num_rmdirs;
45501+ atomic_unchecked_t num_renames;
45502+ atomic_unchecked_t num_t2renames;
45503+ atomic_unchecked_t num_ffirst;
45504+ atomic_unchecked_t num_fnext;
45505+ atomic_unchecked_t num_fclose;
45506+ atomic_unchecked_t num_hardlinks;
45507+ atomic_unchecked_t num_symlinks;
45508+ atomic_unchecked_t num_locks;
45509+ atomic_unchecked_t num_acl_get;
45510+ atomic_unchecked_t num_acl_set;
45511 #ifdef CONFIG_CIFS_STATS2
45512 unsigned long long time_writes;
45513 unsigned long long time_reads;
45514@@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
45515 }
45516
45517 #ifdef CONFIG_CIFS_STATS
45518-#define cifs_stats_inc atomic_inc
45519+#define cifs_stats_inc atomic_inc_unchecked
45520
45521 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
45522 unsigned int bytes)
45523@@ -701,8 +701,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnect
45524 /* Various Debug counters */
45525 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
45526 #ifdef CONFIG_CIFS_STATS2
45527-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
45528-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
45529+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
45530+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
45531 #endif
45532 GLOBAL_EXTERN atomic_t smBufAllocCount;
45533 GLOBAL_EXTERN atomic_t midCount;
45534diff -urNp linux-2.6.32.48/fs/cifs/link.c linux-2.6.32.48/fs/cifs/link.c
45535--- linux-2.6.32.48/fs/cifs/link.c 2011-11-08 19:02:43.000000000 -0500
45536+++ linux-2.6.32.48/fs/cifs/link.c 2011-11-15 19:59:43.000000000 -0500
45537@@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
45538
45539 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
45540 {
45541- char *p = nd_get_link(nd);
45542+ const char *p = nd_get_link(nd);
45543 if (!IS_ERR(p))
45544 kfree(p);
45545 }
45546diff -urNp linux-2.6.32.48/fs/cifs/misc.c linux-2.6.32.48/fs/cifs/misc.c
45547--- linux-2.6.32.48/fs/cifs/misc.c 2011-11-08 19:02:43.000000000 -0500
45548+++ linux-2.6.32.48/fs/cifs/misc.c 2011-11-15 19:59:43.000000000 -0500
45549@@ -155,7 +155,7 @@ cifs_buf_get(void)
45550 memset(ret_buf, 0, sizeof(struct smb_hdr) + 3);
45551 atomic_inc(&bufAllocCount);
45552 #ifdef CONFIG_CIFS_STATS2
45553- atomic_inc(&totBufAllocCount);
45554+ atomic_inc_unchecked(&totBufAllocCount);
45555 #endif /* CONFIG_CIFS_STATS2 */
45556 }
45557
45558@@ -190,7 +190,7 @@ cifs_small_buf_get(void)
45559 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
45560 atomic_inc(&smBufAllocCount);
45561 #ifdef CONFIG_CIFS_STATS2
45562- atomic_inc(&totSmBufAllocCount);
45563+ atomic_inc_unchecked(&totSmBufAllocCount);
45564 #endif /* CONFIG_CIFS_STATS2 */
45565
45566 }
45567diff -urNp linux-2.6.32.48/fs/coda/cache.c linux-2.6.32.48/fs/coda/cache.c
45568--- linux-2.6.32.48/fs/coda/cache.c 2011-11-08 19:02:43.000000000 -0500
45569+++ linux-2.6.32.48/fs/coda/cache.c 2011-11-15 19:59:43.000000000 -0500
45570@@ -24,14 +24,14 @@
45571 #include <linux/coda_fs_i.h>
45572 #include <linux/coda_cache.h>
45573
45574-static atomic_t permission_epoch = ATOMIC_INIT(0);
45575+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
45576
45577 /* replace or extend an acl cache hit */
45578 void coda_cache_enter(struct inode *inode, int mask)
45579 {
45580 struct coda_inode_info *cii = ITOC(inode);
45581
45582- cii->c_cached_epoch = atomic_read(&permission_epoch);
45583+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
45584 if (cii->c_uid != current_fsuid()) {
45585 cii->c_uid = current_fsuid();
45586 cii->c_cached_perm = mask;
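Review bot: The switch of `permission_epoch` to `atomic_unchecked_t` carries no comment saying why wrap-around is acceptable, so a later reader cannot tell a deliberate exemption from an oversight. The visible uses only store the value, subtract one from it, and compare it for equality in coda_cache_check(), which suggests a generation counter rather than a reference count. I would add above the declaration `/* generation counter, compared only for equality; wrapping is harmless, so it is exempt from overflow checking */`. The later hunks in this file (coda_cache_clear_inode, coda_cache_clear_all, coda_cache_check) follow from the same decision.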
45587@@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
45588 void coda_cache_clear_inode(struct inode *inode)
45589 {
45590 struct coda_inode_info *cii = ITOC(inode);
45591- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
45592+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
45593 }
45594
45595 /* remove all acl caches */
45596 void coda_cache_clear_all(struct super_block *sb)
45597 {
45598- atomic_inc(&permission_epoch);
45599+ atomic_inc_unchecked(&permission_epoch);
45600 }
45601
45602
45603@@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
45604
45605 hit = (mask & cii->c_cached_perm) == mask &&
45606 cii->c_uid == current_fsuid() &&
45607- cii->c_cached_epoch == atomic_read(&permission_epoch);
45608+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
45609
45610 return hit;
45611 }
45612diff -urNp linux-2.6.32.48/fs/compat_binfmt_elf.c linux-2.6.32.48/fs/compat_binfmt_elf.c
45613--- linux-2.6.32.48/fs/compat_binfmt_elf.c 2011-11-08 19:02:43.000000000 -0500
45614+++ linux-2.6.32.48/fs/compat_binfmt_elf.c 2011-11-15 19:59:43.000000000 -0500
45615@@ -29,10 +29,12 @@
45616 #undef elfhdr
45617 #undef elf_phdr
45618 #undef elf_note
45619+#undef elf_dyn
45620 #undef elf_addr_t
45621 #define elfhdr elf32_hdr
45622 #define elf_phdr elf32_phdr
45623 #define elf_note elf32_note
45624+#define elf_dyn Elf32_Dyn
45625 #define elf_addr_t Elf32_Addr
45626
45627 /*
45628diff -urNp linux-2.6.32.48/fs/compat.c linux-2.6.32.48/fs/compat.c
45629--- linux-2.6.32.48/fs/compat.c 2011-11-08 19:02:43.000000000 -0500
45630+++ linux-2.6.32.48/fs/compat.c 2011-11-15 19:59:43.000000000 -0500
45631@@ -133,8 +133,8 @@ asmlinkage long compat_sys_utimes(char _
45632 static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf)
45633 {
45634 compat_ino_t ino = stat->ino;
45635- typeof(ubuf->st_uid) uid = 0;
45636- typeof(ubuf->st_gid) gid = 0;
45637+ typeof(((struct compat_stat *)0)->st_uid) uid = 0;
45638+ typeof(((struct compat_stat *)0)->st_gid) gid = 0;
45639 int err;
45640
45641 SET_UID(uid, stat->uid);
45642@@ -533,7 +533,7 @@ compat_sys_io_setup(unsigned nr_reqs, u3
45643
45644 set_fs(KERNEL_DS);
45645 /* The __user pointer cast is valid because of the set_fs() */
45646- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
45647+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
45648 set_fs(oldfs);
45649 /* truncating is ok because it's a user address */
45650 if (!ret)
45651@@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
45652
45653 struct compat_readdir_callback {
45654 struct compat_old_linux_dirent __user *dirent;
45655+ struct file * file;
45656 int result;
45657 };
45658
45659@@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
45660 buf->result = -EOVERFLOW;
45661 return -EOVERFLOW;
45662 }
45663+
45664+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45665+ return 0;
45666+
45667 buf->result++;
45668 dirent = buf->dirent;
45669 if (!access_ok(VERIFY_WRITE, dirent,
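Review bot: The `gr_acl_handle_filldir()` filter sits after the `-EOVERFLOW` return, so an entry the policy would hide can still fail the whole readdir, and thereby show that it exists, when the earlier test (presumably the inode-number range check) trips on it. Moving the added `if (!gr_acl_handle_filldir(buf->file, name, namlen, ino)) return 0;` above that test would keep hidden entries invisible on every path. The same ordering appears in the compat_filldir hunk and, after the `reclen > buf->count` test, in the compat_filldir64 hunk. The start of compat_fillonedir is outside this hunk, so any earlier checks there deserve the same look.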
45670@@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
45671
45672 buf.result = 0;
45673 buf.dirent = dirent;
45674+ buf.file = file;
45675
45676 error = vfs_readdir(file, compat_fillonedir, &buf);
45677 if (buf.result)
45678@@ -899,6 +905,7 @@ struct compat_linux_dirent {
45679 struct compat_getdents_callback {
45680 struct compat_linux_dirent __user *current_dir;
45681 struct compat_linux_dirent __user *previous;
45682+ struct file * file;
45683 int count;
45684 int error;
45685 };
45686@@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
45687 buf->error = -EOVERFLOW;
45688 return -EOVERFLOW;
45689 }
45690+
45691+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45692+ return 0;
45693+
45694 dirent = buf->previous;
45695 if (dirent) {
45696 if (__put_user(offset, &dirent->d_off))
45697@@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
45698 buf.previous = NULL;
45699 buf.count = count;
45700 buf.error = 0;
45701+ buf.file = file;
45702
45703 error = vfs_readdir(file, compat_filldir, &buf);
45704 if (error >= 0)
45705@@ -987,6 +999,7 @@ out:
45706 struct compat_getdents_callback64 {
45707 struct linux_dirent64 __user *current_dir;
45708 struct linux_dirent64 __user *previous;
45709+ struct file * file;
45710 int count;
45711 int error;
45712 };
45713@@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
45714 buf->error = -EINVAL; /* only used if we fail.. */
45715 if (reclen > buf->count)
45716 return -EINVAL;
45717+
45718+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
45719+ return 0;
45720+
45721 dirent = buf->previous;
45722
45723 if (dirent) {
45724@@ -1054,13 +1071,14 @@ asmlinkage long compat_sys_getdents64(un
45725 buf.previous = NULL;
45726 buf.count = count;
45727 buf.error = 0;
45728+ buf.file = file;
45729
45730 error = vfs_readdir(file, compat_filldir64, &buf);
45731 if (error >= 0)
45732 error = buf.error;
45733 lastdirent = buf.previous;
45734 if (lastdirent) {
45735- typeof(lastdirent->d_off) d_off = file->f_pos;
45736+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
45737 if (__put_user_unaligned(d_off, &lastdirent->d_off))
45738 error = -EFAULT;
45739 else
45740@@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
45741 * verify all the pointers
45742 */
45743 ret = -EINVAL;
45744- if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
45745+ if (nr_segs > UIO_MAXIOV)
45746 goto out;
45747 if (!file->f_op)
45748 goto out;
45749@@ -1463,11 +1481,35 @@ int compat_do_execve(char * filename,
45750 compat_uptr_t __user *envp,
45751 struct pt_regs * regs)
45752 {
45753+#ifdef CONFIG_GRKERNSEC
45754+ struct file *old_exec_file;
45755+ struct acl_subject_label *old_acl;
45756+ struct rlimit old_rlim[RLIM_NLIMITS];
45757+#endif
45758 struct linux_binprm *bprm;
45759 struct file *file;
45760 struct files_struct *displaced;
45761 bool clear_in_exec;
45762 int retval;
45763+ const struct cred *cred = current_cred();
45764+
45765+ /*
45766+ * We move the actual failure in case of RLIMIT_NPROC excess from
45767+ * set*uid() to execve() because too many poorly written programs
45768+ * don't check setuid() return code. Here we additionally recheck
45769+ * whether NPROC limit is still exceeded.
45770+ */
45771+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
45772+
45773+ if ((current->flags & PF_NPROC_EXCEEDED) &&
45774+ atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
45775+ retval = -EAGAIN;
45776+ goto out_ret;
45777+ }
45778+
45779+ /* We're below the limit (still or again), so we don't want to make
45780+ * further execve() calls fail. */
45781+ current->flags &= ~PF_NPROC_EXCEEDED;
45782
45783 retval = unshare_files(&displaced);
45784 if (retval)
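Review bot: The process count is read through two different spellings within four lines: `gr_learn_resource()` uses `current->cred->user->processes`, while the limit test uses the local `cred` taken from `current_cred()`. Using `cred->user->processes` in both places makes it obvious that the learned value and the enforced value come from the same credentials. The `goto out_ret` target is outside this hunk, so I cannot confirm from here that it skips the `displaced` cleanup, which has not been set up yet at this point. do_execve() in fs/exec.c receives the same lines in its own hunk.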
45785@@ -1499,6 +1541,15 @@ int compat_do_execve(char * filename,
45786 bprm->filename = filename;
45787 bprm->interp = filename;
45788
45789+ if (gr_process_user_ban()) {
45790+ retval = -EPERM;
45791+ goto out_file;
45792+ }
45793+
45794+ retval = -EACCES;
45795+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
45796+ goto out_file;
45797+
45798 retval = bprm_mm_init(bprm);
45799 if (retval)
45800 goto out_file;
45801@@ -1528,9 +1579,40 @@ int compat_do_execve(char * filename,
45802 if (retval < 0)
45803 goto out;
45804
45805+ if (!gr_tpe_allow(file)) {
45806+ retval = -EACCES;
45807+ goto out;
45808+ }
45809+
45810+ if (gr_check_crash_exec(file)) {
45811+ retval = -EACCES;
45812+ goto out;
45813+ }
45814+
45815+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
45816+
45817+ gr_handle_exec_args_compat(bprm, argv);
45818+
45819+#ifdef CONFIG_GRKERNSEC
45820+ old_acl = current->acl;
45821+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
45822+ old_exec_file = current->exec_file;
45823+ get_file(file);
45824+ current->exec_file = file;
45825+#endif
45826+
45827+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
45828+ bprm->unsafe & LSM_UNSAFE_SHARE);
45829+ if (retval < 0)
45830+ goto out_fail;
45831+
45832 retval = search_binary_handler(bprm, regs);
45833 if (retval < 0)
45834- goto out;
45835+ goto out_fail;
45836+#ifdef CONFIG_GRKERNSEC
45837+ if (old_exec_file)
45838+ fput(old_exec_file);
45839+#endif
45840
45841 /* execve succeeded */
45842 current->fs->in_exec = 0;
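Review bot: The rlimit snapshot `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` and the matching restore under `out_fail` in the next hunk copy the whole array without holding any lock visible here. If, as in the setrlimit path of this kernel, `signal->rlim` is updated under `task_lock(current->group_leader)`, a sibling thread changing a limit in that window can be read torn or silently reverted by the restore. I would bracket both copies with `task_lock(current->group_leader);` / `task_unlock(current->group_leader);` and, on failure, restore only what gr_set_proc_label() changed. do_execve() in fs/exec.c gets the identical code in its own hunks, and the function body extends beyond this hunk.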
45843@@ -1541,6 +1623,14 @@ int compat_do_execve(char * filename,
45844 put_files_struct(displaced);
45845 return retval;
45846
45847+out_fail:
45848+#ifdef CONFIG_GRKERNSEC
45849+ current->acl = old_acl;
45850+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
45851+ fput(current->exec_file);
45852+ current->exec_file = old_exec_file;
45853+#endif
45854+
45855 out:
45856 if (bprm->mm) {
45857 acct_arg_size(bprm, 0);
45858@@ -1711,6 +1801,8 @@ int compat_core_sys_select(int n, compat
45859 struct fdtable *fdt;
45860 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
45861
45862+ pax_track_stack();
45863+
45864 if (n < 0)
45865 goto out_nofds;
45866
45867@@ -2151,7 +2243,7 @@ asmlinkage long compat_sys_nfsservctl(in
45868 oldfs = get_fs();
45869 set_fs(KERNEL_DS);
45870 /* The __user pointer casts are valid because of the set_fs() */
45871- err = sys_nfsservctl(cmd, (void __user *) karg, (void __user *) kres);
45872+ err = sys_nfsservctl(cmd, (void __force_user *) karg, (void __force_user *) kres);
45873 set_fs(oldfs);
45874
45875 if (err)
45876diff -urNp linux-2.6.32.48/fs/compat_ioctl.c linux-2.6.32.48/fs/compat_ioctl.c
45877--- linux-2.6.32.48/fs/compat_ioctl.c 2011-11-08 19:02:43.000000000 -0500
45878+++ linux-2.6.32.48/fs/compat_ioctl.c 2011-11-15 19:59:43.000000000 -0500
45879@@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
45880 up = (struct compat_video_spu_palette __user *) arg;
45881 err = get_user(palp, &up->palette);
45882 err |= get_user(length, &up->length);
45883+ if (err)
45884+ return -EFAULT;
45885
45886 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
45887 err = put_user(compat_ptr(palp), &up_native->palette);
45888@@ -1513,7 +1515,7 @@ static int serial_struct_ioctl(unsigned
45889 return -EFAULT;
45890 if (__get_user(udata, &ss32->iomem_base))
45891 return -EFAULT;
45892- ss.iomem_base = compat_ptr(udata);
45893+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
45894 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
45895 __get_user(ss.port_high, &ss32->port_high))
45896 return -EFAULT;
45897@@ -1809,7 +1811,7 @@ static int compat_ioctl_preallocate(stru
45898 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
45899 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
45900 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
45901- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
45902+ copy_in_user(p->l_pad, &p32->l_pad, 4*sizeof(u32)))
45903 return -EFAULT;
45904
45905 return ioctl_preallocate(file, p);
45906diff -urNp linux-2.6.32.48/fs/configfs/dir.c linux-2.6.32.48/fs/configfs/dir.c
45907--- linux-2.6.32.48/fs/configfs/dir.c 2011-11-08 19:02:43.000000000 -0500
45908+++ linux-2.6.32.48/fs/configfs/dir.c 2011-11-15 19:59:43.000000000 -0500
45909@@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
45910 }
45911 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
45912 struct configfs_dirent *next;
45913- const char * name;
45914+ const unsigned char * name;
45915+ char d_name[sizeof(next->s_dentry->d_iname)];
45916 int len;
45917
45918 next = list_entry(p, struct configfs_dirent,
45919@@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
45920 continue;
45921
45922 name = configfs_get_name(next);
45923- len = strlen(name);
45924+ if (next->s_dentry && name == next->s_dentry->d_iname) {
45925+ len = next->s_dentry->d_name.len;
45926+ memcpy(d_name, name, len);
45927+ name = d_name;
45928+ } else
45929+ len = strlen(name);
45930 if (next->s_dentry)
45931 ino = next->s_dentry->d_inode->i_ino;
45932 else
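Review bot: `memcpy(d_name, name, len)` trusts `d_name.len` to fit the `sizeof(next->s_dentry->d_iname)` stack buffer declared in the previous hunk, with no bound check. The `name == next->s_dentry->d_iname` test presumably implies an inline name that fits, but the length is read separately from the pointer comparison, so a cheap clamp keeps the stack copy safe even if the two are momentarily inconsistent: `if (len >= sizeof(d_name)) len = sizeof(d_name) - 1;` before the memcpy. A one-line comment stating why the inline name is copied to the stack (presumably to hand filldir a stable snapshot) would also help. The loop body starts and ends outside this hunk.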
45933diff -urNp linux-2.6.32.48/fs/dcache.c linux-2.6.32.48/fs/dcache.c
45934--- linux-2.6.32.48/fs/dcache.c 2011-11-08 19:02:43.000000000 -0500
45935+++ linux-2.6.32.48/fs/dcache.c 2011-11-15 19:59:43.000000000 -0500
45936@@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
45937
45938 static struct kmem_cache *dentry_cache __read_mostly;
45939
45940-#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
45941-
45942 /*
45943 * This is the single most critical data structure when it comes
45944 * to the dcache: the hashtable for lookups. Somebody should try
45945@@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
45946 mempages -= reserve;
45947
45948 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
45949- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
45950+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
45951
45952 dcache_init();
45953 inode_init();
45954diff -urNp linux-2.6.32.48/fs/dlm/lockspace.c linux-2.6.32.48/fs/dlm/lockspace.c
45955--- linux-2.6.32.48/fs/dlm/lockspace.c 2011-11-08 19:02:43.000000000 -0500
45956+++ linux-2.6.32.48/fs/dlm/lockspace.c 2011-11-15 19:59:43.000000000 -0500
45957@@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
45958 kfree(ls);
45959 }
45960
45961-static struct sysfs_ops dlm_attr_ops = {
45962+static const struct sysfs_ops dlm_attr_ops = {
45963 .show = dlm_attr_show,
45964 .store = dlm_attr_store,
45965 };
45966diff -urNp linux-2.6.32.48/fs/ecryptfs/inode.c linux-2.6.32.48/fs/ecryptfs/inode.c
45967--- linux-2.6.32.48/fs/ecryptfs/inode.c 2011-11-08 19:02:43.000000000 -0500
45968+++ linux-2.6.32.48/fs/ecryptfs/inode.c 2011-11-15 19:59:43.000000000 -0500
45969@@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
45970 old_fs = get_fs();
45971 set_fs(get_ds());
45972 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
45973- (char __user *)lower_buf,
45974+ (char __force_user *)lower_buf,
45975 lower_bufsiz);
45976 set_fs(old_fs);
45977 if (rc < 0)
45978@@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
45979 }
45980 old_fs = get_fs();
45981 set_fs(get_ds());
45982- rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
45983+ rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
45984 set_fs(old_fs);
45985 if (rc < 0)
45986 goto out_free;
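Review bot: This cast is spelled `(__force char __user *)buf`, while the ecryptfs_readlink_lower hunk directly above uses the `__force_user` shorthand for the same set_fs()/readlink pattern. Assuming the two are equivalent, using one spelling in both, `(char __force_user *)buf`, keeps the address-space overrides easy to grep for and audit. Neither call site has the "cast is valid because of the set_fs()" comment that the compat.c and kernel_read() hunks carry; adding `/* kernel buffer passed as __user: valid only inside the set_fs(get_ds()) window */` would document why the override is safe. The function body extends beyond the hunk.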
45987diff -urNp linux-2.6.32.48/fs/exec.c linux-2.6.32.48/fs/exec.c
45988--- linux-2.6.32.48/fs/exec.c 2011-11-08 19:02:43.000000000 -0500
45989+++ linux-2.6.32.48/fs/exec.c 2011-11-18 18:01:52.000000000 -0500
45990@@ -56,12 +56,24 @@
45991 #include <linux/fsnotify.h>
45992 #include <linux/fs_struct.h>
45993 #include <linux/pipe_fs_i.h>
45994+#include <linux/random.h>
45995+#include <linux/seq_file.h>
45996+
45997+#ifdef CONFIG_PAX_REFCOUNT
45998+#include <linux/kallsyms.h>
45999+#include <linux/kdebug.h>
46000+#endif
46001
46002 #include <asm/uaccess.h>
46003 #include <asm/mmu_context.h>
46004 #include <asm/tlb.h>
46005 #include "internal.h"
46006
46007+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
46008+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46009+EXPORT_SYMBOL(pax_set_initial_flags_func);
46010+#endif
46011+
46012 int core_uses_pid;
46013 char core_pattern[CORENAME_MAX_SIZE] = "core";
46014 unsigned int core_pipe_limit;
46015@@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
46016 goto out;
46017
46018 file = do_filp_open(AT_FDCWD, tmp,
46019- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
46020+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
46021 MAY_READ | MAY_EXEC | MAY_OPEN);
46022 putname(tmp);
46023 error = PTR_ERR(file);
46024@@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
46025 int write)
46026 {
46027 struct page *page;
46028- int ret;
46029
46030-#ifdef CONFIG_STACK_GROWSUP
46031- if (write) {
46032- ret = expand_stack_downwards(bprm->vma, pos);
46033- if (ret < 0)
46034- return NULL;
46035- }
46036-#endif
46037- ret = get_user_pages(current, bprm->mm, pos,
46038- 1, write, 1, &page, NULL);
46039- if (ret <= 0)
46040+ if (0 > expand_stack_downwards(bprm->vma, pos))
46041+ return NULL;
46042+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
46043 return NULL;
46044
46045 if (write) {
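Review bot: The two new conditions are written constant-first (`0 > expand_stack_downwards(...)`, `0 >= get_user_pages(...)`), which is unusual for this code and pushes the comparison away from the call it tests. I would write `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)`. The change also drops both the `CONFIG_STACK_GROWSUP` guard and the `if (write)` test, so the expansion now runs on read accesses and in every configuration; a short comment saying this is intended would stop someone restoring the guard later. get_arg_page continues past the hunk.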
46046@@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
46047 vma->vm_end = STACK_TOP_MAX;
46048 vma->vm_start = vma->vm_end - PAGE_SIZE;
46049 vma->vm_flags = VM_STACK_FLAGS;
46050+
46051+#ifdef CONFIG_PAX_SEGMEXEC
46052+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
46053+#endif
46054+
46055 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
46056
46057 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
46058@@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
46059 mm->stack_vm = mm->total_vm = 1;
46060 up_write(&mm->mmap_sem);
46061 bprm->p = vma->vm_end - sizeof(void *);
46062+
46063+#ifdef CONFIG_PAX_RANDUSTACK
46064+ if (randomize_va_space)
46065+ bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
46066+#endif
46067+
46068 return 0;
46069 err:
46070 up_write(&mm->mmap_sem);
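Review bot: The added `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` has no comment, and the double mask is easy to misread. As written it can flip only bits 4 up to PAGE_SHIFT-1, so the initial stack pointer keeps its low four bits and stays inside the single page set up in the previous hunk (`vm_start = vm_end - PAGE_SIZE`). Suggested comment: `/* randomize the in-page offset of the initial stack pointer, keeping the low 4 bits */`. __bprm_mm_init starts outside the hunk.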
46071@@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
46072 int r;
46073 mm_segment_t oldfs = get_fs();
46074 set_fs(KERNEL_DS);
46075- r = copy_strings(argc, (char __user * __user *)argv, bprm);
46076+ r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
46077 set_fs(oldfs);
46078 return r;
46079 }
46080@@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
46081 unsigned long new_end = old_end - shift;
46082 struct mmu_gather *tlb;
46083
46084- BUG_ON(new_start > new_end);
46085+ if (new_start >= new_end || new_start < mmap_min_addr)
46086+ return -ENOMEM;
46087
46088 /*
46089 * ensure there are no vmas between where we want to go
46090@@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
46091 if (vma != find_vma(mm, new_start))
46092 return -EFAULT;
46093
46094+#ifdef CONFIG_PAX_SEGMEXEC
46095+ BUG_ON(pax_find_mirror_vma(vma));
46096+#endif
46097+
46098 /*
46099 * cover the whole range: [new_start, old_end)
46100 */
46101@@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
46102 stack_top = arch_align_stack(stack_top);
46103 stack_top = PAGE_ALIGN(stack_top);
46104
46105- if (unlikely(stack_top < mmap_min_addr) ||
46106- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
46107- return -ENOMEM;
46108-
46109 stack_shift = vma->vm_end - stack_top;
46110
46111 bprm->p -= stack_shift;
46112@@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
46113 bprm->exec -= stack_shift;
46114
46115 down_write(&mm->mmap_sem);
46116+
46117+ /* Move stack pages down in memory. */
46118+ if (stack_shift) {
46119+ ret = shift_arg_pages(vma, stack_shift);
46120+ if (ret)
46121+ goto out_unlock;
46122+ }
46123+
46124 vm_flags = VM_STACK_FLAGS;
46125
46126 /*
46127@@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
46128 vm_flags &= ~VM_EXEC;
46129 vm_flags |= mm->def_flags;
46130
46131+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
46132+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
46133+ vm_flags &= ~VM_EXEC;
46134+
46135+#ifdef CONFIG_PAX_MPROTECT
46136+ if (mm->pax_flags & MF_PAX_MPROTECT)
46137+ vm_flags &= ~VM_MAYEXEC;
46138+#endif
46139+
46140+ }
46141+#endif
46142+
46143 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
46144 vm_flags);
46145 if (ret)
46146 goto out_unlock;
46147 BUG_ON(prev != vma);
46148
46149- /* Move stack pages down in memory. */
46150- if (stack_shift) {
46151- ret = shift_arg_pages(vma, stack_shift);
46152- if (ret)
46153- goto out_unlock;
46154- }
46155-
46156 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
46157 stack_size = vma->vm_end - vma->vm_start;
46158 /*
46159@@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
46160 int err;
46161
46162 file = do_filp_open(AT_FDCWD, name,
46163- O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
46164+ O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
46165 MAY_EXEC | MAY_OPEN);
46166 if (IS_ERR(file))
46167 goto out;
46168@@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
46169 old_fs = get_fs();
46170 set_fs(get_ds());
46171 /* The cast to a user pointer is valid due to the set_fs() */
46172- result = vfs_read(file, (void __user *)addr, count, &pos);
46173+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
46174 set_fs(old_fs);
46175 return result;
46176 }
46177@@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
46178 }
46179 rcu_read_unlock();
46180
46181- if (p->fs->users > n_fs) {
46182+ if (atomic_read(&p->fs->users) > n_fs) {
46183 bprm->unsafe |= LSM_UNSAFE_SHARE;
46184 } else {
46185 res = -EAGAIN;
46186@@ -1347,11 +1376,35 @@ int do_execve(char * filename,
46187 char __user *__user *envp,
46188 struct pt_regs * regs)
46189 {
46190+#ifdef CONFIG_GRKERNSEC
46191+ struct file *old_exec_file;
46192+ struct acl_subject_label *old_acl;
46193+ struct rlimit old_rlim[RLIM_NLIMITS];
46194+#endif
46195 struct linux_binprm *bprm;
46196 struct file *file;
46197 struct files_struct *displaced;
46198 bool clear_in_exec;
46199 int retval;
46200+ const struct cred *cred = current_cred();
46201+
46202+ /*
46203+ * We move the actual failure in case of RLIMIT_NPROC excess from
46204+ * set*uid() to execve() because too many poorly written programs
46205+ * don't check setuid() return code. Here we additionally recheck
46206+ * whether NPROC limit is still exceeded.
46207+ */
46208+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
46209+
46210+ if ((current->flags & PF_NPROC_EXCEEDED) &&
46211+ atomic_read(&cred->user->processes) > current->signal->rlim[RLIMIT_NPROC].rlim_cur) {
46212+ retval = -EAGAIN;
46213+ goto out_ret;
46214+ }
46215+
46216+ /* We're below the limit (still or again), so we don't want to make
46217+ * further execve() calls fail. */
46218+ current->flags &= ~PF_NPROC_EXCEEDED;
46219
46220 retval = unshare_files(&displaced);
46221 if (retval)
46222@@ -1383,6 +1436,16 @@ int do_execve(char * filename,
46223 bprm->filename = filename;
46224 bprm->interp = filename;
46225
46226+ if (gr_process_user_ban()) {
46227+ retval = -EPERM;
46228+ goto out_file;
46229+ }
46230+
46231+ if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
46232+ retval = -EACCES;
46233+ goto out_file;
46234+ }
46235+
46236 retval = bprm_mm_init(bprm);
46237 if (retval)
46238 goto out_file;
46239@@ -1412,10 +1475,41 @@ int do_execve(char * filename,
46240 if (retval < 0)
46241 goto out;
46242
46243+ if (!gr_tpe_allow(file)) {
46244+ retval = -EACCES;
46245+ goto out;
46246+ }
46247+
46248+ if (gr_check_crash_exec(file)) {
46249+ retval = -EACCES;
46250+ goto out;
46251+ }
46252+
46253+ gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
46254+
46255+ gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
46256+
46257+#ifdef CONFIG_GRKERNSEC
46258+ old_acl = current->acl;
46259+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
46260+ old_exec_file = current->exec_file;
46261+ get_file(file);
46262+ current->exec_file = file;
46263+#endif
46264+
46265+ retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
46266+ bprm->unsafe & LSM_UNSAFE_SHARE);
46267+ if (retval < 0)
46268+ goto out_fail;
46269+
46270 current->flags &= ~PF_KTHREAD;
46271 retval = search_binary_handler(bprm,regs);
46272 if (retval < 0)
46273- goto out;
46274+ goto out_fail;
46275+#ifdef CONFIG_GRKERNSEC
46276+ if (old_exec_file)
46277+ fput(old_exec_file);
46278+#endif
46279
46280 /* execve succeeded */
46281 current->fs->in_exec = 0;
46282@@ -1426,6 +1520,14 @@ int do_execve(char * filename,
46283 put_files_struct(displaced);
46284 return retval;
46285
46286+out_fail:
46287+#ifdef CONFIG_GRKERNSEC
46288+ current->acl = old_acl;
46289+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
46290+ fput(current->exec_file);
46291+ current->exec_file = old_exec_file;
46292+#endif
46293+
46294 out:
46295 if (bprm->mm) {
46296 acct_arg_size(bprm, 0);
46297@@ -1591,6 +1693,220 @@ out:
46298 return ispipe;
46299 }
46300
46301+int pax_check_flags(unsigned long *flags)
46302+{
46303+ int retval = 0;
46304+
46305+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
46306+ if (*flags & MF_PAX_SEGMEXEC)
46307+ {
46308+ *flags &= ~MF_PAX_SEGMEXEC;
46309+ retval = -EINVAL;
46310+ }
46311+#endif
46312+
46313+ if ((*flags & MF_PAX_PAGEEXEC)
46314+
46315+#ifdef CONFIG_PAX_PAGEEXEC
46316+ && (*flags & MF_PAX_SEGMEXEC)
46317+#endif
46318+
46319+ )
46320+ {
46321+ *flags &= ~MF_PAX_PAGEEXEC;
46322+ retval = -EINVAL;
46323+ }
46324+
46325+ if ((*flags & MF_PAX_MPROTECT)
46326+
46327+#ifdef CONFIG_PAX_MPROTECT
46328+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
46329+#endif
46330+
46331+ )
46332+ {
46333+ *flags &= ~MF_PAX_MPROTECT;
46334+ retval = -EINVAL;
46335+ }
46336+
46337+ if ((*flags & MF_PAX_EMUTRAMP)
46338+
46339+#ifdef CONFIG_PAX_EMUTRAMP
46340+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
46341+#endif
46342+
46343+ )
46344+ {
46345+ *flags &= ~MF_PAX_EMUTRAMP;
46346+ retval = -EINVAL;
46347+ }
46348+
46349+ return retval;
46350+}
46351+
46352+EXPORT_SYMBOL(pax_check_flags);
46353+
46354+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
46355+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
46356+{
46357+ struct task_struct *tsk = current;
46358+ struct mm_struct *mm = current->mm;
46359+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
46360+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
46361+ char *path_exec = NULL;
46362+ char *path_fault = NULL;
46363+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
46364+
46365+ if (buffer_exec && buffer_fault) {
46366+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
46367+
46368+ down_read(&mm->mmap_sem);
46369+ vma = mm->mmap;
46370+ while (vma && (!vma_exec || !vma_fault)) {
46371+ if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
46372+ vma_exec = vma;
46373+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
46374+ vma_fault = vma;
46375+ vma = vma->vm_next;
46376+ }
46377+ if (vma_exec) {
46378+ path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
46379+ if (IS_ERR(path_exec))
46380+ path_exec = "<path too long>";
46381+ else {
46382+ path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
46383+ if (path_exec) {
46384+ *path_exec = 0;
46385+ path_exec = buffer_exec;
46386+ } else
46387+ path_exec = "<path too long>";
46388+ }
46389+ }
46390+ if (vma_fault) {
46391+ start = vma_fault->vm_start;
46392+ end = vma_fault->vm_end;
46393+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
46394+ if (vma_fault->vm_file) {
46395+ path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
46396+ if (IS_ERR(path_fault))
46397+ path_fault = "<path too long>";
46398+ else {
46399+ path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
46400+ if (path_fault) {
46401+ *path_fault = 0;
46402+ path_fault = buffer_fault;
46403+ } else
46404+ path_fault = "<path too long>";
46405+ }
46406+ } else
46407+ path_fault = "<anonymous mapping>";
46408+ }
46409+ up_read(&mm->mmap_sem);
46410+ }
46411+ if (tsk->signal->curr_ip)
46412+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
46413+ else
46414+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
46415+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
46416+ "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
46417+ task_uid(tsk), task_euid(tsk), pc, sp);
46418+ free_page((unsigned long)buffer_exec);
46419+ free_page((unsigned long)buffer_fault);
46420+ pax_report_insns(regs, pc, sp);
46421+ do_coredump(SIGKILL, SIGKILL, regs);
46422+}
46423+#endif
46424+
46425+#ifdef CONFIG_PAX_REFCOUNT
46426+void pax_report_refcount_overflow(struct pt_regs *regs)
46427+{
46428+ if (current->signal->curr_ip)
46429+ printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46430+ &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
46431+ else
46432+ printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
46433+ current->comm, task_pid_nr(current), current_uid(), current_euid());
46434+ print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
46435+ show_regs(regs);
46436+ force_sig_specific(SIGKILL, current);
46437+}
46438+#endif
46439+
46440+#ifdef CONFIG_PAX_USERCOPY
46441+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
46442+int object_is_on_stack(const void *obj, unsigned long len)
46443+{
46444+ const void * const stack = task_stack_page(current);
46445+ const void * const stackend = stack + THREAD_SIZE;
46446+
46447+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46448+ const void *frame = NULL;
46449+ const void *oldframe;
46450+#endif
46451+
46452+ if (obj + len < obj)
46453+ return -1;
46454+
46455+ if (obj + len <= stack || stackend <= obj)
46456+ return 0;
46457+
46458+ if (obj < stack || stackend < obj + len)
46459+ return -1;
46460+
46461+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
46462+ oldframe = __builtin_frame_address(1);
46463+ if (oldframe)
46464+ frame = __builtin_frame_address(2);
46465+ /*
46466+ low ----------------------------------------------> high
46467+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
46468+ ^----------------^
46469+ allow copies only within here
46470+ */
46471+ while (stack <= frame && frame < stackend) {
46472+ /* if obj + len extends past the last frame, this
46473+ check won't pass and the next frame will be 0,
46474+ causing us to bail out and correctly report
46475+ the copy as invalid
46476+ */
46477+ if (obj + len <= frame)
46478+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
46479+ oldframe = frame;
46480+ frame = *(const void * const *)frame;
46481+ }
46482+ return -1;
46483+#else
46484+ return 1;
46485+#endif
46486+}
46487+
46488+
46489+NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
46490+{
46491+ if (current->signal->curr_ip)
46492+ printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46493+ &current->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46494+ else
46495+ printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
46496+ to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
46497+
46498+ dump_stack();
46499+ gr_handle_kernel_exploit();
46500+ do_group_exit(SIGKILL);
46501+}
46502+#endif
46503+
46504+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
46505+void pax_track_stack(void)
46506+{
46507+ unsigned long sp = (unsigned long)&sp;
46508+ if (sp < current_thread_info()->lowest_stack &&
46509+ sp > (unsigned long)task_stack_page(current))
46510+ current_thread_info()->lowest_stack = sp;
46511+}
46512+EXPORT_SYMBOL(pax_track_stack);
46513+#endif
46514+
46515 static int zap_process(struct task_struct *start)
46516 {
46517 struct task_struct *t;
46518@@ -1793,17 +2109,17 @@ static void wait_for_dump_helpers(struct
46519 pipe = file->f_path.dentry->d_inode->i_pipe;
46520
46521 pipe_lock(pipe);
46522- pipe->readers++;
46523- pipe->writers--;
46524+ atomic_inc(&pipe->readers);
46525+ atomic_dec(&pipe->writers);
46526
46527- while ((pipe->readers > 1) && (!signal_pending(current))) {
46528+ while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
46529 wake_up_interruptible_sync(&pipe->wait);
46530 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
46531 pipe_wait(pipe);
46532 }
46533
46534- pipe->readers--;
46535- pipe->writers++;
46536+ atomic_dec(&pipe->readers);
46537+ atomic_inc(&pipe->writers);
46538 pipe_unlock(pipe);
46539
46540 }
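Review bot: The `pipe->readers`/`pipe->writers` updates converted to `atomic_inc()`/`atomic_dec()`/`atomic_read()` here still sit between `pipe_lock(pipe)` and `pipe_unlock(pipe)`, so nothing on the page tells a reader why the fields became atomic. If the purpose is overflow checking on the counters rather than lock-free access, a one-line comment above the first call would record it, e.g. `/* atomic_t for overflow detection; updates remain serialised by pipe_lock */`. The same conversion recurs in the fs/fifo.c hunks of fifo_open, where `pipe->r_counter++` and `pipe->w_counter++` stay plain increments next to the atomic calls, so the comment is worth repeating there. The field declarations and the start of wait_for_dump_helpers are outside this hunk.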
46541@@ -1826,10 +2142,13 @@ void do_coredump(long signr, int exit_co
46542 char **helper_argv = NULL;
46543 int helper_argc = 0;
46544 int dump_count = 0;
46545- static atomic_t core_dump_count = ATOMIC_INIT(0);
46546+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
46547
46548 audit_core_dumps(signr);
46549
46550+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
46551+ gr_handle_brute_attach(current, mm->flags);
46552+
46553 binfmt = mm->binfmt;
46554 if (!binfmt || !binfmt->core_dump)
46555 goto fail;
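Review bot: The added `gr_handle_brute_attach(current, mm->flags)` call has no comment explaining its signal list or its placement: it runs ahead of the `binfmt` check, so it fires even when the function then takes `goto fail`, and the list includes SIGKILL, which a reader would not expect on a core-dump path. A short comment should state which crash signals count toward brute-force detection and that the hook must run whether or not a dump is written. `core_dump_count` is also switched to `atomic_unchecked_t` here and in the two later do_coredump hunks, although it is an inc/dec-balanced counter compared against `core_pipe_limit`, not a free-running statistic. The reason for opting it out of overflow checking deserves a comment on the declaration. do_coredump begins and ends outside this hunk.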
46556@@ -1874,6 +2193,8 @@ void do_coredump(long signr, int exit_co
46557 */
46558 clear_thread_flag(TIF_SIGPENDING);
46559
46560+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
46561+
46562 /*
46563 * lock_kernel() because format_corename() is controlled by sysctl, which
46564 * uses lock_kernel()
46565@@ -1908,7 +2229,7 @@ void do_coredump(long signr, int exit_co
46566 goto fail_unlock;
46567 }
46568
46569- dump_count = atomic_inc_return(&core_dump_count);
46570+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
46571 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
46572 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
46573 task_tgid_vnr(current), current->comm);
46574@@ -1972,7 +2293,7 @@ close_fail:
46575 filp_close(file, NULL);
46576 fail_dropcount:
46577 if (dump_count)
46578- atomic_dec(&core_dump_count);
46579+ atomic_dec_unchecked(&core_dump_count);
46580 fail_unlock:
46581 if (helper_argv)
46582 argv_free(helper_argv);
46583diff -urNp linux-2.6.32.48/fs/ext2/balloc.c linux-2.6.32.48/fs/ext2/balloc.c
46584--- linux-2.6.32.48/fs/ext2/balloc.c 2011-11-08 19:02:43.000000000 -0500
46585+++ linux-2.6.32.48/fs/ext2/balloc.c 2011-11-15 19:59:43.000000000 -0500
46586@@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
46587
46588 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46589 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46590- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46591+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46592 sbi->s_resuid != current_fsuid() &&
46593 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46594 return 0;
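Review bot: `capable_nolog(CAP_SYS_RESOURCE)` replaces `capable()` with no comment, and its definition is not in this hunk; from the name it is presumably a capability test that skips the denial log entry. That would fit a check that runs on ordinary block allocations near the reserved threshold, where a failure is expected rather than suspicious. I would add `/* probe only: an unprivileged writer hitting the reserve is not a security event, so do not log it */` above the condition. The same comment applies to the ext3_has_free_blocks and ext4_has_free_blocks hunks that follow. It is also worth confirming that the non-logging variant keeps every other side effect of `capable()` that callers rely on.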
46595diff -urNp linux-2.6.32.48/fs/ext3/balloc.c linux-2.6.32.48/fs/ext3/balloc.c
46596--- linux-2.6.32.48/fs/ext3/balloc.c 2011-11-08 19:02:43.000000000 -0500
46597+++ linux-2.6.32.48/fs/ext3/balloc.c 2011-11-15 19:59:43.000000000 -0500
46598@@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
46599
46600 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
46601 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
46602- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
46603+ if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
46604 sbi->s_resuid != current_fsuid() &&
46605 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
46606 return 0;
46607diff -urNp linux-2.6.32.48/fs/ext4/balloc.c linux-2.6.32.48/fs/ext4/balloc.c
46608--- linux-2.6.32.48/fs/ext4/balloc.c 2011-11-08 19:02:43.000000000 -0500
46609+++ linux-2.6.32.48/fs/ext4/balloc.c 2011-11-15 19:59:43.000000000 -0500
46610@@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
46611 /* Hm, nope. Are (enough) root reserved blocks available? */
46612 if (sbi->s_resuid == current_fsuid() ||
46613 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
46614- capable(CAP_SYS_RESOURCE)) {
46615+ capable_nolog(CAP_SYS_RESOURCE)) {
46616 if (free_blocks >= (nblocks + dirty_blocks))
46617 return 1;
46618 }
46619diff -urNp linux-2.6.32.48/fs/ext4/ext4.h linux-2.6.32.48/fs/ext4/ext4.h
46620--- linux-2.6.32.48/fs/ext4/ext4.h 2011-11-08 19:02:43.000000000 -0500
46621+++ linux-2.6.32.48/fs/ext4/ext4.h 2011-11-15 19:59:43.000000000 -0500
46622@@ -1077,19 +1077,19 @@ struct ext4_sb_info {
46623
46624 /* stats for buddy allocator */
46625 spinlock_t s_mb_pa_lock;
46626- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
46627- atomic_t s_bal_success; /* we found long enough chunks */
46628- atomic_t s_bal_allocated; /* in blocks */
46629- atomic_t s_bal_ex_scanned; /* total extents scanned */
46630- atomic_t s_bal_goals; /* goal hits */
46631- atomic_t s_bal_breaks; /* too long searches */
46632- atomic_t s_bal_2orders; /* 2^order hits */
46633+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
46634+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
46635+ atomic_unchecked_t s_bal_allocated; /* in blocks */
46636+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
46637+ atomic_unchecked_t s_bal_goals; /* goal hits */
46638+ atomic_unchecked_t s_bal_breaks; /* too long searches */
46639+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
46640 spinlock_t s_bal_lock;
46641 unsigned long s_mb_buddies_generated;
46642 unsigned long long s_mb_generation_time;
46643- atomic_t s_mb_lost_chunks;
46644- atomic_t s_mb_preallocated;
46645- atomic_t s_mb_discarded;
46646+ atomic_unchecked_t s_mb_lost_chunks;
46647+ atomic_unchecked_t s_mb_preallocated;
46648+ atomic_unchecked_t s_mb_discarded;
46649 atomic_t s_lock_busy;
46650
46651 /* locality groups */
46652diff -urNp linux-2.6.32.48/fs/ext4/file.c linux-2.6.32.48/fs/ext4/file.c
46653--- linux-2.6.32.48/fs/ext4/file.c 2011-11-08 19:02:43.000000000 -0500
46654+++ linux-2.6.32.48/fs/ext4/file.c 2011-11-15 19:59:43.000000000 -0500
46655@@ -122,8 +122,8 @@ static int ext4_file_open(struct inode *
46656 cp = d_path(&path, buf, sizeof(buf));
46657 path_put(&path);
46658 if (!IS_ERR(cp)) {
46659- memcpy(sbi->s_es->s_last_mounted, cp,
46660- sizeof(sbi->s_es->s_last_mounted));
46661+ strlcpy(sbi->s_es->s_last_mounted, cp,
46662+ sizeof(sbi->s_es->s_last_mounted));
46663 sb->s_dirt = 1;
46664 }
46665 }
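Review bot: `strlcpy()` stops the old fixed-size `memcpy()` from reading `sizeof(sbi->s_es->s_last_mounted)` bytes starting at `cp` regardless of the string's length, but it writes only the string and its terminator. Any bytes of `s_last_mounted` after that keep their previous contents and are written out with the superblock once `sb->s_dirt = 1` takes effect. If the field can be non-empty on entry (the guarding condition is above this hunk), clear it first with `memset(sbi->s_es->s_last_mounted, 0, sizeof(sbi->s_es->s_last_mounted));`. A path that exactly fills the field now loses its last byte to the terminator, which deserves a one-line comment so the truncation reads as deliberate.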
46666diff -urNp linux-2.6.32.48/fs/ext4/mballoc.c linux-2.6.32.48/fs/ext4/mballoc.c
46667--- linux-2.6.32.48/fs/ext4/mballoc.c 2011-11-08 19:02:43.000000000 -0500
46668+++ linux-2.6.32.48/fs/ext4/mballoc.c 2011-11-15 19:59:43.000000000 -0500
46669@@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
46670 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
46671
46672 if (EXT4_SB(sb)->s_mb_stats)
46673- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
46674+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
46675
46676 break;
46677 }
46678@@ -2131,7 +2131,7 @@ repeat:
46679 ac->ac_status = AC_STATUS_CONTINUE;
46680 ac->ac_flags |= EXT4_MB_HINT_FIRST;
46681 cr = 3;
46682- atomic_inc(&sbi->s_mb_lost_chunks);
46683+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
46684 goto repeat;
46685 }
46686 }
46687@@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
46688 ext4_grpblk_t counters[16];
46689 } sg;
46690
46691+ pax_track_stack();
46692+
46693 group--;
46694 if (group == 0)
46695 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
46696@@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
46697 if (sbi->s_mb_stats) {
46698 printk(KERN_INFO
46699 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
46700- atomic_read(&sbi->s_bal_allocated),
46701- atomic_read(&sbi->s_bal_reqs),
46702- atomic_read(&sbi->s_bal_success));
46703+ atomic_read_unchecked(&sbi->s_bal_allocated),
46704+ atomic_read_unchecked(&sbi->s_bal_reqs),
46705+ atomic_read_unchecked(&sbi->s_bal_success));
46706 printk(KERN_INFO
46707 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
46708 "%u 2^N hits, %u breaks, %u lost\n",
46709- atomic_read(&sbi->s_bal_ex_scanned),
46710- atomic_read(&sbi->s_bal_goals),
46711- atomic_read(&sbi->s_bal_2orders),
46712- atomic_read(&sbi->s_bal_breaks),
46713- atomic_read(&sbi->s_mb_lost_chunks));
46714+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
46715+ atomic_read_unchecked(&sbi->s_bal_goals),
46716+ atomic_read_unchecked(&sbi->s_bal_2orders),
46717+ atomic_read_unchecked(&sbi->s_bal_breaks),
46718+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
46719 printk(KERN_INFO
46720 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
46721 sbi->s_mb_buddies_generated++,
46722 sbi->s_mb_generation_time);
46723 printk(KERN_INFO
46724 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
46725- atomic_read(&sbi->s_mb_preallocated),
46726- atomic_read(&sbi->s_mb_discarded));
46727+ atomic_read_unchecked(&sbi->s_mb_preallocated),
46728+ atomic_read_unchecked(&sbi->s_mb_discarded));
46729 }
46730
46731 free_percpu(sbi->s_locality_groups);
46732@@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
46733 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
46734
46735 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
46736- atomic_inc(&sbi->s_bal_reqs);
46737- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46738+ atomic_inc_unchecked(&sbi->s_bal_reqs);
46739+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
46740 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
46741- atomic_inc(&sbi->s_bal_success);
46742- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
46743+ atomic_inc_unchecked(&sbi->s_bal_success);
46744+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
46745 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
46746 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
46747- atomic_inc(&sbi->s_bal_goals);
46748+ atomic_inc_unchecked(&sbi->s_bal_goals);
46749 if (ac->ac_found > sbi->s_mb_max_to_scan)
46750- atomic_inc(&sbi->s_bal_breaks);
46751+ atomic_inc_unchecked(&sbi->s_bal_breaks);
46752 }
46753
46754 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
46755@@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
46756 trace_ext4_mb_new_inode_pa(ac, pa);
46757
46758 ext4_mb_use_inode_pa(ac, pa);
46759- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46760+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46761
46762 ei = EXT4_I(ac->ac_inode);
46763 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46764@@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
46765 trace_ext4_mb_new_group_pa(ac, pa);
46766
46767 ext4_mb_use_group_pa(ac, pa);
46768- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46769+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
46770
46771 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
46772 lg = ac->ac_lg;
46773@@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
46774 * from the bitmap and continue.
46775 */
46776 }
46777- atomic_add(free, &sbi->s_mb_discarded);
46778+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
46779
46780 return err;
46781 }
46782@@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
46783 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
46784 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
46785 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
46786- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46787+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
46788
46789 if (ac) {
46790 ac->ac_sb = sb;
46791diff -urNp linux-2.6.32.48/fs/ext4/super.c linux-2.6.32.48/fs/ext4/super.c
46792--- linux-2.6.32.48/fs/ext4/super.c 2011-11-08 19:02:43.000000000 -0500
46793+++ linux-2.6.32.48/fs/ext4/super.c 2011-11-15 19:59:43.000000000 -0500
46794@@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
46795 }
46796
46797
46798-static struct sysfs_ops ext4_attr_ops = {
46799+static const struct sysfs_ops ext4_attr_ops = {
46800 .show = ext4_attr_show,
46801 .store = ext4_attr_store,
46802 };
46803diff -urNp linux-2.6.32.48/fs/fcntl.c linux-2.6.32.48/fs/fcntl.c
46804--- linux-2.6.32.48/fs/fcntl.c 2011-11-08 19:02:43.000000000 -0500
46805+++ linux-2.6.32.48/fs/fcntl.c 2011-11-15 19:59:43.000000000 -0500
46806@@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
46807 if (err)
46808 return err;
46809
46810+ if (gr_handle_chroot_fowner(pid, type))
46811+ return -ENOENT;
46812+ if (gr_check_protected_task_fowner(pid, type))
46813+ return -EACCES;
46814+
46815 f_modown(filp, pid, type, force);
46816 return 0;
46817 }
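Review bot: Both new hooks, `gr_handle_chroot_fowner(pid, type)` and `gr_check_protected_task_fowner(pid, type)`, receive `pid` unconditionally, and `pid` is presumably NULL when a caller clears the owner. Their definitions are not in this hunk, so confirm they treat a NULL `pid` as permitted rather than dereferencing it or denying the reset. The two denials return different codes, `-ENOENT` and `-EACCES`. If `-ENOENT` is chosen so a chrooted caller cannot learn that the target exists, say so in a comment, e.g. `/* report ENOENT so the target's existence is not disclosed across the chroot */`. __f_setown starts above the hunk.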
46818@@ -265,7 +270,7 @@ pid_t f_getown(struct file *filp)
46819
46820 static int f_setown_ex(struct file *filp, unsigned long arg)
46821 {
46822- struct f_owner_ex * __user owner_p = (void * __user)arg;
46823+ struct f_owner_ex __user *owner_p = (void __user *)arg;
46824 struct f_owner_ex owner;
46825 struct pid *pid;
46826 int type;
46827@@ -305,7 +310,7 @@ static int f_setown_ex(struct file *filp
46828
46829 static int f_getown_ex(struct file *filp, unsigned long arg)
46830 {
46831- struct f_owner_ex * __user owner_p = (void * __user)arg;
46832+ struct f_owner_ex __user *owner_p = (void __user *)arg;
46833 struct f_owner_ex owner;
46834 int ret = 0;
46835
46836@@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
46837 switch (cmd) {
46838 case F_DUPFD:
46839 case F_DUPFD_CLOEXEC:
46840+ gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
46841 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
46842 break;
46843 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
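Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, arg, 0)` is called with the raw `arg` before the `rlim_cur` comparison on the next line, so the hook also sees values that are then rejected with `break`. That ordering looks intentional for a learning mode that must observe over-limit requests, but the helper is not visible here and `arg` arrives unvalidated from the fcntl caller. Please confirm it only records the value and never raises a limit on its own, and add `/* record the requested fd before the limit check so over-limit requests are seen */`. The fs/file.c hunk in expand_files adds the same call with `nr` ahead of its `-EMFILE` check and needs the same comment. do_fcntl continues outside this hunk.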
46844diff -urNp linux-2.6.32.48/fs/fifo.c linux-2.6.32.48/fs/fifo.c
46845--- linux-2.6.32.48/fs/fifo.c 2011-11-08 19:02:43.000000000 -0500
46846+++ linux-2.6.32.48/fs/fifo.c 2011-11-15 19:59:43.000000000 -0500
46847@@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
46848 */
46849 filp->f_op = &read_pipefifo_fops;
46850 pipe->r_counter++;
46851- if (pipe->readers++ == 0)
46852+ if (atomic_inc_return(&pipe->readers) == 1)
46853 wake_up_partner(inode);
46854
46855- if (!pipe->writers) {
46856+ if (!atomic_read(&pipe->writers)) {
46857 if ((filp->f_flags & O_NONBLOCK)) {
46858 /* suppress POLLHUP until we have
46859 * seen a writer */
46860@@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
46861 * errno=ENXIO when there is no process reading the FIFO.
46862 */
46863 ret = -ENXIO;
46864- if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
46865+ if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
46866 goto err;
46867
46868 filp->f_op = &write_pipefifo_fops;
46869 pipe->w_counter++;
46870- if (!pipe->writers++)
46871+ if (atomic_inc_return(&pipe->writers) == 1)
46872 wake_up_partner(inode);
46873
46874- if (!pipe->readers) {
46875+ if (!atomic_read(&pipe->readers)) {
46876 wait_for_partner(inode, &pipe->r_counter);
46877 if (signal_pending(current))
46878 goto err_wr;
46879@@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
46880 */
46881 filp->f_op = &rdwr_pipefifo_fops;
46882
46883- pipe->readers++;
46884- pipe->writers++;
46885+ atomic_inc(&pipe->readers);
46886+ atomic_inc(&pipe->writers);
46887 pipe->r_counter++;
46888 pipe->w_counter++;
46889- if (pipe->readers == 1 || pipe->writers == 1)
46890+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
46891 wake_up_partner(inode);
46892 break;
46893
46894@@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
46895 return 0;
46896
46897 err_rd:
46898- if (!--pipe->readers)
46899+ if (atomic_dec_and_test(&pipe->readers))
46900 wake_up_interruptible(&pipe->wait);
46901 ret = -ERESTARTSYS;
46902 goto err;
46903
46904 err_wr:
46905- if (!--pipe->writers)
46906+ if (atomic_dec_and_test(&pipe->writers))
46907 wake_up_interruptible(&pipe->wait);
46908 ret = -ERESTARTSYS;
46909 goto err;
46910
46911 err:
46912- if (!pipe->readers && !pipe->writers)
46913+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
46914 free_pipe_info(inode);
46915
46916 err_nocleanup:
46917diff -urNp linux-2.6.32.48/fs/file.c linux-2.6.32.48/fs/file.c
46918--- linux-2.6.32.48/fs/file.c 2011-11-08 19:02:43.000000000 -0500
46919+++ linux-2.6.32.48/fs/file.c 2011-11-15 19:59:43.000000000 -0500
46920@@ -14,6 +14,7 @@
46921 #include <linux/slab.h>
46922 #include <linux/vmalloc.h>
46923 #include <linux/file.h>
46924+#include <linux/security.h>
46925 #include <linux/fdtable.h>
46926 #include <linux/bitops.h>
46927 #include <linux/interrupt.h>
46928@@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
46929 * N.B. For clone tasks sharing a files structure, this test
46930 * will limit the total number of files that can be opened.
46931 */
46932+
46933+ gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
46934 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
46935 return -EMFILE;
46936
46937diff -urNp linux-2.6.32.48/fs/filesystems.c linux-2.6.32.48/fs/filesystems.c
46938--- linux-2.6.32.48/fs/filesystems.c 2011-11-08 19:02:43.000000000 -0500
46939+++ linux-2.6.32.48/fs/filesystems.c 2011-11-15 19:59:43.000000000 -0500
46940@@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
46941 int len = dot ? dot - name : strlen(name);
46942
46943 fs = __get_fs_type(name, len);
46944+
46945+#ifdef CONFIG_GRKERNSEC_MODHARDEN
46946+ if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
46947+#else
46948 if (!fs && (request_module("%.*s", len, name) == 0))
46949+#endif
46950 fs = __get_fs_type(name, len);
46951
46952 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
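Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` / `#else` pair swaps the `if (...)` head while both variants share the single body statement `fs = __get_fs_type(name, len);` placed after `#endif`. An edit to either branch can silently detach that body or change which statement is conditional. Hiding the choice behind one small wrapper around the module request, selected by the config option, would leave a single unconditional `if` in get_fs_type. The `"grsec_modharden_fs"` argument also needs a comment saying what the tag means to the module-loading path, since `___request_module` is not defined in this hunk. get_fs_type begins and ends outside the hunk.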
46953diff -urNp linux-2.6.32.48/fs/fscache/cookie.c linux-2.6.32.48/fs/fscache/cookie.c
46954--- linux-2.6.32.48/fs/fscache/cookie.c 2011-11-08 19:02:43.000000000 -0500
46955+++ linux-2.6.32.48/fs/fscache/cookie.c 2011-11-15 19:59:43.000000000 -0500
46956@@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
46957 parent ? (char *) parent->def->name : "<no-parent>",
46958 def->name, netfs_data);
46959
46960- fscache_stat(&fscache_n_acquires);
46961+ fscache_stat_unchecked(&fscache_n_acquires);
46962
46963 /* if there's no parent cookie, then we don't create one here either */
46964 if (!parent) {
46965- fscache_stat(&fscache_n_acquires_null);
46966+ fscache_stat_unchecked(&fscache_n_acquires_null);
46967 _leave(" [no parent]");
46968 return NULL;
46969 }
46970@@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
46971 /* allocate and initialise a cookie */
46972 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
46973 if (!cookie) {
46974- fscache_stat(&fscache_n_acquires_oom);
46975+ fscache_stat_unchecked(&fscache_n_acquires_oom);
46976 _leave(" [ENOMEM]");
46977 return NULL;
46978 }
46979@@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
46980
46981 switch (cookie->def->type) {
46982 case FSCACHE_COOKIE_TYPE_INDEX:
46983- fscache_stat(&fscache_n_cookie_index);
46984+ fscache_stat_unchecked(&fscache_n_cookie_index);
46985 break;
46986 case FSCACHE_COOKIE_TYPE_DATAFILE:
46987- fscache_stat(&fscache_n_cookie_data);
46988+ fscache_stat_unchecked(&fscache_n_cookie_data);
46989 break;
46990 default:
46991- fscache_stat(&fscache_n_cookie_special);
46992+ fscache_stat_unchecked(&fscache_n_cookie_special);
46993 break;
46994 }
46995
46996@@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
46997 if (fscache_acquire_non_index_cookie(cookie) < 0) {
46998 atomic_dec(&parent->n_children);
46999 __fscache_cookie_put(cookie);
47000- fscache_stat(&fscache_n_acquires_nobufs);
47001+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
47002 _leave(" = NULL");
47003 return NULL;
47004 }
47005 }
47006
47007- fscache_stat(&fscache_n_acquires_ok);
47008+ fscache_stat_unchecked(&fscache_n_acquires_ok);
47009 _leave(" = %p", cookie);
47010 return cookie;
47011 }
47012@@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
47013 cache = fscache_select_cache_for_object(cookie->parent);
47014 if (!cache) {
47015 up_read(&fscache_addremove_sem);
47016- fscache_stat(&fscache_n_acquires_no_cache);
47017+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
47018 _leave(" = -ENOMEDIUM [no cache]");
47019 return -ENOMEDIUM;
47020 }
47021@@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
47022 object = cache->ops->alloc_object(cache, cookie);
47023 fscache_stat_d(&fscache_n_cop_alloc_object);
47024 if (IS_ERR(object)) {
47025- fscache_stat(&fscache_n_object_no_alloc);
47026+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
47027 ret = PTR_ERR(object);
47028 goto error;
47029 }
47030
47031- fscache_stat(&fscache_n_object_alloc);
47032+ fscache_stat_unchecked(&fscache_n_object_alloc);
47033
47034 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
47035
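Review bot: `object->debug_id = atomic_inc_return(&fscache_object_debug_id);` at the end of this hunk still uses the checked operation, although the value is an ever-increasing id rather than a reference count. If `fscache_object_debug_id` remains a plain `atomic_t` (its declaration is not in view), reaching INT_MAX would presumably be treated as a refcount overflow. The report path added earlier in this patch answers that by sending SIGKILL to the current task. Either convert it alongside the statistics counters, with the declaration changed to `atomic_unchecked_t` and the call to `atomic_inc_return_unchecked(&fscache_object_debug_id)`, or add a comment saying the checked type is deliberate. fscache_alloc_object starts above and ends below the hunk.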
47036@@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
47037 struct fscache_object *object;
47038 struct hlist_node *_p;
47039
47040- fscache_stat(&fscache_n_updates);
47041+ fscache_stat_unchecked(&fscache_n_updates);
47042
47043 if (!cookie) {
47044- fscache_stat(&fscache_n_updates_null);
47045+ fscache_stat_unchecked(&fscache_n_updates_null);
47046 _leave(" [no cookie]");
47047 return;
47048 }
47049@@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
47050 struct fscache_object *object;
47051 unsigned long event;
47052
47053- fscache_stat(&fscache_n_relinquishes);
47054+ fscache_stat_unchecked(&fscache_n_relinquishes);
47055 if (retire)
47056- fscache_stat(&fscache_n_relinquishes_retire);
47057+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
47058
47059 if (!cookie) {
47060- fscache_stat(&fscache_n_relinquishes_null);
47061+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
47062 _leave(" [no cookie]");
47063 return;
47064 }
47065@@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
47066
47067 /* wait for the cookie to finish being instantiated (or to fail) */
47068 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
47069- fscache_stat(&fscache_n_relinquishes_waitcrt);
47070+ fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
47071 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
47072 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
47073 }
47074diff -urNp linux-2.6.32.48/fs/fscache/internal.h linux-2.6.32.48/fs/fscache/internal.h
47075--- linux-2.6.32.48/fs/fscache/internal.h 2011-11-08 19:02:43.000000000 -0500
47076+++ linux-2.6.32.48/fs/fscache/internal.h 2011-11-15 19:59:43.000000000 -0500
47077@@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
47078 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
47079 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
47080
47081-extern atomic_t fscache_n_op_pend;
47082-extern atomic_t fscache_n_op_run;
47083-extern atomic_t fscache_n_op_enqueue;
47084-extern atomic_t fscache_n_op_deferred_release;
47085-extern atomic_t fscache_n_op_release;
47086-extern atomic_t fscache_n_op_gc;
47087-extern atomic_t fscache_n_op_cancelled;
47088-extern atomic_t fscache_n_op_rejected;
47089-
47090-extern atomic_t fscache_n_attr_changed;
47091-extern atomic_t fscache_n_attr_changed_ok;
47092-extern atomic_t fscache_n_attr_changed_nobufs;
47093-extern atomic_t fscache_n_attr_changed_nomem;
47094-extern atomic_t fscache_n_attr_changed_calls;
47095-
47096-extern atomic_t fscache_n_allocs;
47097-extern atomic_t fscache_n_allocs_ok;
47098-extern atomic_t fscache_n_allocs_wait;
47099-extern atomic_t fscache_n_allocs_nobufs;
47100-extern atomic_t fscache_n_allocs_intr;
47101-extern atomic_t fscache_n_allocs_object_dead;
47102-extern atomic_t fscache_n_alloc_ops;
47103-extern atomic_t fscache_n_alloc_op_waits;
47104-
47105-extern atomic_t fscache_n_retrievals;
47106-extern atomic_t fscache_n_retrievals_ok;
47107-extern atomic_t fscache_n_retrievals_wait;
47108-extern atomic_t fscache_n_retrievals_nodata;
47109-extern atomic_t fscache_n_retrievals_nobufs;
47110-extern atomic_t fscache_n_retrievals_intr;
47111-extern atomic_t fscache_n_retrievals_nomem;
47112-extern atomic_t fscache_n_retrievals_object_dead;
47113-extern atomic_t fscache_n_retrieval_ops;
47114-extern atomic_t fscache_n_retrieval_op_waits;
47115-
47116-extern atomic_t fscache_n_stores;
47117-extern atomic_t fscache_n_stores_ok;
47118-extern atomic_t fscache_n_stores_again;
47119-extern atomic_t fscache_n_stores_nobufs;
47120-extern atomic_t fscache_n_stores_oom;
47121-extern atomic_t fscache_n_store_ops;
47122-extern atomic_t fscache_n_store_calls;
47123-extern atomic_t fscache_n_store_pages;
47124-extern atomic_t fscache_n_store_radix_deletes;
47125-extern atomic_t fscache_n_store_pages_over_limit;
47126-
47127-extern atomic_t fscache_n_store_vmscan_not_storing;
47128-extern atomic_t fscache_n_store_vmscan_gone;
47129-extern atomic_t fscache_n_store_vmscan_busy;
47130-extern atomic_t fscache_n_store_vmscan_cancelled;
47131-
47132-extern atomic_t fscache_n_marks;
47133-extern atomic_t fscache_n_uncaches;
47134-
47135-extern atomic_t fscache_n_acquires;
47136-extern atomic_t fscache_n_acquires_null;
47137-extern atomic_t fscache_n_acquires_no_cache;
47138-extern atomic_t fscache_n_acquires_ok;
47139-extern atomic_t fscache_n_acquires_nobufs;
47140-extern atomic_t fscache_n_acquires_oom;
47141-
47142-extern atomic_t fscache_n_updates;
47143-extern atomic_t fscache_n_updates_null;
47144-extern atomic_t fscache_n_updates_run;
47145-
47146-extern atomic_t fscache_n_relinquishes;
47147-extern atomic_t fscache_n_relinquishes_null;
47148-extern atomic_t fscache_n_relinquishes_waitcrt;
47149-extern atomic_t fscache_n_relinquishes_retire;
47150-
47151-extern atomic_t fscache_n_cookie_index;
47152-extern atomic_t fscache_n_cookie_data;
47153-extern atomic_t fscache_n_cookie_special;
47154-
47155-extern atomic_t fscache_n_object_alloc;
47156-extern atomic_t fscache_n_object_no_alloc;
47157-extern atomic_t fscache_n_object_lookups;
47158-extern atomic_t fscache_n_object_lookups_negative;
47159-extern atomic_t fscache_n_object_lookups_positive;
47160-extern atomic_t fscache_n_object_lookups_timed_out;
47161-extern atomic_t fscache_n_object_created;
47162-extern atomic_t fscache_n_object_avail;
47163-extern atomic_t fscache_n_object_dead;
47164-
47165-extern atomic_t fscache_n_checkaux_none;
47166-extern atomic_t fscache_n_checkaux_okay;
47167-extern atomic_t fscache_n_checkaux_update;
47168-extern atomic_t fscache_n_checkaux_obsolete;
47169+extern atomic_unchecked_t fscache_n_op_pend;
47170+extern atomic_unchecked_t fscache_n_op_run;
47171+extern atomic_unchecked_t fscache_n_op_enqueue;
47172+extern atomic_unchecked_t fscache_n_op_deferred_release;
47173+extern atomic_unchecked_t fscache_n_op_release;
47174+extern atomic_unchecked_t fscache_n_op_gc;
47175+extern atomic_unchecked_t fscache_n_op_cancelled;
47176+extern atomic_unchecked_t fscache_n_op_rejected;
47177+
47178+extern atomic_unchecked_t fscache_n_attr_changed;
47179+extern atomic_unchecked_t fscache_n_attr_changed_ok;
47180+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
47181+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
47182+extern atomic_unchecked_t fscache_n_attr_changed_calls;
47183+
47184+extern atomic_unchecked_t fscache_n_allocs;
47185+extern atomic_unchecked_t fscache_n_allocs_ok;
47186+extern atomic_unchecked_t fscache_n_allocs_wait;
47187+extern atomic_unchecked_t fscache_n_allocs_nobufs;
47188+extern atomic_unchecked_t fscache_n_allocs_intr;
47189+extern atomic_unchecked_t fscache_n_allocs_object_dead;
47190+extern atomic_unchecked_t fscache_n_alloc_ops;
47191+extern atomic_unchecked_t fscache_n_alloc_op_waits;
47192+
47193+extern atomic_unchecked_t fscache_n_retrievals;
47194+extern atomic_unchecked_t fscache_n_retrievals_ok;
47195+extern atomic_unchecked_t fscache_n_retrievals_wait;
47196+extern atomic_unchecked_t fscache_n_retrievals_nodata;
47197+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
47198+extern atomic_unchecked_t fscache_n_retrievals_intr;
47199+extern atomic_unchecked_t fscache_n_retrievals_nomem;
47200+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
47201+extern atomic_unchecked_t fscache_n_retrieval_ops;
47202+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
47203+
47204+extern atomic_unchecked_t fscache_n_stores;
47205+extern atomic_unchecked_t fscache_n_stores_ok;
47206+extern atomic_unchecked_t fscache_n_stores_again;
47207+extern atomic_unchecked_t fscache_n_stores_nobufs;
47208+extern atomic_unchecked_t fscache_n_stores_oom;
47209+extern atomic_unchecked_t fscache_n_store_ops;
47210+extern atomic_unchecked_t fscache_n_store_calls;
47211+extern atomic_unchecked_t fscache_n_store_pages;
47212+extern atomic_unchecked_t fscache_n_store_radix_deletes;
47213+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
47214+
47215+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
47216+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
47217+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
47218+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
47219+
47220+extern atomic_unchecked_t fscache_n_marks;
47221+extern atomic_unchecked_t fscache_n_uncaches;
47222+
47223+extern atomic_unchecked_t fscache_n_acquires;
47224+extern atomic_unchecked_t fscache_n_acquires_null;
47225+extern atomic_unchecked_t fscache_n_acquires_no_cache;
47226+extern atomic_unchecked_t fscache_n_acquires_ok;
47227+extern atomic_unchecked_t fscache_n_acquires_nobufs;
47228+extern atomic_unchecked_t fscache_n_acquires_oom;
47229+
47230+extern atomic_unchecked_t fscache_n_updates;
47231+extern atomic_unchecked_t fscache_n_updates_null;
47232+extern atomic_unchecked_t fscache_n_updates_run;
47233+
47234+extern atomic_unchecked_t fscache_n_relinquishes;
47235+extern atomic_unchecked_t fscache_n_relinquishes_null;
47236+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
47237+extern atomic_unchecked_t fscache_n_relinquishes_retire;
47238+
47239+extern atomic_unchecked_t fscache_n_cookie_index;
47240+extern atomic_unchecked_t fscache_n_cookie_data;
47241+extern atomic_unchecked_t fscache_n_cookie_special;
47242+
47243+extern atomic_unchecked_t fscache_n_object_alloc;
47244+extern atomic_unchecked_t fscache_n_object_no_alloc;
47245+extern atomic_unchecked_t fscache_n_object_lookups;
47246+extern atomic_unchecked_t fscache_n_object_lookups_negative;
47247+extern atomic_unchecked_t fscache_n_object_lookups_positive;
47248+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
47249+extern atomic_unchecked_t fscache_n_object_created;
47250+extern atomic_unchecked_t fscache_n_object_avail;
47251+extern atomic_unchecked_t fscache_n_object_dead;
47252+
47253+extern atomic_unchecked_t fscache_n_checkaux_none;
47254+extern atomic_unchecked_t fscache_n_checkaux_okay;
47255+extern atomic_unchecked_t fscache_n_checkaux_update;
47256+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
47257
47258 extern atomic_t fscache_n_cop_alloc_object;
47259 extern atomic_t fscache_n_cop_lookup_object;
47260@@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
47261 atomic_inc(stat);
47262 }
47263
47264+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
47265+{
47266+ atomic_inc_unchecked(stat);
47267+}
47268+
47269 static inline void fscache_stat_d(atomic_t *stat)
47270 {
47271 atomic_dec(stat);
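Review bot: `fscache_stat_unchecked()` is added without a comment saying which counters may use it, and that contract is the whole safety argument for this conversion. Something like `/* statistics only: the counter may wrap silently; never use on a reference or usage count */` above the helper would keep a later caller from moving a lifetime-bearing counter such as `op->usage` onto the unchecked path, where an overflow would presumably no longer be caught by the checked `atomic_t` operations. No unchecked counterpart of `fscache_stat_d()` is introduced, which fits the `fscache_n_cop_*` in-flight counters staying `atomic_t`; the comment could say so. The body of `fscache_stat_d()` continues past the end of the hunk.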
47272@@ -259,6 +264,7 @@ extern const struct file_operations fsca
47273
47274 #define __fscache_stat(stat) (NULL)
47275 #define fscache_stat(stat) do {} while (0)
47276+#define fscache_stat_unchecked(stat) do {} while (0)
47277 #define fscache_stat_d(stat) do {} while (0)
47278 #endif
47279
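Review bot: The stats-disabled stub `#define fscache_stat_unchecked(stat) do {} while (0)` discards its argument, so a call site that passes a counter of the wrong atomic type compiles cleanly whenever this branch of the `#if` is taken. With this many call sites converted by hand, a mismatch between a counter's declared type and the helper used on it would only show up in a stats-enabled build (the guard is presumably `CONFIG_FSCACHE_STATS`, as used in `fscache_mark_pages_cached()`), so that configuration should be part of build testing. This follows the existing `fscache_stat()` stub, so it is a testing caveat rather than a change request.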
47280diff -urNp linux-2.6.32.48/fs/fscache/object.c linux-2.6.32.48/fs/fscache/object.c
47281--- linux-2.6.32.48/fs/fscache/object.c 2011-11-08 19:02:43.000000000 -0500
47282+++ linux-2.6.32.48/fs/fscache/object.c 2011-11-15 19:59:43.000000000 -0500
47283@@ -144,7 +144,7 @@ static void fscache_object_state_machine
47284 /* update the object metadata on disk */
47285 case FSCACHE_OBJECT_UPDATING:
47286 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
47287- fscache_stat(&fscache_n_updates_run);
47288+ fscache_stat_unchecked(&fscache_n_updates_run);
47289 fscache_stat(&fscache_n_cop_update_object);
47290 object->cache->ops->update_object(object);
47291 fscache_stat_d(&fscache_n_cop_update_object);
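Review bot: The two adjacent increments in the `FSCACHE_OBJECT_UPDATING` case now go through different helpers with nothing to say why: `fscache_n_updates_run` uses `fscache_stat_unchecked()` while `fscache_n_cop_update_object` stays on `fscache_stat()`/`fscache_stat_d()`. A short comment such as `/* n_cop_* is an in-flight count (inc before, dec after the backend call) and stays a checked atomic_t */` would make the split look deliberate. The same pairing appears around `lookup_object()` in `fscache_lookup_object()` and around `write_page()` in `fscache_write_op()` in fs/fscache/page.c. The state machine function starts and ends outside this hunk.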
47292@@ -233,7 +233,7 @@ static void fscache_object_state_machine
47293 spin_lock(&object->lock);
47294 object->state = FSCACHE_OBJECT_DEAD;
47295 spin_unlock(&object->lock);
47296- fscache_stat(&fscache_n_object_dead);
47297+ fscache_stat_unchecked(&fscache_n_object_dead);
47298 goto terminal_transit;
47299
47300 /* handle the parent cache of this object being withdrawn from
47301@@ -248,7 +248,7 @@ static void fscache_object_state_machine
47302 spin_lock(&object->lock);
47303 object->state = FSCACHE_OBJECT_DEAD;
47304 spin_unlock(&object->lock);
47305- fscache_stat(&fscache_n_object_dead);
47306+ fscache_stat_unchecked(&fscache_n_object_dead);
47307 goto terminal_transit;
47308
47309 /* complain about the object being woken up once it is
47310@@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
47311 parent->cookie->def->name, cookie->def->name,
47312 object->cache->tag->name);
47313
47314- fscache_stat(&fscache_n_object_lookups);
47315+ fscache_stat_unchecked(&fscache_n_object_lookups);
47316 fscache_stat(&fscache_n_cop_lookup_object);
47317 ret = object->cache->ops->lookup_object(object);
47318 fscache_stat_d(&fscache_n_cop_lookup_object);
47319@@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
47320 if (ret == -ETIMEDOUT) {
47321 /* probably stuck behind another object, so move this one to
47322 * the back of the queue */
47323- fscache_stat(&fscache_n_object_lookups_timed_out);
47324+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
47325 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
47326 }
47327
47328@@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
47329
47330 spin_lock(&object->lock);
47331 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
47332- fscache_stat(&fscache_n_object_lookups_negative);
47333+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
47334
47335 /* transit here to allow write requests to begin stacking up
47336 * and read requests to begin returning ENODATA */
47337@@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
47338 * result, in which case there may be data available */
47339 spin_lock(&object->lock);
47340 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
47341- fscache_stat(&fscache_n_object_lookups_positive);
47342+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
47343
47344 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
47345
47346@@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
47347 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
47348 } else {
47349 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
47350- fscache_stat(&fscache_n_object_created);
47351+ fscache_stat_unchecked(&fscache_n_object_created);
47352
47353 object->state = FSCACHE_OBJECT_AVAILABLE;
47354 spin_unlock(&object->lock);
47355@@ -633,7 +633,7 @@ static void fscache_object_available(str
47356 fscache_enqueue_dependents(object);
47357
47358 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
47359- fscache_stat(&fscache_n_object_avail);
47360+ fscache_stat_unchecked(&fscache_n_object_avail);
47361
47362 _leave("");
47363 }
47364@@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
47365 enum fscache_checkaux result;
47366
47367 if (!object->cookie->def->check_aux) {
47368- fscache_stat(&fscache_n_checkaux_none);
47369+ fscache_stat_unchecked(&fscache_n_checkaux_none);
47370 return FSCACHE_CHECKAUX_OKAY;
47371 }
47372
47373@@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
47374 switch (result) {
47375 /* entry okay as is */
47376 case FSCACHE_CHECKAUX_OKAY:
47377- fscache_stat(&fscache_n_checkaux_okay);
47378+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
47379 break;
47380
47381 /* entry requires update */
47382 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
47383- fscache_stat(&fscache_n_checkaux_update);
47384+ fscache_stat_unchecked(&fscache_n_checkaux_update);
47385 break;
47386
47387 /* entry requires deletion */
47388 case FSCACHE_CHECKAUX_OBSOLETE:
47389- fscache_stat(&fscache_n_checkaux_obsolete);
47390+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
47391 break;
47392
47393 default:
47394diff -urNp linux-2.6.32.48/fs/fscache/operation.c linux-2.6.32.48/fs/fscache/operation.c
47395--- linux-2.6.32.48/fs/fscache/operation.c 2011-11-08 19:02:43.000000000 -0500
47396+++ linux-2.6.32.48/fs/fscache/operation.c 2011-11-15 19:59:43.000000000 -0500
47397@@ -16,7 +16,7 @@
47398 #include <linux/seq_file.h>
47399 #include "internal.h"
47400
47401-atomic_t fscache_op_debug_id;
47402+atomic_unchecked_t fscache_op_debug_id;
47403 EXPORT_SYMBOL(fscache_op_debug_id);
47404
47405 /**
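Review bot: `fscache_op_debug_id` is an exported symbol, so changing its type to `atomic_unchecked_t` changes the interface for every user of it, not only this file. The matching `extern` declaration and any users in cache backends are not in this section and need the same conversion; the one visible user, `__fscache_write_page()` in fs/fscache/page.c, already calls `atomic_inc_return_unchecked()`. A comment on the definition such as `/* debug ids only: allowed to wrap, so values can repeat; never use as a unique key */` would record why an unchecked counter is acceptable here.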
47406@@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
47407 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
47408 ASSERTCMP(atomic_read(&op->usage), >, 0);
47409
47410- fscache_stat(&fscache_n_op_enqueue);
47411+ fscache_stat_unchecked(&fscache_n_op_enqueue);
47412 switch (op->flags & FSCACHE_OP_TYPE) {
47413 case FSCACHE_OP_FAST:
47414 _debug("queue fast");
47415@@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
47416 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
47417 if (op->processor)
47418 fscache_enqueue_operation(op);
47419- fscache_stat(&fscache_n_op_run);
47420+ fscache_stat_unchecked(&fscache_n_op_run);
47421 }
47422
47423 /*
47424@@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
47425 if (object->n_ops > 0) {
47426 atomic_inc(&op->usage);
47427 list_add_tail(&op->pend_link, &object->pending_ops);
47428- fscache_stat(&fscache_n_op_pend);
47429+ fscache_stat_unchecked(&fscache_n_op_pend);
47430 } else if (!list_empty(&object->pending_ops)) {
47431 atomic_inc(&op->usage);
47432 list_add_tail(&op->pend_link, &object->pending_ops);
47433- fscache_stat(&fscache_n_op_pend);
47434+ fscache_stat_unchecked(&fscache_n_op_pend);
47435 fscache_start_operations(object);
47436 } else {
47437 ASSERTCMP(object->n_in_progress, ==, 0);
47438@@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
47439 object->n_exclusive++; /* reads and writes must wait */
47440 atomic_inc(&op->usage);
47441 list_add_tail(&op->pend_link, &object->pending_ops);
47442- fscache_stat(&fscache_n_op_pend);
47443+ fscache_stat_unchecked(&fscache_n_op_pend);
47444 ret = 0;
47445 } else {
47446 /* not allowed to submit ops in any other state */
47447@@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
47448 if (object->n_exclusive > 0) {
47449 atomic_inc(&op->usage);
47450 list_add_tail(&op->pend_link, &object->pending_ops);
47451- fscache_stat(&fscache_n_op_pend);
47452+ fscache_stat_unchecked(&fscache_n_op_pend);
47453 } else if (!list_empty(&object->pending_ops)) {
47454 atomic_inc(&op->usage);
47455 list_add_tail(&op->pend_link, &object->pending_ops);
47456- fscache_stat(&fscache_n_op_pend);
47457+ fscache_stat_unchecked(&fscache_n_op_pend);
47458 fscache_start_operations(object);
47459 } else {
47460 ASSERTCMP(object->n_exclusive, ==, 0);
47461@@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
47462 object->n_ops++;
47463 atomic_inc(&op->usage);
47464 list_add_tail(&op->pend_link, &object->pending_ops);
47465- fscache_stat(&fscache_n_op_pend);
47466+ fscache_stat_unchecked(&fscache_n_op_pend);
47467 ret = 0;
47468 } else if (object->state == FSCACHE_OBJECT_DYING ||
47469 object->state == FSCACHE_OBJECT_LC_DYING ||
47470 object->state == FSCACHE_OBJECT_WITHDRAWING) {
47471- fscache_stat(&fscache_n_op_rejected);
47472+ fscache_stat_unchecked(&fscache_n_op_rejected);
47473 ret = -ENOBUFS;
47474 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
47475 fscache_report_unexpected_submission(object, op, ostate);
47476@@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
47477
47478 ret = -EBUSY;
47479 if (!list_empty(&op->pend_link)) {
47480- fscache_stat(&fscache_n_op_cancelled);
47481+ fscache_stat_unchecked(&fscache_n_op_cancelled);
47482 list_del_init(&op->pend_link);
47483 object->n_ops--;
47484 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
47485@@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
47486 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
47487 BUG();
47488
47489- fscache_stat(&fscache_n_op_release);
47490+ fscache_stat_unchecked(&fscache_n_op_release);
47491
47492 if (op->release) {
47493 op->release(op);
47494@@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
47495 * lock, and defer it otherwise */
47496 if (!spin_trylock(&object->lock)) {
47497 _debug("defer put");
47498- fscache_stat(&fscache_n_op_deferred_release);
47499+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
47500
47501 cache = object->cache;
47502 spin_lock(&cache->op_gc_list_lock);
47503@@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
47504
47505 _debug("GC DEFERRED REL OBJ%x OP%x",
47506 object->debug_id, op->debug_id);
47507- fscache_stat(&fscache_n_op_gc);
47508+ fscache_stat_unchecked(&fscache_n_op_gc);
47509
47510 ASSERTCMP(atomic_read(&op->usage), ==, 0);
47511
47512diff -urNp linux-2.6.32.48/fs/fscache/page.c linux-2.6.32.48/fs/fscache/page.c
47513--- linux-2.6.32.48/fs/fscache/page.c 2011-11-08 19:02:43.000000000 -0500
47514+++ linux-2.6.32.48/fs/fscache/page.c 2011-11-15 19:59:43.000000000 -0500
47515@@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
47516 val = radix_tree_lookup(&cookie->stores, page->index);
47517 if (!val) {
47518 rcu_read_unlock();
47519- fscache_stat(&fscache_n_store_vmscan_not_storing);
47520+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
47521 __fscache_uncache_page(cookie, page);
47522 return true;
47523 }
47524@@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
47525 spin_unlock(&cookie->stores_lock);
47526
47527 if (xpage) {
47528- fscache_stat(&fscache_n_store_vmscan_cancelled);
47529- fscache_stat(&fscache_n_store_radix_deletes);
47530+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
47531+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47532 ASSERTCMP(xpage, ==, page);
47533 } else {
47534- fscache_stat(&fscache_n_store_vmscan_gone);
47535+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
47536 }
47537
47538 wake_up_bit(&cookie->flags, 0);
47539@@ -106,7 +106,7 @@ page_busy:
47540 /* we might want to wait here, but that could deadlock the allocator as
47541 * the slow-work threads writing to the cache may all end up sleeping
47542 * on memory allocation */
47543- fscache_stat(&fscache_n_store_vmscan_busy);
47544+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
47545 return false;
47546 }
47547 EXPORT_SYMBOL(__fscache_maybe_release_page);
47548@@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
47549 FSCACHE_COOKIE_STORING_TAG);
47550 if (!radix_tree_tag_get(&cookie->stores, page->index,
47551 FSCACHE_COOKIE_PENDING_TAG)) {
47552- fscache_stat(&fscache_n_store_radix_deletes);
47553+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
47554 xpage = radix_tree_delete(&cookie->stores, page->index);
47555 }
47556 spin_unlock(&cookie->stores_lock);
47557@@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
47558
47559 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
47560
47561- fscache_stat(&fscache_n_attr_changed_calls);
47562+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
47563
47564 if (fscache_object_is_active(object)) {
47565 fscache_set_op_state(op, "CallFS");
47566@@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
47567
47568 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47569
47570- fscache_stat(&fscache_n_attr_changed);
47571+ fscache_stat_unchecked(&fscache_n_attr_changed);
47572
47573 op = kzalloc(sizeof(*op), GFP_KERNEL);
47574 if (!op) {
47575- fscache_stat(&fscache_n_attr_changed_nomem);
47576+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
47577 _leave(" = -ENOMEM");
47578 return -ENOMEM;
47579 }
47580@@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
47581 if (fscache_submit_exclusive_op(object, op) < 0)
47582 goto nobufs;
47583 spin_unlock(&cookie->lock);
47584- fscache_stat(&fscache_n_attr_changed_ok);
47585+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
47586 fscache_put_operation(op);
47587 _leave(" = 0");
47588 return 0;
47589@@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
47590 nobufs:
47591 spin_unlock(&cookie->lock);
47592 kfree(op);
47593- fscache_stat(&fscache_n_attr_changed_nobufs);
47594+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
47595 _leave(" = %d", -ENOBUFS);
47596 return -ENOBUFS;
47597 }
47598@@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
47599 /* allocate a retrieval operation and attempt to submit it */
47600 op = kzalloc(sizeof(*op), GFP_NOIO);
47601 if (!op) {
47602- fscache_stat(&fscache_n_retrievals_nomem);
47603+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47604 return NULL;
47605 }
47606
47607@@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
47608 return 0;
47609 }
47610
47611- fscache_stat(&fscache_n_retrievals_wait);
47612+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
47613
47614 jif = jiffies;
47615 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
47616 fscache_wait_bit_interruptible,
47617 TASK_INTERRUPTIBLE) != 0) {
47618- fscache_stat(&fscache_n_retrievals_intr);
47619+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
47620 _leave(" = -ERESTARTSYS");
47621 return -ERESTARTSYS;
47622 }
47623@@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
47624 */
47625 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
47626 struct fscache_retrieval *op,
47627- atomic_t *stat_op_waits,
47628- atomic_t *stat_object_dead)
47629+ atomic_unchecked_t *stat_op_waits,
47630+ atomic_unchecked_t *stat_object_dead)
47631 {
47632 int ret;
47633
47634@@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
47635 goto check_if_dead;
47636
47637 _debug(">>> WT");
47638- fscache_stat(stat_op_waits);
47639+ fscache_stat_unchecked(stat_op_waits);
47640 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
47641 fscache_wait_bit_interruptible,
47642 TASK_INTERRUPTIBLE) < 0) {
47643@@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
47644
47645 check_if_dead:
47646 if (unlikely(fscache_object_is_dead(object))) {
47647- fscache_stat(stat_object_dead);
47648+ fscache_stat_unchecked(stat_object_dead);
47649 return -ENOBUFS;
47650 }
47651 return 0;
47652@@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
47653
47654 _enter("%p,%p,,,", cookie, page);
47655
47656- fscache_stat(&fscache_n_retrievals);
47657+ fscache_stat_unchecked(&fscache_n_retrievals);
47658
47659 if (hlist_empty(&cookie->backing_objects))
47660 goto nobufs;
47661@@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
47662 goto nobufs_unlock;
47663 spin_unlock(&cookie->lock);
47664
47665- fscache_stat(&fscache_n_retrieval_ops);
47666+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
47667
47668 /* pin the netfs read context in case we need to do the actual netfs
47669 * read because we've encountered a cache read failure */
47670@@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
47671
47672 error:
47673 if (ret == -ENOMEM)
47674- fscache_stat(&fscache_n_retrievals_nomem);
47675+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47676 else if (ret == -ERESTARTSYS)
47677- fscache_stat(&fscache_n_retrievals_intr);
47678+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
47679 else if (ret == -ENODATA)
47680- fscache_stat(&fscache_n_retrievals_nodata);
47681+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47682 else if (ret < 0)
47683- fscache_stat(&fscache_n_retrievals_nobufs);
47684+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47685 else
47686- fscache_stat(&fscache_n_retrievals_ok);
47687+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
47688
47689 fscache_put_retrieval(op);
47690 _leave(" = %d", ret);
47691@@ -453,7 +453,7 @@ nobufs_unlock:
47692 spin_unlock(&cookie->lock);
47693 kfree(op);
47694 nobufs:
47695- fscache_stat(&fscache_n_retrievals_nobufs);
47696+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47697 _leave(" = -ENOBUFS");
47698 return -ENOBUFS;
47699 }
47700@@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
47701
47702 _enter("%p,,%d,,,", cookie, *nr_pages);
47703
47704- fscache_stat(&fscache_n_retrievals);
47705+ fscache_stat_unchecked(&fscache_n_retrievals);
47706
47707 if (hlist_empty(&cookie->backing_objects))
47708 goto nobufs;
47709@@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
47710 goto nobufs_unlock;
47711 spin_unlock(&cookie->lock);
47712
47713- fscache_stat(&fscache_n_retrieval_ops);
47714+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
47715
47716 /* pin the netfs read context in case we need to do the actual netfs
47717 * read because we've encountered a cache read failure */
47718@@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
47719
47720 error:
47721 if (ret == -ENOMEM)
47722- fscache_stat(&fscache_n_retrievals_nomem);
47723+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
47724 else if (ret == -ERESTARTSYS)
47725- fscache_stat(&fscache_n_retrievals_intr);
47726+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
47727 else if (ret == -ENODATA)
47728- fscache_stat(&fscache_n_retrievals_nodata);
47729+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
47730 else if (ret < 0)
47731- fscache_stat(&fscache_n_retrievals_nobufs);
47732+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47733 else
47734- fscache_stat(&fscache_n_retrievals_ok);
47735+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
47736
47737 fscache_put_retrieval(op);
47738 _leave(" = %d", ret);
47739@@ -570,7 +570,7 @@ nobufs_unlock:
47740 spin_unlock(&cookie->lock);
47741 kfree(op);
47742 nobufs:
47743- fscache_stat(&fscache_n_retrievals_nobufs);
47744+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
47745 _leave(" = -ENOBUFS");
47746 return -ENOBUFS;
47747 }
47748@@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
47749
47750 _enter("%p,%p,,,", cookie, page);
47751
47752- fscache_stat(&fscache_n_allocs);
47753+ fscache_stat_unchecked(&fscache_n_allocs);
47754
47755 if (hlist_empty(&cookie->backing_objects))
47756 goto nobufs;
47757@@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
47758 goto nobufs_unlock;
47759 spin_unlock(&cookie->lock);
47760
47761- fscache_stat(&fscache_n_alloc_ops);
47762+ fscache_stat_unchecked(&fscache_n_alloc_ops);
47763
47764 ret = fscache_wait_for_retrieval_activation(
47765 object, op,
47766@@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
47767
47768 error:
47769 if (ret == -ERESTARTSYS)
47770- fscache_stat(&fscache_n_allocs_intr);
47771+ fscache_stat_unchecked(&fscache_n_allocs_intr);
47772 else if (ret < 0)
47773- fscache_stat(&fscache_n_allocs_nobufs);
47774+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47775 else
47776- fscache_stat(&fscache_n_allocs_ok);
47777+ fscache_stat_unchecked(&fscache_n_allocs_ok);
47778
47779 fscache_put_retrieval(op);
47780 _leave(" = %d", ret);
47781@@ -651,7 +651,7 @@ nobufs_unlock:
47782 spin_unlock(&cookie->lock);
47783 kfree(op);
47784 nobufs:
47785- fscache_stat(&fscache_n_allocs_nobufs);
47786+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
47787 _leave(" = -ENOBUFS");
47788 return -ENOBUFS;
47789 }
47790@@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
47791
47792 spin_lock(&cookie->stores_lock);
47793
47794- fscache_stat(&fscache_n_store_calls);
47795+ fscache_stat_unchecked(&fscache_n_store_calls);
47796
47797 /* find a page to store */
47798 page = NULL;
47799@@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
47800 page = results[0];
47801 _debug("gang %d [%lx]", n, page->index);
47802 if (page->index > op->store_limit) {
47803- fscache_stat(&fscache_n_store_pages_over_limit);
47804+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
47805 goto superseded;
47806 }
47807
47808@@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
47809
47810 if (page) {
47811 fscache_set_op_state(&op->op, "Store");
47812- fscache_stat(&fscache_n_store_pages);
47813+ fscache_stat_unchecked(&fscache_n_store_pages);
47814 fscache_stat(&fscache_n_cop_write_page);
47815 ret = object->cache->ops->write_page(op, page);
47816 fscache_stat_d(&fscache_n_cop_write_page);
47817@@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
47818 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47819 ASSERT(PageFsCache(page));
47820
47821- fscache_stat(&fscache_n_stores);
47822+ fscache_stat_unchecked(&fscache_n_stores);
47823
47824 op = kzalloc(sizeof(*op), GFP_NOIO);
47825 if (!op)
47826@@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
47827 spin_unlock(&cookie->stores_lock);
47828 spin_unlock(&object->lock);
47829
47830- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
47831+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
47832 op->store_limit = object->store_limit;
47833
47834 if (fscache_submit_op(object, &op->op) < 0)
47835@@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
47836
47837 spin_unlock(&cookie->lock);
47838 radix_tree_preload_end();
47839- fscache_stat(&fscache_n_store_ops);
47840- fscache_stat(&fscache_n_stores_ok);
47841+ fscache_stat_unchecked(&fscache_n_store_ops);
47842+ fscache_stat_unchecked(&fscache_n_stores_ok);
47843
47844 /* the slow work queue now carries its own ref on the object */
47845 fscache_put_operation(&op->op);
47846@@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
47847 return 0;
47848
47849 already_queued:
47850- fscache_stat(&fscache_n_stores_again);
47851+ fscache_stat_unchecked(&fscache_n_stores_again);
47852 already_pending:
47853 spin_unlock(&cookie->stores_lock);
47854 spin_unlock(&object->lock);
47855 spin_unlock(&cookie->lock);
47856 radix_tree_preload_end();
47857 kfree(op);
47858- fscache_stat(&fscache_n_stores_ok);
47859+ fscache_stat_unchecked(&fscache_n_stores_ok);
47860 _leave(" = 0");
47861 return 0;
47862
47863@@ -886,14 +886,14 @@ nobufs:
47864 spin_unlock(&cookie->lock);
47865 radix_tree_preload_end();
47866 kfree(op);
47867- fscache_stat(&fscache_n_stores_nobufs);
47868+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
47869 _leave(" = -ENOBUFS");
47870 return -ENOBUFS;
47871
47872 nomem_free:
47873 kfree(op);
47874 nomem:
47875- fscache_stat(&fscache_n_stores_oom);
47876+ fscache_stat_unchecked(&fscache_n_stores_oom);
47877 _leave(" = -ENOMEM");
47878 return -ENOMEM;
47879 }
47880@@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
47881 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
47882 ASSERTCMP(page, !=, NULL);
47883
47884- fscache_stat(&fscache_n_uncaches);
47885+ fscache_stat_unchecked(&fscache_n_uncaches);
47886
47887 /* cache withdrawal may beat us to it */
47888 if (!PageFsCache(page))
47889@@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
47890 unsigned long loop;
47891
47892 #ifdef CONFIG_FSCACHE_STATS
47893- atomic_add(pagevec->nr, &fscache_n_marks);
47894+ atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
47895 #endif
47896
47897 for (loop = 0; loop < pagevec->nr; loop++) {
47898diff -urNp linux-2.6.32.48/fs/fscache/stats.c linux-2.6.32.48/fs/fscache/stats.c
47899--- linux-2.6.32.48/fs/fscache/stats.c 2011-11-08 19:02:43.000000000 -0500
47900+++ linux-2.6.32.48/fs/fscache/stats.c 2011-11-15 19:59:43.000000000 -0500
47901@@ -18,95 +18,95 @@
47902 /*
47903 * operation counters
47904 */
47905-atomic_t fscache_n_op_pend;
47906-atomic_t fscache_n_op_run;
47907-atomic_t fscache_n_op_enqueue;
47908-atomic_t fscache_n_op_requeue;
47909-atomic_t fscache_n_op_deferred_release;
47910-atomic_t fscache_n_op_release;
47911-atomic_t fscache_n_op_gc;
47912-atomic_t fscache_n_op_cancelled;
47913-atomic_t fscache_n_op_rejected;
47914-
47915-atomic_t fscache_n_attr_changed;
47916-atomic_t fscache_n_attr_changed_ok;
47917-atomic_t fscache_n_attr_changed_nobufs;
47918-atomic_t fscache_n_attr_changed_nomem;
47919-atomic_t fscache_n_attr_changed_calls;
47920-
47921-atomic_t fscache_n_allocs;
47922-atomic_t fscache_n_allocs_ok;
47923-atomic_t fscache_n_allocs_wait;
47924-atomic_t fscache_n_allocs_nobufs;
47925-atomic_t fscache_n_allocs_intr;
47926-atomic_t fscache_n_allocs_object_dead;
47927-atomic_t fscache_n_alloc_ops;
47928-atomic_t fscache_n_alloc_op_waits;
47929-
47930-atomic_t fscache_n_retrievals;
47931-atomic_t fscache_n_retrievals_ok;
47932-atomic_t fscache_n_retrievals_wait;
47933-atomic_t fscache_n_retrievals_nodata;
47934-atomic_t fscache_n_retrievals_nobufs;
47935-atomic_t fscache_n_retrievals_intr;
47936-atomic_t fscache_n_retrievals_nomem;
47937-atomic_t fscache_n_retrievals_object_dead;
47938-atomic_t fscache_n_retrieval_ops;
47939-atomic_t fscache_n_retrieval_op_waits;
47940-
47941-atomic_t fscache_n_stores;
47942-atomic_t fscache_n_stores_ok;
47943-atomic_t fscache_n_stores_again;
47944-atomic_t fscache_n_stores_nobufs;
47945-atomic_t fscache_n_stores_oom;
47946-atomic_t fscache_n_store_ops;
47947-atomic_t fscache_n_store_calls;
47948-atomic_t fscache_n_store_pages;
47949-atomic_t fscache_n_store_radix_deletes;
47950-atomic_t fscache_n_store_pages_over_limit;
47951-
47952-atomic_t fscache_n_store_vmscan_not_storing;
47953-atomic_t fscache_n_store_vmscan_gone;
47954-atomic_t fscache_n_store_vmscan_busy;
47955-atomic_t fscache_n_store_vmscan_cancelled;
47956-
47957-atomic_t fscache_n_marks;
47958-atomic_t fscache_n_uncaches;
47959-
47960-atomic_t fscache_n_acquires;
47961-atomic_t fscache_n_acquires_null;
47962-atomic_t fscache_n_acquires_no_cache;
47963-atomic_t fscache_n_acquires_ok;
47964-atomic_t fscache_n_acquires_nobufs;
47965-atomic_t fscache_n_acquires_oom;
47966-
47967-atomic_t fscache_n_updates;
47968-atomic_t fscache_n_updates_null;
47969-atomic_t fscache_n_updates_run;
47970-
47971-atomic_t fscache_n_relinquishes;
47972-atomic_t fscache_n_relinquishes_null;
47973-atomic_t fscache_n_relinquishes_waitcrt;
47974-atomic_t fscache_n_relinquishes_retire;
47975-
47976-atomic_t fscache_n_cookie_index;
47977-atomic_t fscache_n_cookie_data;
47978-atomic_t fscache_n_cookie_special;
47979-
47980-atomic_t fscache_n_object_alloc;
47981-atomic_t fscache_n_object_no_alloc;
47982-atomic_t fscache_n_object_lookups;
47983-atomic_t fscache_n_object_lookups_negative;
47984-atomic_t fscache_n_object_lookups_positive;
47985-atomic_t fscache_n_object_lookups_timed_out;
47986-atomic_t fscache_n_object_created;
47987-atomic_t fscache_n_object_avail;
47988-atomic_t fscache_n_object_dead;
47989-
47990-atomic_t fscache_n_checkaux_none;
47991-atomic_t fscache_n_checkaux_okay;
47992-atomic_t fscache_n_checkaux_update;
47993-atomic_t fscache_n_checkaux_obsolete;
47994+atomic_unchecked_t fscache_n_op_pend;
47995+atomic_unchecked_t fscache_n_op_run;
47996+atomic_unchecked_t fscache_n_op_enqueue;
47997+atomic_unchecked_t fscache_n_op_requeue;
47998+atomic_unchecked_t fscache_n_op_deferred_release;
47999+atomic_unchecked_t fscache_n_op_release;
48000+atomic_unchecked_t fscache_n_op_gc;
48001+atomic_unchecked_t fscache_n_op_cancelled;
48002+atomic_unchecked_t fscache_n_op_rejected;
48003+
48004+atomic_unchecked_t fscache_n_attr_changed;
48005+atomic_unchecked_t fscache_n_attr_changed_ok;
48006+atomic_unchecked_t fscache_n_attr_changed_nobufs;
48007+atomic_unchecked_t fscache_n_attr_changed_nomem;
48008+atomic_unchecked_t fscache_n_attr_changed_calls;
48009+
48010+atomic_unchecked_t fscache_n_allocs;
48011+atomic_unchecked_t fscache_n_allocs_ok;
48012+atomic_unchecked_t fscache_n_allocs_wait;
48013+atomic_unchecked_t fscache_n_allocs_nobufs;
48014+atomic_unchecked_t fscache_n_allocs_intr;
48015+atomic_unchecked_t fscache_n_allocs_object_dead;
48016+atomic_unchecked_t fscache_n_alloc_ops;
48017+atomic_unchecked_t fscache_n_alloc_op_waits;
48018+
48019+atomic_unchecked_t fscache_n_retrievals;
48020+atomic_unchecked_t fscache_n_retrievals_ok;
48021+atomic_unchecked_t fscache_n_retrievals_wait;
48022+atomic_unchecked_t fscache_n_retrievals_nodata;
48023+atomic_unchecked_t fscache_n_retrievals_nobufs;
48024+atomic_unchecked_t fscache_n_retrievals_intr;
48025+atomic_unchecked_t fscache_n_retrievals_nomem;
48026+atomic_unchecked_t fscache_n_retrievals_object_dead;
48027+atomic_unchecked_t fscache_n_retrieval_ops;
48028+atomic_unchecked_t fscache_n_retrieval_op_waits;
48029+
48030+atomic_unchecked_t fscache_n_stores;
48031+atomic_unchecked_t fscache_n_stores_ok;
48032+atomic_unchecked_t fscache_n_stores_again;
48033+atomic_unchecked_t fscache_n_stores_nobufs;
48034+atomic_unchecked_t fscache_n_stores_oom;
48035+atomic_unchecked_t fscache_n_store_ops;
48036+atomic_unchecked_t fscache_n_store_calls;
48037+atomic_unchecked_t fscache_n_store_pages;
48038+atomic_unchecked_t fscache_n_store_radix_deletes;
48039+atomic_unchecked_t fscache_n_store_pages_over_limit;
48040+
48041+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
48042+atomic_unchecked_t fscache_n_store_vmscan_gone;
48043+atomic_unchecked_t fscache_n_store_vmscan_busy;
48044+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
48045+
48046+atomic_unchecked_t fscache_n_marks;
48047+atomic_unchecked_t fscache_n_uncaches;
48048+
48049+atomic_unchecked_t fscache_n_acquires;
48050+atomic_unchecked_t fscache_n_acquires_null;
48051+atomic_unchecked_t fscache_n_acquires_no_cache;
48052+atomic_unchecked_t fscache_n_acquires_ok;
48053+atomic_unchecked_t fscache_n_acquires_nobufs;
48054+atomic_unchecked_t fscache_n_acquires_oom;
48055+
48056+atomic_unchecked_t fscache_n_updates;
48057+atomic_unchecked_t fscache_n_updates_null;
48058+atomic_unchecked_t fscache_n_updates_run;
48059+
48060+atomic_unchecked_t fscache_n_relinquishes;
48061+atomic_unchecked_t fscache_n_relinquishes_null;
48062+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
48063+atomic_unchecked_t fscache_n_relinquishes_retire;
48064+
48065+atomic_unchecked_t fscache_n_cookie_index;
48066+atomic_unchecked_t fscache_n_cookie_data;
48067+atomic_unchecked_t fscache_n_cookie_special;
48068+
48069+atomic_unchecked_t fscache_n_object_alloc;
48070+atomic_unchecked_t fscache_n_object_no_alloc;
48071+atomic_unchecked_t fscache_n_object_lookups;
48072+atomic_unchecked_t fscache_n_object_lookups_negative;
48073+atomic_unchecked_t fscache_n_object_lookups_positive;
48074+atomic_unchecked_t fscache_n_object_lookups_timed_out;
48075+atomic_unchecked_t fscache_n_object_created;
48076+atomic_unchecked_t fscache_n_object_avail;
48077+atomic_unchecked_t fscache_n_object_dead;
48078+
48079+atomic_unchecked_t fscache_n_checkaux_none;
48080+atomic_unchecked_t fscache_n_checkaux_okay;
48081+atomic_unchecked_t fscache_n_checkaux_update;
48082+atomic_unchecked_t fscache_n_checkaux_obsolete;
48083
48084 atomic_t fscache_n_cop_alloc_object;
48085 atomic_t fscache_n_cop_lookup_object;
48086@@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
48087 seq_puts(m, "FS-Cache statistics\n");
48088
48089 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
48090- atomic_read(&fscache_n_cookie_index),
48091- atomic_read(&fscache_n_cookie_data),
48092- atomic_read(&fscache_n_cookie_special));
48093+ atomic_read_unchecked(&fscache_n_cookie_index),
48094+ atomic_read_unchecked(&fscache_n_cookie_data),
48095+ atomic_read_unchecked(&fscache_n_cookie_special));
48096
48097 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
48098- atomic_read(&fscache_n_object_alloc),
48099- atomic_read(&fscache_n_object_no_alloc),
48100- atomic_read(&fscache_n_object_avail),
48101- atomic_read(&fscache_n_object_dead));
48102+ atomic_read_unchecked(&fscache_n_object_alloc),
48103+ atomic_read_unchecked(&fscache_n_object_no_alloc),
48104+ atomic_read_unchecked(&fscache_n_object_avail),
48105+ atomic_read_unchecked(&fscache_n_object_dead));
48106 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
48107- atomic_read(&fscache_n_checkaux_none),
48108- atomic_read(&fscache_n_checkaux_okay),
48109- atomic_read(&fscache_n_checkaux_update),
48110- atomic_read(&fscache_n_checkaux_obsolete));
48111+ atomic_read_unchecked(&fscache_n_checkaux_none),
48112+ atomic_read_unchecked(&fscache_n_checkaux_okay),
48113+ atomic_read_unchecked(&fscache_n_checkaux_update),
48114+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
48115
48116 seq_printf(m, "Pages : mrk=%u unc=%u\n",
48117- atomic_read(&fscache_n_marks),
48118- atomic_read(&fscache_n_uncaches));
48119+ atomic_read_unchecked(&fscache_n_marks),
48120+ atomic_read_unchecked(&fscache_n_uncaches));
48121
48122 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
48123 " oom=%u\n",
48124- atomic_read(&fscache_n_acquires),
48125- atomic_read(&fscache_n_acquires_null),
48126- atomic_read(&fscache_n_acquires_no_cache),
48127- atomic_read(&fscache_n_acquires_ok),
48128- atomic_read(&fscache_n_acquires_nobufs),
48129- atomic_read(&fscache_n_acquires_oom));
48130+ atomic_read_unchecked(&fscache_n_acquires),
48131+ atomic_read_unchecked(&fscache_n_acquires_null),
48132+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
48133+ atomic_read_unchecked(&fscache_n_acquires_ok),
48134+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
48135+ atomic_read_unchecked(&fscache_n_acquires_oom));
48136
48137 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
48138- atomic_read(&fscache_n_object_lookups),
48139- atomic_read(&fscache_n_object_lookups_negative),
48140- atomic_read(&fscache_n_object_lookups_positive),
48141- atomic_read(&fscache_n_object_lookups_timed_out),
48142- atomic_read(&fscache_n_object_created));
48143+ atomic_read_unchecked(&fscache_n_object_lookups),
48144+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
48145+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
48146+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
48147+ atomic_read_unchecked(&fscache_n_object_created));
48148
48149 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
48150- atomic_read(&fscache_n_updates),
48151- atomic_read(&fscache_n_updates_null),
48152- atomic_read(&fscache_n_updates_run));
48153+ atomic_read_unchecked(&fscache_n_updates),
48154+ atomic_read_unchecked(&fscache_n_updates_null),
48155+ atomic_read_unchecked(&fscache_n_updates_run));
48156
48157 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
48158- atomic_read(&fscache_n_relinquishes),
48159- atomic_read(&fscache_n_relinquishes_null),
48160- atomic_read(&fscache_n_relinquishes_waitcrt),
48161- atomic_read(&fscache_n_relinquishes_retire));
48162+ atomic_read_unchecked(&fscache_n_relinquishes),
48163+ atomic_read_unchecked(&fscache_n_relinquishes_null),
48164+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
48165+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
48166
48167 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
48168- atomic_read(&fscache_n_attr_changed),
48169- atomic_read(&fscache_n_attr_changed_ok),
48170- atomic_read(&fscache_n_attr_changed_nobufs),
48171- atomic_read(&fscache_n_attr_changed_nomem),
48172- atomic_read(&fscache_n_attr_changed_calls));
48173+ atomic_read_unchecked(&fscache_n_attr_changed),
48174+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
48175+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
48176+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
48177+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
48178
48179 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
48180- atomic_read(&fscache_n_allocs),
48181- atomic_read(&fscache_n_allocs_ok),
48182- atomic_read(&fscache_n_allocs_wait),
48183- atomic_read(&fscache_n_allocs_nobufs),
48184- atomic_read(&fscache_n_allocs_intr));
48185+ atomic_read_unchecked(&fscache_n_allocs),
48186+ atomic_read_unchecked(&fscache_n_allocs_ok),
48187+ atomic_read_unchecked(&fscache_n_allocs_wait),
48188+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
48189+ atomic_read_unchecked(&fscache_n_allocs_intr));
48190 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
48191- atomic_read(&fscache_n_alloc_ops),
48192- atomic_read(&fscache_n_alloc_op_waits),
48193- atomic_read(&fscache_n_allocs_object_dead));
48194+ atomic_read_unchecked(&fscache_n_alloc_ops),
48195+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
48196+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
48197
48198 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
48199 " int=%u oom=%u\n",
48200- atomic_read(&fscache_n_retrievals),
48201- atomic_read(&fscache_n_retrievals_ok),
48202- atomic_read(&fscache_n_retrievals_wait),
48203- atomic_read(&fscache_n_retrievals_nodata),
48204- atomic_read(&fscache_n_retrievals_nobufs),
48205- atomic_read(&fscache_n_retrievals_intr),
48206- atomic_read(&fscache_n_retrievals_nomem));
48207+ atomic_read_unchecked(&fscache_n_retrievals),
48208+ atomic_read_unchecked(&fscache_n_retrievals_ok),
48209+ atomic_read_unchecked(&fscache_n_retrievals_wait),
48210+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
48211+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
48212+ atomic_read_unchecked(&fscache_n_retrievals_intr),
48213+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
48214 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
48215- atomic_read(&fscache_n_retrieval_ops),
48216- atomic_read(&fscache_n_retrieval_op_waits),
48217- atomic_read(&fscache_n_retrievals_object_dead));
48218+ atomic_read_unchecked(&fscache_n_retrieval_ops),
48219+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
48220+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
48221
48222 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
48223- atomic_read(&fscache_n_stores),
48224- atomic_read(&fscache_n_stores_ok),
48225- atomic_read(&fscache_n_stores_again),
48226- atomic_read(&fscache_n_stores_nobufs),
48227- atomic_read(&fscache_n_stores_oom));
48228+ atomic_read_unchecked(&fscache_n_stores),
48229+ atomic_read_unchecked(&fscache_n_stores_ok),
48230+ atomic_read_unchecked(&fscache_n_stores_again),
48231+ atomic_read_unchecked(&fscache_n_stores_nobufs),
48232+ atomic_read_unchecked(&fscache_n_stores_oom));
48233 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
48234- atomic_read(&fscache_n_store_ops),
48235- atomic_read(&fscache_n_store_calls),
48236- atomic_read(&fscache_n_store_pages),
48237- atomic_read(&fscache_n_store_radix_deletes),
48238- atomic_read(&fscache_n_store_pages_over_limit));
48239+ atomic_read_unchecked(&fscache_n_store_ops),
48240+ atomic_read_unchecked(&fscache_n_store_calls),
48241+ atomic_read_unchecked(&fscache_n_store_pages),
48242+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
48243+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
48244
48245 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
48246- atomic_read(&fscache_n_store_vmscan_not_storing),
48247- atomic_read(&fscache_n_store_vmscan_gone),
48248- atomic_read(&fscache_n_store_vmscan_busy),
48249- atomic_read(&fscache_n_store_vmscan_cancelled));
48250+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
48251+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
48252+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
48253+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
48254
48255 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
48256- atomic_read(&fscache_n_op_pend),
48257- atomic_read(&fscache_n_op_run),
48258- atomic_read(&fscache_n_op_enqueue),
48259- atomic_read(&fscache_n_op_cancelled),
48260- atomic_read(&fscache_n_op_rejected));
48261+ atomic_read_unchecked(&fscache_n_op_pend),
48262+ atomic_read_unchecked(&fscache_n_op_run),
48263+ atomic_read_unchecked(&fscache_n_op_enqueue),
48264+ atomic_read_unchecked(&fscache_n_op_cancelled),
48265+ atomic_read_unchecked(&fscache_n_op_rejected));
48266 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
48267- atomic_read(&fscache_n_op_deferred_release),
48268- atomic_read(&fscache_n_op_release),
48269- atomic_read(&fscache_n_op_gc));
48270+ atomic_read_unchecked(&fscache_n_op_deferred_release),
48271+ atomic_read_unchecked(&fscache_n_op_release),
48272+ atomic_read_unchecked(&fscache_n_op_gc));
48273
48274 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
48275 atomic_read(&fscache_n_cop_alloc_object),
48276diff -urNp linux-2.6.32.48/fs/fs_struct.c linux-2.6.32.48/fs/fs_struct.c
48277--- linux-2.6.32.48/fs/fs_struct.c 2011-11-08 19:02:43.000000000 -0500
48278+++ linux-2.6.32.48/fs/fs_struct.c 2011-11-15 19:59:43.000000000 -0500
48279@@ -4,6 +4,7 @@
48280 #include <linux/path.h>
48281 #include <linux/slab.h>
48282 #include <linux/fs_struct.h>
48283+#include <linux/grsecurity.h>
48284
48285 /*
48286 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
48287@@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
48288 old_root = fs->root;
48289 fs->root = *path;
48290 path_get(path);
48291+ gr_set_chroot_entries(current, path);
48292 write_unlock(&fs->lock);
48293 if (old_root.dentry)
48294 path_put(&old_root);
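Review bot: The new call passes `current` to gr_set_chroot_entries() although set_fs_root() updates whichever `fs` the caller hands in, so the recorded chroot state is only right while every caller passes current->fs. That assumption is not stated anywhere in the hunk; a comment on the added line such as `/* callers pass current->fs; chroot state is tracked per task */` would make it checkable. The hook also runs with fs->lock write-held, so it must not sleep; its definition is not visible here and should be confirmed. set_fs_root's body starts outside the hunk.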
48295@@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
48296 && fs->root.mnt == old_root->mnt) {
48297 path_get(new_root);
48298 fs->root = *new_root;
48299+ gr_set_chroot_entries(p, new_root);
48300 count++;
48301 }
48302 if (fs->pwd.dentry == old_root->dentry
48303@@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
48304 task_lock(tsk);
48305 write_lock(&fs->lock);
48306 tsk->fs = NULL;
48307- kill = !--fs->users;
48308+ gr_clear_chroot_entries(tsk);
48309+ kill = !atomic_dec_return(&fs->users);
48310 write_unlock(&fs->lock);
48311 task_unlock(tsk);
48312 if (kill)
48313@@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
48314 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
48315 /* We don't need to lock fs - think why ;-) */
48316 if (fs) {
48317- fs->users = 1;
48318+ atomic_set(&fs->users, 1);
48319 fs->in_exec = 0;
48320 rwlock_init(&fs->lock);
48321 fs->umask = old->umask;
48322@@ -127,8 +131,9 @@ int unshare_fs_struct(void)
48323
48324 task_lock(current);
48325 write_lock(&fs->lock);
48326- kill = !--fs->users;
48327+ kill = !atomic_dec_return(&fs->users);
48328 current->fs = new_fs;
48329+ gr_set_chroot_entries(current, &new_fs->root);
48330 write_unlock(&fs->lock);
48331 task_unlock(current);
48332
48333@@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
48334
48335 /* to be mentioned only in INIT_TASK */
48336 struct fs_struct init_fs = {
48337- .users = 1,
48338+ .users = ATOMIC_INIT(1),
48339 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
48340 .umask = 0022,
48341 };
48342@@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
48343 task_lock(current);
48344
48345 write_lock(&init_fs.lock);
48346- init_fs.users++;
48347+ atomic_inc(&init_fs.users);
48348 write_unlock(&init_fs.lock);
48349
48350 write_lock(&fs->lock);
48351 current->fs = &init_fs;
48352- kill = !--fs->users;
48353+ gr_set_chroot_entries(current, &current->fs->root);
48354+ kill = !atomic_dec_return(&fs->users);
48355 write_unlock(&fs->lock);
48356
48357 task_unlock(current);
48358diff -urNp linux-2.6.32.48/fs/fuse/cuse.c linux-2.6.32.48/fs/fuse/cuse.c
48359--- linux-2.6.32.48/fs/fuse/cuse.c 2011-11-08 19:02:43.000000000 -0500
48360+++ linux-2.6.32.48/fs/fuse/cuse.c 2011-11-15 19:59:43.000000000 -0500
48361@@ -576,10 +576,12 @@ static int __init cuse_init(void)
48362 INIT_LIST_HEAD(&cuse_conntbl[i]);
48363
48364 /* inherit and extend fuse_dev_operations */
48365- cuse_channel_fops = fuse_dev_operations;
48366- cuse_channel_fops.owner = THIS_MODULE;
48367- cuse_channel_fops.open = cuse_channel_open;
48368- cuse_channel_fops.release = cuse_channel_release;
48369+ pax_open_kernel();
48370+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
48371+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
48372+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
48373+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
48374+ pax_close_kernel();
48375
48376 cuse_class = class_create(THIS_MODULE, "cuse");
48377 if (IS_ERR(cuse_class))
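Review bot: The memcpy into cuse_channel_fops is sized by the source, `sizeof(fuse_dev_operations)`, and the destination is cast to `void *`, so the compiler no longer checks that the two objects have the same type and size. Sizing by the destination, `memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(cuse_channel_fops));`, keeps the write bounded by the object being written during the window between pax_open_kernel() and pax_close_kernel(), which presumably lifts kernel write protection. The `*(void **)&...` stores here, and the same pattern in the fs/mbcache.c hunk for mb_cache_create, also discard the function-pointer type check. A one-line comment saying the cast exists only to write an ops member that is presumably const-qualified would help the next reader. cuse_init continues outside the hunk.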
48378diff -urNp linux-2.6.32.48/fs/fuse/dev.c linux-2.6.32.48/fs/fuse/dev.c
48379--- linux-2.6.32.48/fs/fuse/dev.c 2011-11-08 19:02:43.000000000 -0500
48380+++ linux-2.6.32.48/fs/fuse/dev.c 2011-11-15 19:59:43.000000000 -0500
48381@@ -885,7 +885,7 @@ static int fuse_notify_inval_entry(struc
48382 {
48383 struct fuse_notify_inval_entry_out outarg;
48384 int err = -EINVAL;
48385- char buf[FUSE_NAME_MAX+1];
48386+ char *buf = NULL;
48387 struct qstr name;
48388
48389 if (size < sizeof(outarg))
48390@@ -899,6 +899,11 @@ static int fuse_notify_inval_entry(struc
48391 if (outarg.namelen > FUSE_NAME_MAX)
48392 goto err;
48393
48394+ err = -ENOMEM;
48395+ buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
48396+ if (!buf)
48397+ goto err;
48398+
48399 err = -EINVAL;
48400 if (size != sizeof(outarg) + outarg.namelen + 1)
48401 goto err;
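Review bot: The kmalloc sits above the `size != sizeof(outarg) + outarg.namelen + 1` check and always requests FUSE_NAME_MAX+1 bytes, so a notification that fails the length check still costs an allocation and a free. Moving the allocation below that check and sizing it from the validated length, `buf = kmalloc(outarg.namelen + 1, GFP_KERNEL);`, avoids that; the `outarg.namelen > FUSE_NAME_MAX` guard above still bounds the request. The kfree(buf) calls added in the following hunk stay correct either way because buf starts as NULL. fuse_notify_inval_entry's body continues outside this hunk.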
48402@@ -914,17 +919,15 @@ static int fuse_notify_inval_entry(struc
48403
48404 down_read(&fc->killsb);
48405 err = -ENOENT;
48406- if (!fc->sb)
48407- goto err_unlock;
48408-
48409- err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
48410-
48411-err_unlock:
48412+ if (fc->sb)
48413+ err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
48414 up_read(&fc->killsb);
48415+ kfree(buf);
48416 return err;
48417
48418 err:
48419 fuse_copy_finish(cs);
48420+ kfree(buf);
48421 return err;
48422 }
48423
48424diff -urNp linux-2.6.32.48/fs/fuse/dir.c linux-2.6.32.48/fs/fuse/dir.c
48425--- linux-2.6.32.48/fs/fuse/dir.c 2011-11-08 19:02:43.000000000 -0500
48426+++ linux-2.6.32.48/fs/fuse/dir.c 2011-11-15 19:59:43.000000000 -0500
48427@@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
48428 return link;
48429 }
48430
48431-static void free_link(char *link)
48432+static void free_link(const char *link)
48433 {
48434 if (!IS_ERR(link))
48435 free_page((unsigned long) link);
48436diff -urNp linux-2.6.32.48/fs/gfs2/ops_inode.c linux-2.6.32.48/fs/gfs2/ops_inode.c
48437--- linux-2.6.32.48/fs/gfs2/ops_inode.c 2011-11-08 19:02:43.000000000 -0500
48438+++ linux-2.6.32.48/fs/gfs2/ops_inode.c 2011-11-15 19:59:43.000000000 -0500
48439@@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
48440 unsigned int x;
48441 int error;
48442
48443+ pax_track_stack();
48444+
48445 if (ndentry->d_inode) {
48446 nip = GFS2_I(ndentry->d_inode);
48447 if (ip == nip)
48448diff -urNp linux-2.6.32.48/fs/gfs2/sys.c linux-2.6.32.48/fs/gfs2/sys.c
48449--- linux-2.6.32.48/fs/gfs2/sys.c 2011-11-08 19:02:43.000000000 -0500
48450+++ linux-2.6.32.48/fs/gfs2/sys.c 2011-11-15 19:59:43.000000000 -0500
48451@@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
48452 return a->store ? a->store(sdp, buf, len) : len;
48453 }
48454
48455-static struct sysfs_ops gfs2_attr_ops = {
48456+static const struct sysfs_ops gfs2_attr_ops = {
48457 .show = gfs2_attr_show,
48458 .store = gfs2_attr_store,
48459 };
48460@@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
48461 return 0;
48462 }
48463
48464-static struct kset_uevent_ops gfs2_uevent_ops = {
48465+static const struct kset_uevent_ops gfs2_uevent_ops = {
48466 .uevent = gfs2_uevent,
48467 };
48468
48469diff -urNp linux-2.6.32.48/fs/hfs/btree.c linux-2.6.32.48/fs/hfs/btree.c
48470--- linux-2.6.32.48/fs/hfs/btree.c 2011-11-08 19:02:43.000000000 -0500
48471+++ linux-2.6.32.48/fs/hfs/btree.c 2011-11-18 18:49:57.000000000 -0500
48472@@ -45,11 +45,27 @@ struct hfs_btree *hfs_btree_open(struct
48473 case HFS_EXT_CNID:
48474 hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
48475 mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
48476+
48477+ if (HFS_I(tree->inode)->alloc_blocks >
48478+ HFS_I(tree->inode)->first_blocks) {
48479+ printk(KERN_ERR "hfs: invalid btree extent records\n");
48480+ unlock_new_inode(tree->inode);
48481+ goto free_inode;
48482+ }
48483+
48484 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
48485 break;
48486 case HFS_CAT_CNID:
48487 hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
48488 mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
48489+
48490+ if (!HFS_I(tree->inode)->first_blocks) {
48491+ printk(KERN_ERR "hfs: invalid btree extent records "
48492+ "(0 size).\n");
48493+ unlock_new_inode(tree->inode);
48494+ goto free_inode;
48495+ }
48496+
48497 tree->inode->i_mapping->a_ops = &hfs_btree_aops;
48498 break;
48499 default:
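Review bot: The zero-size rejection that used to run for both tree types after the switch (removed in the next hunk) now runs only in the HFS_CAT_CNID case, so an extents tree with `first_blocks == 0` and `alloc_blocks == 0` passes the new `alloc_blocks > first_blocks` comparison and reaches read_mapping_page(). If an empty extents tree is meant to be accepted, a comment in the HFS_EXT_CNID case saying so would settle it; otherwise the check there could be `if (!HFS_I(tree->inode)->first_blocks || HFS_I(tree->inode)->alloc_blocks > HFS_I(tree->inode)->first_blocks)`. The two error messages are also nearly identical, and naming the tree in each would make a rejected image easier to diagnose. hfs_btree_open starts and ends outside the hunk.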
48500@@ -58,11 +74,6 @@ struct hfs_btree *hfs_btree_open(struct
48501 }
48502 unlock_new_inode(tree->inode);
48503
48504- if (!HFS_I(tree->inode)->first_blocks) {
48505- printk(KERN_ERR "hfs: invalid btree extent records (0 size).\n");
48506- goto free_inode;
48507- }
48508-
48509 mapping = tree->inode->i_mapping;
48510 page = read_mapping_page(mapping, 0, NULL);
48511 if (IS_ERR(page))
48512diff -urNp linux-2.6.32.48/fs/hfs/trans.c linux-2.6.32.48/fs/hfs/trans.c
48513--- linux-2.6.32.48/fs/hfs/trans.c 2011-11-08 19:02:43.000000000 -0500
48514+++ linux-2.6.32.48/fs/hfs/trans.c 2011-11-18 18:37:06.000000000 -0500
48515@@ -40,6 +40,8 @@ int hfs_mac2asc(struct super_block *sb,
48516
48517 src = in->name;
48518 srclen = in->len;
48519+ if (srclen > HFS_NAMELEN)
48520+ srclen = HFS_NAMELEN;
48521 dst = out;
48522 dstlen = HFS_MAX_NAMELEN;
48523 if (nls_io) {
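Review bot: The added clamp silently shortens an over-long `in->len` and carries no comment saying why the length cannot be trusted. Presumably `in->len` is read from an on-disk record and `in->name` holds at most HFS_NAMELEN bytes (the struct is not in this hunk); a line such as `/* in->len comes from disk; never read past in->name[HFS_NAMELEN] */` above the check would record that. It is also worth deciding whether a length above HFS_NAMELEN should be logged as a corrupted record instead of being truncated quietly. hfs_mac2asc continues outside the hunk.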
48524diff -urNp linux-2.6.32.48/fs/hfsplus/catalog.c linux-2.6.32.48/fs/hfsplus/catalog.c
48525--- linux-2.6.32.48/fs/hfsplus/catalog.c 2011-11-08 19:02:43.000000000 -0500
48526+++ linux-2.6.32.48/fs/hfsplus/catalog.c 2011-11-15 19:59:43.000000000 -0500
48527@@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
48528 int err;
48529 u16 type;
48530
48531+ pax_track_stack();
48532+
48533 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
48534 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
48535 if (err)
48536@@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
48537 int entry_size;
48538 int err;
48539
48540+ pax_track_stack();
48541+
48542 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
48543 sb = dir->i_sb;
48544 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
48545@@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
48546 int entry_size, type;
48547 int err = 0;
48548
48549+ pax_track_stack();
48550+
48551 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
48552 dst_dir->i_ino, dst_name->name);
48553 sb = src_dir->i_sb;
48554diff -urNp linux-2.6.32.48/fs/hfsplus/dir.c linux-2.6.32.48/fs/hfsplus/dir.c
48555--- linux-2.6.32.48/fs/hfsplus/dir.c 2011-11-08 19:02:43.000000000 -0500
48556+++ linux-2.6.32.48/fs/hfsplus/dir.c 2011-11-15 19:59:43.000000000 -0500
48557@@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
48558 struct hfsplus_readdir_data *rd;
48559 u16 type;
48560
48561+ pax_track_stack();
48562+
48563 if (filp->f_pos >= inode->i_size)
48564 return 0;
48565
48566diff -urNp linux-2.6.32.48/fs/hfsplus/inode.c linux-2.6.32.48/fs/hfsplus/inode.c
48567--- linux-2.6.32.48/fs/hfsplus/inode.c 2011-11-08 19:02:43.000000000 -0500
48568+++ linux-2.6.32.48/fs/hfsplus/inode.c 2011-11-15 19:59:43.000000000 -0500
48569@@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
48570 int res = 0;
48571 u16 type;
48572
48573+ pax_track_stack();
48574+
48575 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
48576
48577 HFSPLUS_I(inode).dev = 0;
48578@@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
48579 struct hfs_find_data fd;
48580 hfsplus_cat_entry entry;
48581
48582+ pax_track_stack();
48583+
48584 if (HFSPLUS_IS_RSRC(inode))
48585 main_inode = HFSPLUS_I(inode).rsrc_inode;
48586
48587diff -urNp linux-2.6.32.48/fs/hfsplus/ioctl.c linux-2.6.32.48/fs/hfsplus/ioctl.c
48588--- linux-2.6.32.48/fs/hfsplus/ioctl.c 2011-11-08 19:02:43.000000000 -0500
48589+++ linux-2.6.32.48/fs/hfsplus/ioctl.c 2011-11-15 19:59:43.000000000 -0500
48590@@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
48591 struct hfsplus_cat_file *file;
48592 int res;
48593
48594+ pax_track_stack();
48595+
48596 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48597 return -EOPNOTSUPP;
48598
48599@@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
48600 struct hfsplus_cat_file *file;
48601 ssize_t res = 0;
48602
48603+ pax_track_stack();
48604+
48605 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
48606 return -EOPNOTSUPP;
48607
48608diff -urNp linux-2.6.32.48/fs/hfsplus/super.c linux-2.6.32.48/fs/hfsplus/super.c
48609--- linux-2.6.32.48/fs/hfsplus/super.c 2011-11-08 19:02:43.000000000 -0500
48610+++ linux-2.6.32.48/fs/hfsplus/super.c 2011-11-15 19:59:43.000000000 -0500
48611@@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
48612 struct nls_table *nls = NULL;
48613 int err = -EINVAL;
48614
48615+ pax_track_stack();
48616+
48617 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
48618 if (!sbi)
48619 return -ENOMEM;
48620diff -urNp linux-2.6.32.48/fs/hugetlbfs/inode.c linux-2.6.32.48/fs/hugetlbfs/inode.c
48621--- linux-2.6.32.48/fs/hugetlbfs/inode.c 2011-11-08 19:02:43.000000000 -0500
48622+++ linux-2.6.32.48/fs/hugetlbfs/inode.c 2011-11-15 19:59:43.000000000 -0500
48623@@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
48624 .kill_sb = kill_litter_super,
48625 };
48626
48627-static struct vfsmount *hugetlbfs_vfsmount;
48628+struct vfsmount *hugetlbfs_vfsmount;
48629
48630 static int can_do_hugetlb_shm(void)
48631 {
48632diff -urNp linux-2.6.32.48/fs/ioctl.c linux-2.6.32.48/fs/ioctl.c
48633--- linux-2.6.32.48/fs/ioctl.c 2011-11-08 19:02:43.000000000 -0500
48634+++ linux-2.6.32.48/fs/ioctl.c 2011-11-15 19:59:43.000000000 -0500
48635@@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
48636 u64 phys, u64 len, u32 flags)
48637 {
48638 struct fiemap_extent extent;
48639- struct fiemap_extent *dest = fieinfo->fi_extents_start;
48640+ struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
48641
48642 /* only count the extents */
48643 if (fieinfo->fi_extents_max == 0) {
48644@@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
48645
48646 fieinfo.fi_flags = fiemap.fm_flags;
48647 fieinfo.fi_extents_max = fiemap.fm_extent_count;
48648- fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
48649+ fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
48650
48651 if (fiemap.fm_extent_count != 0 &&
48652 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
48653@@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
48654 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
48655 fiemap.fm_flags = fieinfo.fi_flags;
48656 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
48657- if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
48658+ if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
48659 error = -EFAULT;
48660
48661 return error;
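Review bot: The `__force` in `(__force char __user *)arg` looks unnecessary and is inconsistent with the previous hunk in this function, which casts the same `arg` with a plain `(struct fiemap_extent __user *)`. `__force` silences sparse's address-space checking, so it is best reserved for casts that really cross address spaces. If `arg` is the integer ioctl argument (its declaration is outside the hunk), `if (copy_to_user((void __user *)arg, &fiemap, sizeof(fiemap)))` expresses the same thing without it.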
48662diff -urNp linux-2.6.32.48/fs/jbd/checkpoint.c linux-2.6.32.48/fs/jbd/checkpoint.c
48663--- linux-2.6.32.48/fs/jbd/checkpoint.c 2011-11-08 19:02:43.000000000 -0500
48664+++ linux-2.6.32.48/fs/jbd/checkpoint.c 2011-11-15 19:59:43.000000000 -0500
48665@@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
48666 tid_t this_tid;
48667 int result;
48668
48669+ pax_track_stack();
48670+
48671 jbd_debug(1, "Start checkpoint\n");
48672
48673 /*
48674diff -urNp linux-2.6.32.48/fs/jffs2/compr_rtime.c linux-2.6.32.48/fs/jffs2/compr_rtime.c
48675--- linux-2.6.32.48/fs/jffs2/compr_rtime.c 2011-11-08 19:02:43.000000000 -0500
48676+++ linux-2.6.32.48/fs/jffs2/compr_rtime.c 2011-11-15 19:59:43.000000000 -0500
48677@@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
48678 int outpos = 0;
48679 int pos=0;
48680
48681+ pax_track_stack();
48682+
48683 memset(positions,0,sizeof(positions));
48684
48685 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
48686@@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
48687 int outpos = 0;
48688 int pos=0;
48689
48690+ pax_track_stack();
48691+
48692 memset(positions,0,sizeof(positions));
48693
48694 while (outpos<destlen) {
48695diff -urNp linux-2.6.32.48/fs/jffs2/compr_rubin.c linux-2.6.32.48/fs/jffs2/compr_rubin.c
48696--- linux-2.6.32.48/fs/jffs2/compr_rubin.c 2011-11-08 19:02:43.000000000 -0500
48697+++ linux-2.6.32.48/fs/jffs2/compr_rubin.c 2011-11-15 19:59:43.000000000 -0500
48698@@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
48699 int ret;
48700 uint32_t mysrclen, mydstlen;
48701
48702+ pax_track_stack();
48703+
48704 mysrclen = *sourcelen;
48705 mydstlen = *dstlen - 8;
48706
48707diff -urNp linux-2.6.32.48/fs/jffs2/erase.c linux-2.6.32.48/fs/jffs2/erase.c
48708--- linux-2.6.32.48/fs/jffs2/erase.c 2011-11-08 19:02:43.000000000 -0500
48709+++ linux-2.6.32.48/fs/jffs2/erase.c 2011-11-15 19:59:43.000000000 -0500
48710@@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
48711 struct jffs2_unknown_node marker = {
48712 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
48713 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48714- .totlen = cpu_to_je32(c->cleanmarker_size)
48715+ .totlen = cpu_to_je32(c->cleanmarker_size),
48716+ .hdr_crc = cpu_to_je32(0)
48717 };
48718
48719 jffs2_prealloc_raw_node_refs(c, jeb, 1);
48720diff -urNp linux-2.6.32.48/fs/jffs2/wbuf.c linux-2.6.32.48/fs/jffs2/wbuf.c
48721--- linux-2.6.32.48/fs/jffs2/wbuf.c 2011-11-08 19:02:43.000000000 -0500
48722+++ linux-2.6.32.48/fs/jffs2/wbuf.c 2011-11-15 19:59:43.000000000 -0500
48723@@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
48724 {
48725 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
48726 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
48727- .totlen = constant_cpu_to_je32(8)
48728+ .totlen = constant_cpu_to_je32(8),
48729+ .hdr_crc = constant_cpu_to_je32(0)
48730 };
48731
48732 /*
48733diff -urNp linux-2.6.32.48/fs/jffs2/xattr.c linux-2.6.32.48/fs/jffs2/xattr.c
48734--- linux-2.6.32.48/fs/jffs2/xattr.c 2011-11-08 19:02:43.000000000 -0500
48735+++ linux-2.6.32.48/fs/jffs2/xattr.c 2011-11-15 19:59:43.000000000 -0500
48736@@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
48737
48738 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
48739
48740+ pax_track_stack();
48741+
48742 /* Phase.1 : Merge same xref */
48743 for (i=0; i < XREF_TMPHASH_SIZE; i++)
48744 xref_tmphash[i] = NULL;
48745diff -urNp linux-2.6.32.48/fs/jfs/super.c linux-2.6.32.48/fs/jfs/super.c
48746--- linux-2.6.32.48/fs/jfs/super.c 2011-11-08 19:02:43.000000000 -0500
48747+++ linux-2.6.32.48/fs/jfs/super.c 2011-11-15 19:59:43.000000000 -0500
48748@@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
48749
48750 jfs_inode_cachep =
48751 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
48752- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
48753+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
48754 init_once);
48755 if (jfs_inode_cachep == NULL)
48756 return -ENOMEM;
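Review bot: The added SLAB_USERCOPY flag has no comment saying which part of struct jfs_inode_info is copied to or from user space. The flag is set on the whole cache, so presumably every object in it becomes eligible for user copies, not only the field that needs it. A comment above the kmem_cache_create() call naming that field, e.g. `/* SLAB_USERCOPY: needed for <field copied to user space> */`, would let a later reviewer check that the exemption is still required.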
48757diff -urNp linux-2.6.32.48/fs/Kconfig.binfmt linux-2.6.32.48/fs/Kconfig.binfmt
48758--- linux-2.6.32.48/fs/Kconfig.binfmt 2011-11-08 19:02:43.000000000 -0500
48759+++ linux-2.6.32.48/fs/Kconfig.binfmt 2011-11-15 19:59:43.000000000 -0500
48760@@ -86,7 +86,7 @@ config HAVE_AOUT
48761
48762 config BINFMT_AOUT
48763 tristate "Kernel support for a.out and ECOFF binaries"
48764- depends on HAVE_AOUT
48765+ depends on HAVE_AOUT && BROKEN
48766 ---help---
48767 A.out (Assembler.OUTput) is a set of formats for libraries and
48768 executables used in the earliest versions of UNIX. Linux used
48769diff -urNp linux-2.6.32.48/fs/libfs.c linux-2.6.32.48/fs/libfs.c
48770--- linux-2.6.32.48/fs/libfs.c 2011-11-08 19:02:43.000000000 -0500
48771+++ linux-2.6.32.48/fs/libfs.c 2011-11-15 19:59:43.000000000 -0500
48772@@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
48773
48774 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
48775 struct dentry *next;
48776+ char d_name[sizeof(next->d_iname)];
48777+ const unsigned char *name;
48778+
48779 next = list_entry(p, struct dentry, d_u.d_child);
48780 if (d_unhashed(next) || !next->d_inode)
48781 continue;
48782
48783 spin_unlock(&dcache_lock);
48784- if (filldir(dirent, next->d_name.name,
48785+ name = next->d_name.name;
48786+ if (name == next->d_iname) {
48787+ memcpy(d_name, name, next->d_name.len);
48788+ name = d_name;
48789+ }
48790+ if (filldir(dirent, name,
48791 next->d_name.len, filp->f_pos,
48792 next->d_inode->i_ino,
48793 dt_type(next->d_inode)) < 0)
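Review bot: The new memcpy into the on-stack `d_name` runs after `spin_unlock(&dcache_lock)` and takes its length from a separate, unlocked read of `next->d_name.len`, so nothing in the hunk ties that length to `sizeof(d_name)`. If the dentry's name can be replaced between the `name == next->d_iname` test and the copy (not determinable from this hunk), the copy could run past the buffer. Reading the length once and bounding it, `len = min_t(unsigned int, next->d_name.len, sizeof(d_name));`, then passing that same `len` to both memcpy() and filldir(), would make the bound explicit; taking the snapshot before the lock is dropped is the other option. dcache_readdir starts and ends outside the hunk.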
48794diff -urNp linux-2.6.32.48/fs/lockd/clntproc.c linux-2.6.32.48/fs/lockd/clntproc.c
48795--- linux-2.6.32.48/fs/lockd/clntproc.c 2011-11-08 19:02:43.000000000 -0500
48796+++ linux-2.6.32.48/fs/lockd/clntproc.c 2011-11-15 19:59:43.000000000 -0500
48797@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
48798 /*
48799 * Cookie counter for NLM requests
48800 */
48801-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
48802+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
48803
48804 void nlmclnt_next_cookie(struct nlm_cookie *c)
48805 {
48806- u32 cookie = atomic_inc_return(&nlm_cookie);
48807+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
48808
48809 memcpy(c->data, &cookie, 4);
48810 c->len=4;
48811@@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
48812 struct nlm_rqst reqst, *req;
48813 int status;
48814
48815+ pax_track_stack();
48816+
48817 req = &reqst;
48818 memset(req, 0, sizeof(*req));
48819 locks_init_lock(&req->a_args.lock.fl);
48820diff -urNp linux-2.6.32.48/fs/lockd/svc.c linux-2.6.32.48/fs/lockd/svc.c
48821--- linux-2.6.32.48/fs/lockd/svc.c 2011-11-08 19:02:43.000000000 -0500
48822+++ linux-2.6.32.48/fs/lockd/svc.c 2011-11-15 19:59:43.000000000 -0500
48823@@ -43,7 +43,7 @@
48824
48825 static struct svc_program nlmsvc_program;
48826
48827-struct nlmsvc_binding * nlmsvc_ops;
48828+const struct nlmsvc_binding * nlmsvc_ops;
48829 EXPORT_SYMBOL_GPL(nlmsvc_ops);
48830
48831 static DEFINE_MUTEX(nlmsvc_mutex);
48832diff -urNp linux-2.6.32.48/fs/locks.c linux-2.6.32.48/fs/locks.c
48833--- linux-2.6.32.48/fs/locks.c 2011-11-08 19:02:43.000000000 -0500
48834+++ linux-2.6.32.48/fs/locks.c 2011-11-15 19:59:43.000000000 -0500
48835@@ -145,10 +145,28 @@ static LIST_HEAD(blocked_list);
48836
48837 static struct kmem_cache *filelock_cache __read_mostly;
48838
48839+static void locks_init_lock_always(struct file_lock *fl)
48840+{
48841+ fl->fl_next = NULL;
48842+ fl->fl_fasync = NULL;
48843+ fl->fl_owner = NULL;
48844+ fl->fl_pid = 0;
48845+ fl->fl_nspid = NULL;
48846+ fl->fl_file = NULL;
48847+ fl->fl_flags = 0;
48848+ fl->fl_type = 0;
48849+ fl->fl_start = fl->fl_end = 0;
48850+}
48851+
48852 /* Allocate an empty lock structure. */
48853 static struct file_lock *locks_alloc_lock(void)
48854 {
48855- return kmem_cache_alloc(filelock_cache, GFP_KERNEL);
48856+ struct file_lock *fl = kmem_cache_alloc(filelock_cache, GFP_KERNEL);
48857+
48858+ if (fl)
48859+ locks_init_lock_always(fl);
48860+
48861+ return fl;
48862 }
48863
48864 void locks_release_private(struct file_lock *fl)
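Review bot: locks_init_lock_always() has no comment explaining how it differs from locks_init_lock(), and the name alone does not say. From this hunk and the next, it resets fl_next through fl_end and now runs on every locks_alloc_lock(), while the list heads, the wait queue, fl_ops and fl_lmops are still set only in locks_init_lock(). A short comment on the helper stating that split would help, e.g. `/* Fields reset on every allocation; list heads, fl_wait, fl_ops and fl_lmops are set by locks_init_lock() */`. Whatever initialises those remaining fields for a freshly allocated lock is not visible here and should be confirmed.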
48865@@ -183,17 +201,9 @@ void locks_init_lock(struct file_lock *f
48866 INIT_LIST_HEAD(&fl->fl_link);
48867 INIT_LIST_HEAD(&fl->fl_block);
48868 init_waitqueue_head(&fl->fl_wait);
48869- fl->fl_next = NULL;
48870- fl->fl_fasync = NULL;
48871- fl->fl_owner = NULL;
48872- fl->fl_pid = 0;
48873- fl->fl_nspid = NULL;
48874- fl->fl_file = NULL;
48875- fl->fl_flags = 0;
48876- fl->fl_type = 0;
48877- fl->fl_start = fl->fl_end = 0;
48878 fl->fl_ops = NULL;
48879 fl->fl_lmops = NULL;
48880+ locks_init_lock_always(fl);
48881 }
48882
48883 EXPORT_SYMBOL(locks_init_lock);
48884@@ -2007,16 +2017,16 @@ void locks_remove_flock(struct file *fil
48885 return;
48886
48887 if (filp->f_op && filp->f_op->flock) {
48888- struct file_lock fl = {
48889+ struct file_lock flock = {
48890 .fl_pid = current->tgid,
48891 .fl_file = filp,
48892 .fl_flags = FL_FLOCK,
48893 .fl_type = F_UNLCK,
48894 .fl_end = OFFSET_MAX,
48895 };
48896- filp->f_op->flock(filp, F_SETLKW, &fl);
48897- if (fl.fl_ops && fl.fl_ops->fl_release_private)
48898- fl.fl_ops->fl_release_private(&fl);
48899+ filp->f_op->flock(filp, F_SETLKW, &flock);
48900+ if (flock.fl_ops && flock.fl_ops->fl_release_private)
48901+ flock.fl_ops->fl_release_private(&flock);
48902 }
48903
48904 lock_kernel();
48905diff -urNp linux-2.6.32.48/fs/mbcache.c linux-2.6.32.48/fs/mbcache.c
48906--- linux-2.6.32.48/fs/mbcache.c 2011-11-08 19:02:43.000000000 -0500
48907+++ linux-2.6.32.48/fs/mbcache.c 2011-11-15 19:59:43.000000000 -0500
48908@@ -266,9 +266,9 @@ mb_cache_create(const char *name, struct
48909 if (!cache)
48910 goto fail;
48911 cache->c_name = name;
48912- cache->c_op.free = NULL;
48913+ *(void **)&cache->c_op.free = NULL;
48914 if (cache_op)
48915- cache->c_op.free = cache_op->free;
48916+ *(void **)&cache->c_op.free = cache_op->free;
48917 atomic_set(&cache->c_entry_count, 0);
48918 cache->c_bucket_bits = bucket_bits;
48919 #ifdef MB_CACHE_INDEXES_COUNT
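Review bot: The two writes through `*(void **)&cache->c_op.free` discard both the const qualifier and the function-pointer type, so the compiler no longer checks that cache_op->free has the signature c_op.free expects. The cast is presumably needed because the ops member is const-qualified elsewhere in this patch (its declaration is outside the hunk), and the hunk shows the member being written only here, during mb_cache_create(). Say so in a comment, e.g. `/* c_op is const after constification; one-time init of a freshly allocated cache */`, and consider casting to the member's own function-pointer type rather than `void **` so a signature mismatch still produces a diagnostic.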
48920diff -urNp linux-2.6.32.48/fs/namei.c linux-2.6.32.48/fs/namei.c
48921--- linux-2.6.32.48/fs/namei.c 2011-11-08 19:02:43.000000000 -0500
48922+++ linux-2.6.32.48/fs/namei.c 2011-11-16 17:53:55.000000000 -0500
48923@@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
48924 return ret;
48925
48926 /*
48927- * Read/write DACs are always overridable.
48928- * Executable DACs are overridable if at least one exec bit is set.
48929- */
48930- if (!(mask & MAY_EXEC) || execute_ok(inode))
48931- if (capable(CAP_DAC_OVERRIDE))
48932- return 0;
48933-
48934- /*
48935 * Searching includes executable on directories, else just read.
48936 */
48937 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
48938@@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
48939 if (capable(CAP_DAC_READ_SEARCH))
48940 return 0;
48941
48942+ /*
48943+ * Read/write DACs are always overridable.
48944+ * Executable DACs are overridable if at least one exec bit is set.
48945+ */
48946+ if (!(mask & MAY_EXEC) || execute_ok(inode))
48947+ if (capable(CAP_DAC_OVERRIDE))
48948+ return 0;
48949+
48950 return -EACCES;
48951 }
48952
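Review bot: The CAP_DAC_OVERRIDE block is moved below the CAP_DAC_READ_SEARCH test with its comment unchanged, so nothing records why the order matters. As far as the two hunks show, the outcome is the same for a task holding either capability; what changes is which capable() call runs first, presumably so the narrower capability is the one exercised and logged when it suffices. Add that to the moved comment, for example `* Checked after CAP_DAC_READ_SEARCH so the broader capability is used only when needed.`; generic_permission() starts outside both hunks.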
48953@@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
48954 if (!ret)
48955 goto ok;
48956
48957- if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
48958+ if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
48959+ capable(CAP_DAC_OVERRIDE))
48960 goto ok;
48961
48962 return ret;
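Review bot: CAP_DAC_OVERRIDE is now tested twice in one condition, first with capable_nolog() and last with capable(), and without a comment the third operand reads as dead code. It is reached only when capable_nolog(CAP_DAC_OVERRIDE) and capable(CAP_DAC_READ_SEARCH) have both returned false, so its purpose is presumably to get the denial logged rather than to change the result. A one-line comment such as `/* second CAP_DAC_OVERRIDE test exists for logging only */` would stop a later cleanup from removing it; confirm against capable_nolog(), which is defined outside this hunk.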
48963@@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
48964 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
48965 error = PTR_ERR(cookie);
48966 if (!IS_ERR(cookie)) {
48967- char *s = nd_get_link(nd);
48968+ const char *s = nd_get_link(nd);
48969 error = 0;
48970 if (s)
48971 error = __vfs_follow_link(nd, s);
48972@@ -669,6 +670,13 @@ static inline int do_follow_link(struct
48973 err = security_inode_follow_link(path->dentry, nd);
48974 if (err)
48975 goto loop;
48976+
48977+ if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
48978+ path->dentry->d_inode, path->dentry, nd->path.mnt)) {
48979+ err = -EACCES;
48980+ goto loop;
48981+ }
48982+
48983 current->link_count++;
48984 current->total_link_count++;
48985 nd->depth++;
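Review bot: `path->dentry->d_parent->d_inode` is read with no dget_parent() or lock visible in the hunk, so a concurrent rename could change the parent between this read and the check inside gr_handle_follow_link(). The same expression appears in the do_link hunk of do_filp_open() further down. Taking a reference first with `struct dentry *parent = dget_parent(path->dentry);`, passing `parent->d_inode`, and calling `dput(parent);` after the check would pin the parent the decision is made on. do_follow_link() begins and ends outside this hunk, so any locking already held by the caller should be confirmed before changing it.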
48986@@ -1016,11 +1024,19 @@ return_reval:
48987 break;
48988 }
48989 return_base:
48990+ if (!(nd->flags & (LOOKUP_CONTINUE | LOOKUP_PARENT)) &&
48991+ !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
48992+ path_put(&nd->path);
48993+ return -ENOENT;
48994+ }
48995 return 0;
48996 out_dput:
48997 path_put_conditional(&next, nd);
48998 break;
48999 }
49000+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
49001+ err = -ENOENT;
49002+
49003 path_put(&nd->path);
49004 return_err:
49005 return err;
49006@@ -1091,13 +1107,20 @@ static int do_path_lookup(int dfd, const
49007 int retval = path_init(dfd, name, flags, nd);
49008 if (!retval)
49009 retval = path_walk(name, nd);
49010- if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
49011- nd->path.dentry->d_inode))
49012- audit_inode(name, nd->path.dentry);
49013+
49014+ if (likely(!retval)) {
49015+ if (nd->path.dentry && nd->path.dentry->d_inode) {
49016+ if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
49017+ retval = -ENOENT;
49018+ if (!audit_dummy_context())
49019+ audit_inode(name, nd->path.dentry);
49020+ }
49021+ }
49022 if (nd->root.mnt) {
49023 path_put(&nd->root);
49024 nd->root.mnt = NULL;
49025 }
49026+
49027 return retval;
49028 }
49029
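Review bot: When gr_chroot_fchdir() rejects the lookup, retval becomes -ENOENT but nd->path is still held, because path_walk() succeeded and nothing in the hunk releases it. The return_base hunk of path_walk() above calls path_put(&nd->path) before returning -ENOENT, and callers normally drop the path only on success, so this branch looks like a dentry/vfsmount reference leak unless a caller outside the hunk handles it. Releasing the path once audit_inode() has run, e.g. `if (retval) path_put(&nd->path);` as the last statement of the inner block, would make this denial path match the others. The start of do_path_lookup() is outside the hunk.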
49030@@ -1576,6 +1599,20 @@ int may_open(struct path *path, int acc_
49031 if (error)
49032 goto err_out;
49033
49034+
49035+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
49036+ error = -EPERM;
49037+ goto err_out;
49038+ }
49039+ if (gr_handle_rawio(inode)) {
49040+ error = -EPERM;
49041+ goto err_out;
49042+ }
49043+ if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
49044+ error = -EACCES;
49045+ goto err_out;
49046+ }
49047+
49048 if (flag & O_TRUNC) {
49049 error = get_write_access(inode);
49050 if (error)
49051@@ -1621,12 +1658,19 @@ static int __open_namei_create(struct na
49052 int error;
49053 struct dentry *dir = nd->path.dentry;
49054
49055+ if (!gr_acl_handle_creat(path->dentry, dir, nd->path.mnt, flag, mode)) {
49056+ error = -EACCES;
49057+ goto out_unlock;
49058+ }
49059+
49060 if (!IS_POSIXACL(dir->d_inode))
49061 mode &= ~current_umask();
49062 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
49063 if (error)
49064 goto out_unlock;
49065 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
49066+ if (!error)
49067+ gr_handle_create(path->dentry, nd->path.mnt);
49068 out_unlock:
49069 mutex_unlock(&dir->d_inode->i_mutex);
49070 dput(nd->path.dentry);
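Review bot: gr_acl_handle_creat() is given `mode` before the `mode &= ~current_umask()` line that follows, so the policy check sees permission bits the created file may never have. If the ACL decision depends on mode bits (the helper is defined outside this hunk), a request can be denied or logged for bits the umask would have stripped. Either move the check below the umask line or state the intent with a comment such as `/* checked against the requested mode, before umask */`.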
49071@@ -1709,6 +1753,22 @@ struct file *do_filp_open(int dfd, const
49072 &nd, flag);
49073 if (error)
49074 return ERR_PTR(error);
49075+
49076+ if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
49077+ error = -EPERM;
49078+ goto exit;
49079+ }
49080+
49081+ if (gr_handle_rawio(nd.path.dentry->d_inode)) {
49082+ error = -EPERM;
49083+ goto exit;
49084+ }
49085+
49086+ if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
49087+ error = -EACCES;
49088+ goto exit;
49089+ }
49090+
49091 goto ok;
49092 }
49093
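Review bot: The three checks added here (gr_handle_rofs_blockwrite, gr_handle_rawio, gr_acl_handle_open) are the same three that the may_open() hunk adds, and this branch ends in `goto ok`. If the ok: label goes on to call may_open(), every open taking this branch is evaluated, and possibly logged, twice. Keeping the checks in may_open() only, or adding a comment here explaining why this path needs them early, would also keep the two copies from drifting apart. The ok: label is outside the hunk, so confirm the flow before removing either copy.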
49094@@ -1795,6 +1855,19 @@ do_last:
49095 /*
49096 * It already exists.
49097 */
49098+
49099+ if (!gr_acl_handle_hidden_file(path.dentry, path.mnt)) {
49100+ error = -ENOENT;
49101+ goto exit_mutex_unlock;
49102+ }
49103+
49104+ /* only check if O_CREAT is specified, all other checks need
49105+ to go into may_open */
49106+ if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
49107+ error = -EACCES;
49108+ goto exit_mutex_unlock;
49109+ }
49110+
49111 mutex_unlock(&dir->d_inode->i_mutex);
49112 audit_inode(pathname, path.dentry);
49113
49114@@ -1887,6 +1960,13 @@ do_link:
49115 error = security_inode_follow_link(path.dentry, &nd);
49116 if (error)
49117 goto exit_dput;
49118+
49119+ if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
49120+ path.dentry, nd.path.mnt)) {
49121+ error = -EACCES;
49122+ goto exit_dput;
49123+ }
49124+
49125 error = __do_follow_link(&path, &nd);
49126 if (error) {
49127 /* Does someone understand code flow here? Or it is only
49128@@ -1984,6 +2064,10 @@ struct dentry *lookup_create(struct name
49129 }
49130 return dentry;
49131 eexist:
49132+ if (!gr_acl_handle_hidden_file(dentry, nd->path.mnt)) {
49133+ dput(dentry);
49134+ return ERR_PTR(-ENOENT);
49135+ }
49136 dput(dentry);
49137 dentry = ERR_PTR(-EEXIST);
49138 fail:
49139@@ -2061,6 +2145,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
49140 error = may_mknod(mode);
49141 if (error)
49142 goto out_dput;
49143+
49144+ if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
49145+ error = -EPERM;
49146+ goto out_dput;
49147+ }
49148+
49149+ if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
49150+ error = -EACCES;
49151+ goto out_dput;
49152+ }
49153+
49154 error = mnt_want_write(nd.path.mnt);
49155 if (error)
49156 goto out_dput;
49157@@ -2081,6 +2176,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
49158 }
49159 out_drop_write:
49160 mnt_drop_write(nd.path.mnt);
49161+
49162+ if (!error)
49163+ gr_handle_create(dentry, nd.path.mnt);
49164 out_dput:
49165 dput(dentry);
49166 out_unlock:
49167@@ -2134,6 +2232,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
49168 if (IS_ERR(dentry))
49169 goto out_unlock;
49170
49171+ if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
49172+ error = -EACCES;
49173+ goto out_dput;
49174+ }
49175+
49176 if (!IS_POSIXACL(nd.path.dentry->d_inode))
49177 mode &= ~current_umask();
49178 error = mnt_want_write(nd.path.mnt);
49179@@ -2145,6 +2248,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
49180 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
49181 out_drop_write:
49182 mnt_drop_write(nd.path.mnt);
49183+
49184+ if (!error)
49185+ gr_handle_create(dentry, nd.path.mnt);
49186+
49187 out_dput:
49188 dput(dentry);
49189 out_unlock:
49190@@ -2226,6 +2333,8 @@ static long do_rmdir(int dfd, const char
49191 char * name;
49192 struct dentry *dentry;
49193 struct nameidata nd;
49194+ ino_t saved_ino = 0;
49195+ dev_t saved_dev = 0;
49196
49197 error = user_path_parent(dfd, pathname, &nd, &name);
49198 if (error)
49199@@ -2250,6 +2359,17 @@ static long do_rmdir(int dfd, const char
49200 error = PTR_ERR(dentry);
49201 if (IS_ERR(dentry))
49202 goto exit2;
49203+
49204+ if (dentry->d_inode != NULL) {
49205+ saved_ino = dentry->d_inode->i_ino;
49206+ saved_dev = gr_get_dev_from_dentry(dentry);
49207+
49208+ if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
49209+ error = -EACCES;
49210+ goto exit3;
49211+ }
49212+ }
49213+
49214 error = mnt_want_write(nd.path.mnt);
49215 if (error)
49216 goto exit3;
49217@@ -2257,6 +2377,8 @@ static long do_rmdir(int dfd, const char
49218 if (error)
49219 goto exit4;
49220 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
49221+ if (!error && (saved_dev || saved_ino))
49222+ gr_handle_delete(saved_ino, saved_dev);
49223 exit4:
49224 mnt_drop_write(nd.path.mnt);
49225 exit3:
49226@@ -2318,6 +2440,8 @@ static long do_unlinkat(int dfd, const c
49227 struct dentry *dentry;
49228 struct nameidata nd;
49229 struct inode *inode = NULL;
49230+ ino_t saved_ino = 0;
49231+ dev_t saved_dev = 0;
49232
49233 error = user_path_parent(dfd, pathname, &nd, &name);
49234 if (error)
49235@@ -2337,8 +2461,19 @@ static long do_unlinkat(int dfd, const c
49236 if (nd.last.name[nd.last.len])
49237 goto slashes;
49238 inode = dentry->d_inode;
49239- if (inode)
49240+ if (inode) {
49241+ if (inode->i_nlink <= 1) {
49242+ saved_ino = inode->i_ino;
49243+ saved_dev = gr_get_dev_from_dentry(dentry);
49244+ }
49245+
49246 atomic_inc(&inode->i_count);
49247+
49248+ if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
49249+ error = -EACCES;
49250+ goto exit2;
49251+ }
49252+ }
49253 error = mnt_want_write(nd.path.mnt);
49254 if (error)
49255 goto exit2;
49256@@ -2346,6 +2481,8 @@ static long do_unlinkat(int dfd, const c
49257 if (error)
49258 goto exit3;
49259 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
49260+ if (!error && (saved_ino || saved_dev))
49261+ gr_handle_delete(saved_ino, saved_dev);
49262 exit3:
49263 mnt_drop_write(nd.path.mnt);
49264 exit2:
49265@@ -2424,6 +2561,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
49266 if (IS_ERR(dentry))
49267 goto out_unlock;
49268
49269+ if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
49270+ error = -EACCES;
49271+ goto out_dput;
49272+ }
49273+
49274 error = mnt_want_write(nd.path.mnt);
49275 if (error)
49276 goto out_dput;
49277@@ -2431,6 +2573,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
49278 if (error)
49279 goto out_drop_write;
49280 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
49281+ if (!error)
49282+ gr_handle_create(dentry, nd.path.mnt);
49283 out_drop_write:
49284 mnt_drop_write(nd.path.mnt);
49285 out_dput:
49286@@ -2524,6 +2668,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
49287 error = PTR_ERR(new_dentry);
49288 if (IS_ERR(new_dentry))
49289 goto out_unlock;
49290+
49291+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
49292+ old_path.dentry->d_inode,
49293+ old_path.dentry->d_inode->i_mode, to)) {
49294+ error = -EACCES;
49295+ goto out_dput;
49296+ }
49297+
49298+ if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
49299+ old_path.dentry, old_path.mnt, to)) {
49300+ error = -EACCES;
49301+ goto out_dput;
49302+ }
49303+
49304 error = mnt_want_write(nd.path.mnt);
49305 if (error)
49306 goto out_dput;
49307@@ -2531,6 +2689,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
49308 if (error)
49309 goto out_drop_write;
49310 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
49311+ if (!error)
49312+ gr_handle_create(new_dentry, nd.path.mnt);
49313 out_drop_write:
49314 mnt_drop_write(nd.path.mnt);
49315 out_dput:
49316@@ -2708,6 +2868,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49317 char *to;
49318 int error;
49319
49320+ pax_track_stack();
49321+
49322 error = user_path_parent(olddfd, oldname, &oldnd, &from);
49323 if (error)
49324 goto exit;
49325@@ -2764,6 +2926,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49326 if (new_dentry == trap)
49327 goto exit5;
49328
49329+ error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
49330+ old_dentry, old_dir->d_inode, oldnd.path.mnt,
49331+ to);
49332+ if (error)
49333+ goto exit5;
49334+
49335 error = mnt_want_write(oldnd.path.mnt);
49336 if (error)
49337 goto exit5;
49338@@ -2773,6 +2941,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
49339 goto exit6;
49340 error = vfs_rename(old_dir->d_inode, old_dentry,
49341 new_dir->d_inode, new_dentry);
49342+ if (!error)
49343+ gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
49344+ new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
49345 exit6:
49346 mnt_drop_write(oldnd.path.mnt);
49347 exit5:
49348@@ -2798,6 +2969,8 @@ SYSCALL_DEFINE2(rename, const char __use
49349
49350 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
49351 {
49352+ char tmpbuf[64];
49353+ const char *newlink;
49354 int len;
49355
49356 len = PTR_ERR(link);
49357@@ -2807,7 +2980,14 @@ int vfs_readlink(struct dentry *dentry,
49358 len = strlen(link);
49359 if (len > (unsigned) buflen)
49360 len = buflen;
49361- if (copy_to_user(buffer, link, len))
49362+
49363+ if (len < sizeof(tmpbuf)) {
49364+ memcpy(tmpbuf, link, len);
49365+ newlink = tmpbuf;
49366+ } else
49367+ newlink = link;
49368+
49369+ if (copy_to_user(buffer, newlink, len))
49370 len = -EFAULT;
49371 out:
49372 return len;
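Review bot: The 64-byte tmpbuf bounce copy has no comment, and nothing in either vfs_readlink() hunk says why short link targets must be copied to the stack before copy_to_user(). Presumably it is there so that the usercopy checks this patch set adds see a stack source when `link` points at memory they would reject, but that reason is not visible here. Add a comment such as `/* bounce short targets via the stack for the usercopy check */`, and write the size test as `if ((size_t)len < sizeof(tmpbuf))` so the int-to-size_t comparison is explicit; len is non-negative at that point because it comes from strlen() clamped to buflen.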
49373diff -urNp linux-2.6.32.48/fs/namespace.c linux-2.6.32.48/fs/namespace.c
49374--- linux-2.6.32.48/fs/namespace.c 2011-11-08 19:02:43.000000000 -0500
49375+++ linux-2.6.32.48/fs/namespace.c 2011-11-15 19:59:43.000000000 -0500
49376@@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
49377 if (!(sb->s_flags & MS_RDONLY))
49378 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
49379 up_write(&sb->s_umount);
49380+
49381+ gr_log_remount(mnt->mnt_devname, retval);
49382+
49383 return retval;
49384 }
49385
49386@@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
49387 security_sb_umount_busy(mnt);
49388 up_write(&namespace_sem);
49389 release_mounts(&umount_list);
49390+
49391+ gr_log_unmount(mnt->mnt_devname, retval);
49392+
49393 return retval;
49394 }
49395
49396@@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
49397 if (retval)
49398 goto dput_out;
49399
49400+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
49401+ retval = -EPERM;
49402+ goto dput_out;
49403+ }
49404+
49405+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
49406+ retval = -EPERM;
49407+ goto dput_out;
49408+ }
49409+
49410 if (flags & MS_REMOUNT)
49411 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
49412 data_page);
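Review bot: dev_name is passed to gr_handle_chroot_mount() here and to gr_log_mount() in the next hunk without a NULL check, and do_mount() in mainline accepts a NULL dev_name (that validation is outside the hunk). Both helpers therefore need to tolerate NULL, or the call sites should guard it, e.g. `dev_name ? dev_name : "none"` for the log call. gr_log_mount() also sits after the dput_out label, so it runs for requests these new checks have just refused with -EPERM; a short comment saying the log covers failed mounts as well would make that intent clear.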
49413@@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
49414 dev_name, data_page);
49415 dput_out:
49416 path_put(&path);
49417+
49418+ gr_log_mount(dev_name, dir_name, retval);
49419+
49420 return retval;
49421 }
49422
49423@@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
49424 goto out1;
49425 }
49426
49427+ if (gr_handle_chroot_pivot()) {
49428+ error = -EPERM;
49429+ path_put(&old);
49430+ goto out1;
49431+ }
49432+
49433 read_lock(&current->fs->lock);
49434 root = current->fs->root;
49435 path_get(&current->fs->root);
49436diff -urNp linux-2.6.32.48/fs/ncpfs/dir.c linux-2.6.32.48/fs/ncpfs/dir.c
49437--- linux-2.6.32.48/fs/ncpfs/dir.c 2011-11-08 19:02:43.000000000 -0500
49438+++ linux-2.6.32.48/fs/ncpfs/dir.c 2011-11-15 19:59:43.000000000 -0500
49439@@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
49440 int res, val = 0, len;
49441 __u8 __name[NCP_MAXPATHLEN + 1];
49442
49443+ pax_track_stack();
49444+
49445 parent = dget_parent(dentry);
49446 dir = parent->d_inode;
49447
49448@@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
49449 int error, res, len;
49450 __u8 __name[NCP_MAXPATHLEN + 1];
49451
49452+ pax_track_stack();
49453+
49454 lock_kernel();
49455 error = -EIO;
49456 if (!ncp_conn_valid(server))
49457@@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
49458 int error, result, len;
49459 int opmode;
49460 __u8 __name[NCP_MAXPATHLEN + 1];
49461-
49462+
49463 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
49464 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
49465
49466+ pax_track_stack();
49467+
49468 error = -EIO;
49469 lock_kernel();
49470 if (!ncp_conn_valid(server))
49471@@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
49472 int error, len;
49473 __u8 __name[NCP_MAXPATHLEN + 1];
49474
49475+ pax_track_stack();
49476+
49477 DPRINTK("ncp_mkdir: making %s/%s\n",
49478 dentry->d_parent->d_name.name, dentry->d_name.name);
49479
49480@@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
49481 if (!ncp_conn_valid(server))
49482 goto out;
49483
49484+ pax_track_stack();
49485+
49486 ncp_age_dentry(server, dentry);
49487 len = sizeof(__name);
49488 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
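Review bot: pax_track_stack() is added twice to ncp_mkdir(): once in the previous hunk right after the declarations and again here after the ncp_conn_valid() test. Both hunk headers name ncp_mkdir, and the other functions patched in this file get a single call each, so the second one looks like a leftover. Dropping this one keeps a single call near the top of the function, as in the other hunks.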
49489@@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
49490 int old_len, new_len;
49491 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
49492
49493+ pax_track_stack();
49494+
49495 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
49496 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
49497 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
49498diff -urNp linux-2.6.32.48/fs/ncpfs/inode.c linux-2.6.32.48/fs/ncpfs/inode.c
49499--- linux-2.6.32.48/fs/ncpfs/inode.c 2011-11-08 19:02:43.000000000 -0500
49500+++ linux-2.6.32.48/fs/ncpfs/inode.c 2011-11-15 19:59:43.000000000 -0500
49501@@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
49502 #endif
49503 struct ncp_entry_info finfo;
49504
49505+ pax_track_stack();
49506+
49507 data.wdog_pid = NULL;
49508 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
49509 if (!server)
49510diff -urNp linux-2.6.32.48/fs/nfs/inode.c linux-2.6.32.48/fs/nfs/inode.c
49511--- linux-2.6.32.48/fs/nfs/inode.c 2011-11-08 19:02:43.000000000 -0500
49512+++ linux-2.6.32.48/fs/nfs/inode.c 2011-11-15 19:59:43.000000000 -0500
49513@@ -156,7 +156,7 @@ static void nfs_zap_caches_locked(struct
49514 nfsi->attrtimeo = NFS_MINATTRTIMEO(inode);
49515 nfsi->attrtimeo_timestamp = jiffies;
49516
49517- memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_COOKIEVERF(inode)));
49518+ memset(NFS_COOKIEVERF(inode), 0, sizeof(NFS_I(inode)->cookieverf));
49519 if (S_ISREG(mode) || S_ISDIR(mode) || S_ISLNK(mode))
49520 nfsi->cache_validity |= NFS_INO_INVALID_ATTR|NFS_INO_INVALID_DATA|NFS_INO_INVALID_ACCESS|NFS_INO_INVALID_ACL|NFS_INO_REVAL_PAGECACHE;
49521 else
49522@@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
49523 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
49524 }
49525
49526-static atomic_long_t nfs_attr_generation_counter;
49527+static atomic_long_unchecked_t nfs_attr_generation_counter;
49528
49529 static unsigned long nfs_read_attr_generation_counter(void)
49530 {
49531- return atomic_long_read(&nfs_attr_generation_counter);
49532+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
49533 }
49534
49535 unsigned long nfs_inc_attr_generation_counter(void)
49536 {
49537- return atomic_long_inc_return(&nfs_attr_generation_counter);
49538+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
49539 }
49540
49541 void nfs_fattr_init(struct nfs_fattr *fattr)
49542diff -urNp linux-2.6.32.48/fs/nfsd/lockd.c linux-2.6.32.48/fs/nfsd/lockd.c
49543--- linux-2.6.32.48/fs/nfsd/lockd.c 2011-11-08 19:02:43.000000000 -0500
49544+++ linux-2.6.32.48/fs/nfsd/lockd.c 2011-11-15 19:59:43.000000000 -0500
49545@@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
49546 fput(filp);
49547 }
49548
49549-static struct nlmsvc_binding nfsd_nlm_ops = {
49550+static const struct nlmsvc_binding nfsd_nlm_ops = {
49551 .fopen = nlm_fopen, /* open file for locking */
49552 .fclose = nlm_fclose, /* close file */
49553 };
49554diff -urNp linux-2.6.32.48/fs/nfsd/nfs4state.c linux-2.6.32.48/fs/nfsd/nfs4state.c
49555--- linux-2.6.32.48/fs/nfsd/nfs4state.c 2011-11-08 19:02:43.000000000 -0500
49556+++ linux-2.6.32.48/fs/nfsd/nfs4state.c 2011-11-15 19:59:43.000000000 -0500
49557@@ -3459,6 +3459,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
49558 unsigned int cmd;
49559 int err;
49560
49561+ pax_track_stack();
49562+
49563 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
49564 (long long) lock->lk_offset,
49565 (long long) lock->lk_length);
49566diff -urNp linux-2.6.32.48/fs/nfsd/nfs4xdr.c linux-2.6.32.48/fs/nfsd/nfs4xdr.c
49567--- linux-2.6.32.48/fs/nfsd/nfs4xdr.c 2011-11-08 19:02:43.000000000 -0500
49568+++ linux-2.6.32.48/fs/nfsd/nfs4xdr.c 2011-11-15 19:59:43.000000000 -0500
49569@@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
49570 struct nfsd4_compoundres *resp = rqstp->rq_resp;
49571 u32 minorversion = resp->cstate.minorversion;
49572
49573+ pax_track_stack();
49574+
49575 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
49576 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
49577 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
49578diff -urNp linux-2.6.32.48/fs/nfsd/vfs.c linux-2.6.32.48/fs/nfsd/vfs.c
49579--- linux-2.6.32.48/fs/nfsd/vfs.c 2011-11-08 19:02:43.000000000 -0500
49580+++ linux-2.6.32.48/fs/nfsd/vfs.c 2011-11-15 19:59:43.000000000 -0500
49581@@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
49582 } else {
49583 oldfs = get_fs();
49584 set_fs(KERNEL_DS);
49585- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
49586+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
49587 set_fs(oldfs);
49588 }
49589
49590@@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
49591
49592 /* Write the data. */
49593 oldfs = get_fs(); set_fs(KERNEL_DS);
49594- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
49595+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &offset);
49596 set_fs(oldfs);
49597 if (host_err < 0)
49598 goto out_nfserr;
49599@@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
49600 */
49601
49602 oldfs = get_fs(); set_fs(KERNEL_DS);
49603- host_err = inode->i_op->readlink(dentry, buf, *lenp);
49604+ host_err = inode->i_op->readlink(dentry, (char __force_user *)buf, *lenp);
49605 set_fs(oldfs);
49606
49607 if (host_err < 0)
49608diff -urNp linux-2.6.32.48/fs/nilfs2/ioctl.c linux-2.6.32.48/fs/nilfs2/ioctl.c
49609--- linux-2.6.32.48/fs/nilfs2/ioctl.c 2011-11-08 19:02:43.000000000 -0500
49610+++ linux-2.6.32.48/fs/nilfs2/ioctl.c 2011-11-15 19:59:43.000000000 -0500
49611@@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
49612 unsigned int cmd, void __user *argp)
49613 {
49614 struct nilfs_argv argv[5];
49615- const static size_t argsz[5] = {
49616+ static const size_t argsz[5] = {
49617 sizeof(struct nilfs_vdesc),
49618 sizeof(struct nilfs_period),
49619 sizeof(__u64),
49620diff -urNp linux-2.6.32.48/fs/notify/dnotify/dnotify.c linux-2.6.32.48/fs/notify/dnotify/dnotify.c
49621--- linux-2.6.32.48/fs/notify/dnotify/dnotify.c 2011-11-08 19:02:43.000000000 -0500
49622+++ linux-2.6.32.48/fs/notify/dnotify/dnotify.c 2011-11-15 19:59:43.000000000 -0500
49623@@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
49624 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
49625 }
49626
49627-static struct fsnotify_ops dnotify_fsnotify_ops = {
49628+static const struct fsnotify_ops dnotify_fsnotify_ops = {
49629 .handle_event = dnotify_handle_event,
49630 .should_send_event = dnotify_should_send_event,
49631 .free_group_priv = NULL,
49632diff -urNp linux-2.6.32.48/fs/notify/notification.c linux-2.6.32.48/fs/notify/notification.c
49633--- linux-2.6.32.48/fs/notify/notification.c 2011-11-08 19:02:43.000000000 -0500
49634+++ linux-2.6.32.48/fs/notify/notification.c 2011-11-15 19:59:43.000000000 -0500
49635@@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
49636 * get set to 0 so it will never get 'freed'
49637 */
49638 static struct fsnotify_event q_overflow_event;
49639-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49640+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
49641
49642 /**
49643 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
49644@@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
49645 */
49646 u32 fsnotify_get_cookie(void)
49647 {
49648- return atomic_inc_return(&fsnotify_sync_cookie);
49649+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
49650 }
49651 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
49652
49653diff -urNp linux-2.6.32.48/fs/ntfs/dir.c linux-2.6.32.48/fs/ntfs/dir.c
49654--- linux-2.6.32.48/fs/ntfs/dir.c 2011-11-08 19:02:43.000000000 -0500
49655+++ linux-2.6.32.48/fs/ntfs/dir.c 2011-11-15 19:59:43.000000000 -0500
49656@@ -1328,7 +1328,7 @@ find_next_index_buffer:
49657 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
49658 ~(s64)(ndir->itype.index.block_size - 1)));
49659 /* Bounds checks. */
49660- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49661+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
49662 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
49663 "inode 0x%lx or driver bug.", vdir->i_ino);
49664 goto err_out;
49665diff -urNp linux-2.6.32.48/fs/ntfs/file.c linux-2.6.32.48/fs/ntfs/file.c
49666--- linux-2.6.32.48/fs/ntfs/file.c 2011-11-08 19:02:43.000000000 -0500
49667+++ linux-2.6.32.48/fs/ntfs/file.c 2011-11-15 19:59:43.000000000 -0500
49668@@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
49669 #endif /* NTFS_RW */
49670 };
49671
49672-const struct file_operations ntfs_empty_file_ops = {};
49673+const struct file_operations ntfs_empty_file_ops __read_only;
49674
49675-const struct inode_operations ntfs_empty_inode_ops = {};
49676+const struct inode_operations ntfs_empty_inode_ops __read_only;
49677diff -urNp linux-2.6.32.48/fs/ocfs2/cluster/masklog.c linux-2.6.32.48/fs/ocfs2/cluster/masklog.c
49678--- linux-2.6.32.48/fs/ocfs2/cluster/masklog.c 2011-11-08 19:02:43.000000000 -0500
49679+++ linux-2.6.32.48/fs/ocfs2/cluster/masklog.c 2011-11-15 19:59:43.000000000 -0500
49680@@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
49681 return mlog_mask_store(mlog_attr->mask, buf, count);
49682 }
49683
49684-static struct sysfs_ops mlog_attr_ops = {
49685+static const struct sysfs_ops mlog_attr_ops = {
49686 .show = mlog_show,
49687 .store = mlog_store,
49688 };
49689diff -urNp linux-2.6.32.48/fs/ocfs2/localalloc.c linux-2.6.32.48/fs/ocfs2/localalloc.c
49690--- linux-2.6.32.48/fs/ocfs2/localalloc.c 2011-11-08 19:02:43.000000000 -0500
49691+++ linux-2.6.32.48/fs/ocfs2/localalloc.c 2011-11-15 19:59:43.000000000 -0500
49692@@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
49693 goto bail;
49694 }
49695
49696- atomic_inc(&osb->alloc_stats.moves);
49697+ atomic_inc_unchecked(&osb->alloc_stats.moves);
49698
49699 status = 0;
49700 bail:
49701diff -urNp linux-2.6.32.48/fs/ocfs2/namei.c linux-2.6.32.48/fs/ocfs2/namei.c
49702--- linux-2.6.32.48/fs/ocfs2/namei.c 2011-11-08 19:02:43.000000000 -0500
49703+++ linux-2.6.32.48/fs/ocfs2/namei.c 2011-11-15 19:59:43.000000000 -0500
49704@@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
49705 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
49706 struct ocfs2_dir_lookup_result target_insert = { NULL, };
49707
49708+ pax_track_stack();
49709+
49710 /* At some point it might be nice to break this function up a
49711 * bit. */
49712
49713diff -urNp linux-2.6.32.48/fs/ocfs2/ocfs2.h linux-2.6.32.48/fs/ocfs2/ocfs2.h
49714--- linux-2.6.32.48/fs/ocfs2/ocfs2.h 2011-11-08 19:02:43.000000000 -0500
49715+++ linux-2.6.32.48/fs/ocfs2/ocfs2.h 2011-11-15 19:59:43.000000000 -0500
49716@@ -217,11 +217,11 @@ enum ocfs2_vol_state
49717
49718 struct ocfs2_alloc_stats
49719 {
49720- atomic_t moves;
49721- atomic_t local_data;
49722- atomic_t bitmap_data;
49723- atomic_t bg_allocs;
49724- atomic_t bg_extends;
49725+ atomic_unchecked_t moves;
49726+ atomic_unchecked_t local_data;
49727+ atomic_unchecked_t bitmap_data;
49728+ atomic_unchecked_t bg_allocs;
49729+ atomic_unchecked_t bg_extends;
49730 };
49731
49732 enum ocfs2_local_alloc_state
49733diff -urNp linux-2.6.32.48/fs/ocfs2/suballoc.c linux-2.6.32.48/fs/ocfs2/suballoc.c
49734--- linux-2.6.32.48/fs/ocfs2/suballoc.c 2011-11-08 19:02:43.000000000 -0500
49735+++ linux-2.6.32.48/fs/ocfs2/suballoc.c 2011-11-15 19:59:43.000000000 -0500
49736@@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
49737 mlog_errno(status);
49738 goto bail;
49739 }
49740- atomic_inc(&osb->alloc_stats.bg_extends);
49741+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
49742
49743 /* You should never ask for this much metadata */
49744 BUG_ON(bits_wanted >
49745@@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
49746 mlog_errno(status);
49747 goto bail;
49748 }
49749- atomic_inc(&osb->alloc_stats.bg_allocs);
49750+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
49751
49752 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
49753 ac->ac_bits_given += (*num_bits);
49754@@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
49755 mlog_errno(status);
49756 goto bail;
49757 }
49758- atomic_inc(&osb->alloc_stats.bg_allocs);
49759+ atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
49760
49761 BUG_ON(num_bits != 1);
49762
49763@@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
49764 cluster_start,
49765 num_clusters);
49766 if (!status)
49767- atomic_inc(&osb->alloc_stats.local_data);
49768+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
49769 } else {
49770 if (min_clusters > (osb->bitmap_cpg - 1)) {
49771 /* The only paths asking for contiguousness
49772@@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
49773 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
49774 bg_blkno,
49775 bg_bit_off);
49776- atomic_inc(&osb->alloc_stats.bitmap_data);
49777+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
49778 }
49779 }
49780 if (status < 0) {
49781diff -urNp linux-2.6.32.48/fs/ocfs2/super.c linux-2.6.32.48/fs/ocfs2/super.c
49782--- linux-2.6.32.48/fs/ocfs2/super.c 2011-11-08 19:02:43.000000000 -0500
49783+++ linux-2.6.32.48/fs/ocfs2/super.c 2011-11-15 19:59:43.000000000 -0500
49784@@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
49785 "%10s => GlobalAllocs: %d LocalAllocs: %d "
49786 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
49787 "Stats",
49788- atomic_read(&osb->alloc_stats.bitmap_data),
49789- atomic_read(&osb->alloc_stats.local_data),
49790- atomic_read(&osb->alloc_stats.bg_allocs),
49791- atomic_read(&osb->alloc_stats.moves),
49792- atomic_read(&osb->alloc_stats.bg_extends));
49793+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
49794+ atomic_read_unchecked(&osb->alloc_stats.local_data),
49795+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
49796+ atomic_read_unchecked(&osb->alloc_stats.moves),
49797+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
49798
49799 out += snprintf(buf + out, len - out,
49800 "%10s => State: %u Descriptor: %llu Size: %u bits "
49801@@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
49802 spin_lock_init(&osb->osb_xattr_lock);
49803 ocfs2_init_inode_steal_slot(osb);
49804
49805- atomic_set(&osb->alloc_stats.moves, 0);
49806- atomic_set(&osb->alloc_stats.local_data, 0);
49807- atomic_set(&osb->alloc_stats.bitmap_data, 0);
49808- atomic_set(&osb->alloc_stats.bg_allocs, 0);
49809- atomic_set(&osb->alloc_stats.bg_extends, 0);
49810+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
49811+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
49812+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
49813+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
49814+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
49815
49816 /* Copy the blockcheck stats from the superblock probe */
49817 osb->osb_ecc_stats = *stats;
49818diff -urNp linux-2.6.32.48/fs/open.c linux-2.6.32.48/fs/open.c
49819--- linux-2.6.32.48/fs/open.c 2011-11-08 19:02:43.000000000 -0500
49820+++ linux-2.6.32.48/fs/open.c 2011-11-15 19:59:43.000000000 -0500
49821@@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
49822 error = locks_verify_truncate(inode, NULL, length);
49823 if (!error)
49824 error = security_path_truncate(&path, length, 0);
49825+
49826+ if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
49827+ error = -EACCES;
49828+
49829 if (!error) {
49830 vfs_dq_init(inode);
49831 error = do_truncate(path.dentry, length, 0, NULL);
49832@@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
49833 if (__mnt_is_readonly(path.mnt))
49834 res = -EROFS;
49835
49836+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
49837+ res = -EACCES;
49838+
49839 out_path_release:
49840 path_put(&path);
49841 out:
49842@@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
49843 if (error)
49844 goto dput_and_out;
49845
49846+ gr_log_chdir(path.dentry, path.mnt);
49847+
49848 set_fs_pwd(current->fs, &path);
49849
49850 dput_and_out:
49851@@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
49852 goto out_putf;
49853
49854 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
49855+
49856+ if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
49857+ error = -EPERM;
49858+
49859+ if (!error)
49860+ gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
49861+
49862 if (!error)
49863 set_fs_pwd(current->fs, &file->f_path);
49864 out_putf:
49865@@ -588,7 +604,13 @@ SYSCALL_DEFINE1(chroot, const char __use
49866 if (!capable(CAP_SYS_CHROOT))
49867 goto dput_and_out;
49868
49869+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
49870+ goto dput_and_out;
49871+
49872 set_fs_root(current->fs, &path);
49873+
49874+ gr_handle_chroot_chdir(&path);
49875+
49876 error = 0;
49877 dput_and_out:
49878 path_put(&path);
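Review bot: The added `goto dput_and_out` after `gr_handle_chroot_chroot()` sets no error code of its own, so the value returned on denial depends on an assignment that is not visible in this hunk (presumably the `-EPERM` set up for the `capable(CAP_SYS_CHROOT)` test). Either assign it explicitly or add `/* error is still -EPERM from the capability check above */`, so the denial path stays correct if the code above is reordered. `gr_handle_chroot_chdir(&path)` is called as a bare statement after `set_fs_root()`; a one-line comment on why it must run at that point would help. The syscall body starts and ends outside the hunk.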
49879@@ -616,12 +638,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
49880 err = mnt_want_write_file(file);
49881 if (err)
49882 goto out_putf;
49883+
49884 mutex_lock(&inode->i_mutex);
49885+
49886+ if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
49887+ err = -EACCES;
49888+ goto out_unlock;
49889+ }
49890+
49891 if (mode == (mode_t) -1)
49892 mode = inode->i_mode;
49893+
49894+ if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
49895+ err = -EPERM;
49896+ goto out_unlock;
49897+ }
49898+
49899 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49900 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49901 err = notify_change(dentry, &newattrs);
49902+
49903+out_unlock:
49904 mutex_unlock(&inode->i_mutex);
49905 mnt_drop_write(file->f_path.mnt);
49906 out_putf:
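Review bot: The chroot chmod denial returns `-EPERM` here in fchmod but `-EACCES` in the matching fchmodat hunk that follows, so the same policy decision surfaces as two different errno values depending on which syscall was used. Unless the difference is intended, the fchmodat branch should read `error = -EPERM;` to match. Separately, `gr_acl_handle_fchmod()` is given `mode` before the `(mode_t) -1` normalisation while `gr_handle_chroot_chmod()` sees it afterwards; a short comment saying which value each helper expects would remove the guesswork. Both syscall bodies begin and end outside their hunks.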
49907@@ -645,12 +682,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
49908 error = mnt_want_write(path.mnt);
49909 if (error)
49910 goto dput_and_out;
49911+
49912 mutex_lock(&inode->i_mutex);
49913+
49914+ if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
49915+ error = -EACCES;
49916+ goto out_unlock;
49917+ }
49918+
49919 if (mode == (mode_t) -1)
49920 mode = inode->i_mode;
49921+
49922+ if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
49923+ error = -EACCES;
49924+ goto out_unlock;
49925+ }
49926+
49927 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
49928 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
49929 error = notify_change(path.dentry, &newattrs);
49930+
49931+out_unlock:
49932 mutex_unlock(&inode->i_mutex);
49933 mnt_drop_write(path.mnt);
49934 dput_and_out:
49935@@ -664,12 +716,15 @@ SYSCALL_DEFINE2(chmod, const char __user
49936 return sys_fchmodat(AT_FDCWD, filename, mode);
49937 }
49938
49939-static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
49940+static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
49941 {
49942 struct inode *inode = dentry->d_inode;
49943 int error;
49944 struct iattr newattrs;
49945
49946+ if (!gr_acl_handle_chown(dentry, mnt))
49947+ return -EACCES;
49948+
49949 newattrs.ia_valid = ATTR_CTIME;
49950 if (user != (uid_t) -1) {
49951 newattrs.ia_valid |= ATTR_UID;
49952@@ -700,7 +755,7 @@ SYSCALL_DEFINE3(chown, const char __user
49953 error = mnt_want_write(path.mnt);
49954 if (error)
49955 goto out_release;
49956- error = chown_common(path.dentry, user, group);
49957+ error = chown_common(path.dentry, user, group, path.mnt);
49958 mnt_drop_write(path.mnt);
49959 out_release:
49960 path_put(&path);
49961@@ -725,7 +780,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
49962 error = mnt_want_write(path.mnt);
49963 if (error)
49964 goto out_release;
49965- error = chown_common(path.dentry, user, group);
49966+ error = chown_common(path.dentry, user, group, path.mnt);
49967 mnt_drop_write(path.mnt);
49968 out_release:
49969 path_put(&path);
49970@@ -744,7 +799,7 @@ SYSCALL_DEFINE3(lchown, const char __use
49971 error = mnt_want_write(path.mnt);
49972 if (error)
49973 goto out_release;
49974- error = chown_common(path.dentry, user, group);
49975+ error = chown_common(path.dentry, user, group, path.mnt);
49976 mnt_drop_write(path.mnt);
49977 out_release:
49978 path_put(&path);
49979@@ -767,7 +822,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
49980 goto out_fput;
49981 dentry = file->f_path.dentry;
49982 audit_inode(NULL, dentry);
49983- error = chown_common(dentry, user, group);
49984+ error = chown_common(dentry, user, group, file->f_path.mnt);
49985 mnt_drop_write(file->f_path.mnt);
49986 out_fput:
49987 fput(file);
49988@@ -1036,7 +1091,10 @@ long do_sys_open(int dfd, const char __u
49989 if (!IS_ERR(tmp)) {
49990 fd = get_unused_fd_flags(flags);
49991 if (fd >= 0) {
49992- struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
49993+ struct file *f;
49994+ /* don't allow to be set by userland */
49995+ flags &= ~FMODE_GREXEC;
49996+ f = do_filp_open(dfd, tmp, flags, mode, 0);
49997 if (IS_ERR(f)) {
49998 put_unused_fd(fd);
49999 fd = PTR_ERR(f);
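Review bot: The mask `flags &= ~FMODE_GREXEC;` clears an `FMODE_`-named bit from the `O_*` open flags, and the comment "don't allow to be set by userland" does not say why a file-mode bit is being carried in that namespace. Suggested wording, to be confirmed against the definition outside this hunk: `/* FMODE_GREXEC is a kernel-internal marker passed through the open flags; strip it so only in-kernel callers of do_filp_open() can set it */`. The mask is applied after `get_unused_fd_flags(flags)` has already consumed `flags`, so moving it to the top of `do_sys_open()` would make it cover every use. The function body starts and ends outside the hunk.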
50000diff -urNp linux-2.6.32.48/fs/partitions/ldm.c linux-2.6.32.48/fs/partitions/ldm.c
50001--- linux-2.6.32.48/fs/partitions/ldm.c 2011-11-08 19:02:43.000000000 -0500
50002+++ linux-2.6.32.48/fs/partitions/ldm.c 2011-11-15 19:59:43.000000000 -0500
50003@@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
50004 ldm_error ("A VBLK claims to have %d parts.", num);
50005 return false;
50006 }
50007+
50008 if (rec >= num) {
50009 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
50010 return false;
50011@@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
50012 goto found;
50013 }
50014
50015- f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
50016+ f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
50017 if (!f) {
50018 ldm_crit ("Out of memory.");
50019 return false;
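Review bot: Swapping the operands to `size*num + sizeof (*f)` leaves the computed allocation size unchanged, so the reason for the reorder is not evident and should be stated in a comment. `size` and `num` appear to come from the on-disk VBLK (the error messages above print them with `%d`), and the product is still evaluated before any range check on the result; the check on `num` is in the previous hunk, and any bound on `size` is outside the visible lines. An explicit test that `size*num` cannot overflow, placed before the `kmalloc()` call, would make the intent reviewable. ldm_frag_add's body starts and ends outside the hunk.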
50020diff -urNp linux-2.6.32.48/fs/partitions/mac.c linux-2.6.32.48/fs/partitions/mac.c
50021--- linux-2.6.32.48/fs/partitions/mac.c 2011-11-08 19:02:43.000000000 -0500
50022+++ linux-2.6.32.48/fs/partitions/mac.c 2011-11-15 19:59:43.000000000 -0500
50023@@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
50024 return 0; /* not a MacOS disk */
50025 }
50026 blocks_in_map = be32_to_cpu(part->map_count);
50027+ printk(" [mac]");
50028 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
50029 put_dev_sector(sect);
50030 return 0;
50031 }
50032- printk(" [mac]");
50033 for (slot = 1; slot <= blocks_in_map; ++slot) {
50034 int pos = slot * secsize;
50035 put_dev_sector(sect);
50036diff -urNp linux-2.6.32.48/fs/pipe.c linux-2.6.32.48/fs/pipe.c
50037--- linux-2.6.32.48/fs/pipe.c 2011-11-08 19:02:43.000000000 -0500
50038+++ linux-2.6.32.48/fs/pipe.c 2011-11-15 19:59:43.000000000 -0500
50039@@ -401,9 +401,9 @@ redo:
50040 }
50041 if (bufs) /* More to do? */
50042 continue;
50043- if (!pipe->writers)
50044+ if (!atomic_read(&pipe->writers))
50045 break;
50046- if (!pipe->waiting_writers) {
50047+ if (!atomic_read(&pipe->waiting_writers)) {
50048 /* syscall merging: Usually we must not sleep
50049 * if O_NONBLOCK is set, or if we got some data.
50050 * But if a writer sleeps in kernel space, then
50051@@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
50052 mutex_lock(&inode->i_mutex);
50053 pipe = inode->i_pipe;
50054
50055- if (!pipe->readers) {
50056+ if (!atomic_read(&pipe->readers)) {
50057 send_sig(SIGPIPE, current, 0);
50058 ret = -EPIPE;
50059 goto out;
50060@@ -511,7 +511,7 @@ redo1:
50061 for (;;) {
50062 int bufs;
50063
50064- if (!pipe->readers) {
50065+ if (!atomic_read(&pipe->readers)) {
50066 send_sig(SIGPIPE, current, 0);
50067 if (!ret)
50068 ret = -EPIPE;
50069@@ -597,9 +597,9 @@ redo2:
50070 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
50071 do_wakeup = 0;
50072 }
50073- pipe->waiting_writers++;
50074+ atomic_inc(&pipe->waiting_writers);
50075 pipe_wait(pipe);
50076- pipe->waiting_writers--;
50077+ atomic_dec(&pipe->waiting_writers);
50078 }
50079 out:
50080 mutex_unlock(&inode->i_mutex);
50081@@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
50082 mask = 0;
50083 if (filp->f_mode & FMODE_READ) {
50084 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
50085- if (!pipe->writers && filp->f_version != pipe->w_counter)
50086+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
50087 mask |= POLLHUP;
50088 }
50089
50090@@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
50091 * Most Unices do not set POLLERR for FIFOs but on Linux they
50092 * behave exactly like pipes for poll().
50093 */
50094- if (!pipe->readers)
50095+ if (!atomic_read(&pipe->readers))
50096 mask |= POLLERR;
50097 }
50098
50099@@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
50100
50101 mutex_lock(&inode->i_mutex);
50102 pipe = inode->i_pipe;
50103- pipe->readers -= decr;
50104- pipe->writers -= decw;
50105+ atomic_sub(decr, &pipe->readers);
50106+ atomic_sub(decw, &pipe->writers);
50107
50108- if (!pipe->readers && !pipe->writers) {
50109+ if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
50110 free_pipe_info(inode);
50111 } else {
50112 wake_up_interruptible_sync(&pipe->wait);
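Review bot: The two `atomic_sub()` calls followed by separate `atomic_read()` tests are not a single atomic step, so the decision to call `free_pipe_info()` still depends on `inode->i_mutex` being held, as it is at the top of this hunk. A comment such as `/* counters are atomic_t, but i_mutex still serialises every update and test */` would stop a later reader from assuming lock-free use is safe. The same applies to the `atomic_inc()` conversions in the pipe_read_open, pipe_write_open and pipe_rdwr_open hunks below. pipe_release's body starts and ends outside the hunk.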
50113@@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
50114
50115 if (inode->i_pipe) {
50116 ret = 0;
50117- inode->i_pipe->readers++;
50118+ atomic_inc(&inode->i_pipe->readers);
50119 }
50120
50121 mutex_unlock(&inode->i_mutex);
50122@@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
50123
50124 if (inode->i_pipe) {
50125 ret = 0;
50126- inode->i_pipe->writers++;
50127+ atomic_inc(&inode->i_pipe->writers);
50128 }
50129
50130 mutex_unlock(&inode->i_mutex);
50131@@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
50132 if (inode->i_pipe) {
50133 ret = 0;
50134 if (filp->f_mode & FMODE_READ)
50135- inode->i_pipe->readers++;
50136+ atomic_inc(&inode->i_pipe->readers);
50137 if (filp->f_mode & FMODE_WRITE)
50138- inode->i_pipe->writers++;
50139+ atomic_inc(&inode->i_pipe->writers);
50140 }
50141
50142 mutex_unlock(&inode->i_mutex);
50143@@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
50144 inode->i_pipe = NULL;
50145 }
50146
50147-static struct vfsmount *pipe_mnt __read_mostly;
50148+struct vfsmount *pipe_mnt __read_mostly;
50149 static int pipefs_delete_dentry(struct dentry *dentry)
50150 {
50151 /*
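Review bot: Dropping `static` from `pipe_mnt` turns a file-local pointer into a global symbol, and this hunk shows neither the `extern` declaration nor the code that needs it. The declaration belongs in one shared header rather than in each consumer, and a comment here should name the user, e.g. `/* non-static: referenced outside fs/pipe.c, declared in <header> */` with the header filled in. `__read_mostly` is only a placement hint, so any code that can see the symbol can now also write it.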
50152@@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
50153 goto fail_iput;
50154 inode->i_pipe = pipe;
50155
50156- pipe->readers = pipe->writers = 1;
50157+ atomic_set(&pipe->readers, 1);
50158+ atomic_set(&pipe->writers, 1);
50159 inode->i_fop = &rdwr_pipefifo_fops;
50160
50161 /*
50162diff -urNp linux-2.6.32.48/fs/proc/array.c linux-2.6.32.48/fs/proc/array.c
50163--- linux-2.6.32.48/fs/proc/array.c 2011-11-08 19:02:43.000000000 -0500
50164+++ linux-2.6.32.48/fs/proc/array.c 2011-11-15 19:59:43.000000000 -0500
50165@@ -60,6 +60,7 @@
50166 #include <linux/tty.h>
50167 #include <linux/string.h>
50168 #include <linux/mman.h>
50169+#include <linux/grsecurity.h>
50170 #include <linux/proc_fs.h>
50171 #include <linux/ioport.h>
50172 #include <linux/uaccess.h>
50173@@ -321,6 +322,21 @@ static inline void task_context_switch_c
50174 p->nivcsw);
50175 }
50176
50177+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50178+static inline void task_pax(struct seq_file *m, struct task_struct *p)
50179+{
50180+ if (p->mm)
50181+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
50182+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
50183+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
50184+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
50185+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
50186+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
50187+ else
50188+ seq_printf(m, "PaX:\t-----\n");
50189+}
50190+#endif
50191+
50192 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
50193 struct pid *pid, struct task_struct *task)
50194 {
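Review bot: `task_pax()` tests `p->mm` and then re-reads it five more times without holding a reference, so for a task other than `current` the mm can be detached or released between the test and the dereferences. Nothing in this hunk, or at the `task_pax(m, task)` call site in the next hunk, shows a lock or reference being held. Taking the mm once with `get_task_mm()` and dropping it with `mmput()`, as `proc_pid_auxv()` in fs/proc/base.c does, closes that window. Note that `get_task_mm()` also returns NULL for kernel threads, which would print the `-----` line for them.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```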
50195@@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
50196 task_cap(m, task);
50197 cpuset_task_status_allowed(m, task);
50198 task_context_switch_counts(m, task);
50199+
50200+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
50201+ task_pax(m, task);
50202+#endif
50203+
50204+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
50205+ task_grsec_rbac(m, task);
50206+#endif
50207+
50208 return 0;
50209 }
50210
50211+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50212+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50213+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
50214+ _mm->pax_flags & MF_PAX_SEGMEXEC))
50215+#endif
50216+
50217 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
50218 struct pid *pid, struct task_struct *task, int whole)
50219 {
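Review bot: `PAX_RAND_FLAGS(_mm)` expands its argument four times without parentheses, and the same macro is defined a second time, identically, in the fs/proc/base.c part of this patch. Writing `(_mm)` throughout, or better replacing both copies with one `static inline` helper in a shared header, avoids precedence surprises and keeps the two definitions from drifting apart. `task_grsec_rbac()` is called here with no declaration visible in the hunk; presumably it comes from the `linux/grsecurity.h` include added above, which a comment could confirm.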
50220@@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
50221 cputime_t cutime, cstime, utime, stime;
50222 cputime_t cgtime, gtime;
50223 unsigned long rsslim = 0;
50224- char tcomm[sizeof(task->comm)];
50225+ char tcomm[sizeof(task->comm)] = { 0 };
50226 unsigned long flags;
50227
50228+ pax_track_stack();
50229+
50230 state = *get_task_state(task);
50231 vsize = eip = esp = 0;
50232 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
50233@@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
50234 gtime = task_gtime(task);
50235 }
50236
50237+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50238+ if (PAX_RAND_FLAGS(mm)) {
50239+ eip = 0;
50240+ esp = 0;
50241+ wchan = 0;
50242+ }
50243+#endif
50244+#ifdef CONFIG_GRKERNSEC_HIDESYM
50245+ wchan = 0;
50246+ eip =0;
50247+ esp =0;
50248+#endif
50249+
50250 /* scale priority and nice values from timeslices to -20..20 */
50251 /* to make it look like a "normal" Unix priority/nice value */
50252 priority = task_prio(task);
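Review bot: With `CONFIG_GRKERNSEC_HIDESYM` set, the second block zeroes `wchan`, `eip` and `esp` unconditionally, which makes the `PAX_RAND_FLAGS(mm)` block above it redundant in that configuration. Writing the pair as `#ifdef CONFIG_GRKERNSEC_HIDESYM` … `#elif defined(CONFIG_GRKERNSEC_PROC_MEMMAP)` would make the precedence visible. The added lines `eip =0;` and `esp =0;` also lack the space after `=` that the rest of the hunk uses. do_task_stat's body starts and ends outside the hunk.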
50253@@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
50254 vsize,
50255 mm ? get_mm_rss(mm) : 0,
50256 rsslim,
50257+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50258+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
50259+ PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
50260+ PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
50261+#else
50262 mm ? (permitted ? mm->start_code : 1) : 0,
50263 mm ? (permitted ? mm->end_code : 1) : 0,
50264 (permitted && mm) ? mm->start_stack : 0,
50265+#endif
50266 esp,
50267 eip,
50268 /* The signal information here is obsolete.
50269@@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
50270
50271 return 0;
50272 }
50273+
50274+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50275+int proc_pid_ipaddr(struct task_struct *task, char *buffer)
50276+{
50277+ u32 curr_ip = 0;
50278+ unsigned long flags;
50279+
50280+ if (lock_task_sighand(task, &flags)) {
50281+ curr_ip = task->signal->curr_ip;
50282+ unlock_task_sighand(task, &flags);
50283+ }
50284+
50285+ return sprintf(buffer, "%pI4\n", &curr_ip);
50286+}
50287+#endif
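Review bot: When `lock_task_sighand()` fails, `proc_pid_ipaddr()` prints `0.0.0.0`, which a reader of the file cannot tell apart from a task with no recorded address, and the function has no comment saying what `curr_ip` records. Suggested header: `/* Print the IPv4 address in task->signal->curr_ip; 0.0.0.0 if none is recorded or the sighand lock cannot be taken. */`. The `sprintf()` output is bounded by the `%pI4` format, but the size of `buffer` is chosen by the caller outside this hunk, so the comment should also state the buffer size the function assumes.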
50288diff -urNp linux-2.6.32.48/fs/proc/base.c linux-2.6.32.48/fs/proc/base.c
50289--- linux-2.6.32.48/fs/proc/base.c 2011-11-08 19:02:43.000000000 -0500
50290+++ linux-2.6.32.48/fs/proc/base.c 2011-11-15 19:59:43.000000000 -0500
50291@@ -102,6 +102,22 @@ struct pid_entry {
50292 union proc_op op;
50293 };
50294
50295+struct getdents_callback {
50296+ struct linux_dirent __user * current_dir;
50297+ struct linux_dirent __user * previous;
50298+ struct file * file;
50299+ int count;
50300+ int error;
50301+};
50302+
50303+static int gr_fake_filldir(void * __buf, const char *name, int namlen,
50304+ loff_t offset, u64 ino, unsigned int d_type)
50305+{
50306+ struct getdents_callback * buf = (struct getdents_callback *) __buf;
50307+ buf->error = -EINVAL;
50308+ return 0;
50309+}
50310+
50311 #define NOD(NAME, MODE, IOP, FOP, OP) { \
50312 .name = (NAME), \
50313 .len = sizeof(NAME) - 1, \
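Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a locally re-declared `struct getdents_callback` and stores to `buf->error`, which is only valid when the readdir caller really passed that structure. `proc_pid_readdir()` later in this patch forwards whatever `dirent` the caller supplied, and nothing visible guarantees that layout, since other readdir entry points and in-kernel callers use their own callback structures. The store could therefore land in an unrelated field. The struct is also a private copy that has to be kept in step with its original by hand. A safer form is for the callback to leave `__buf` untouched and just `return 0;`, or for `proc_pid_readdir()` to skip the `proc_pid_fill_cache()` call for hidden tasks; if the `-EINVAL` side effect is required, the comment should say which callers it is valid for.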
50314@@ -213,6 +229,9 @@ static int check_mem_permission(struct t
50315 if (task == current)
50316 return 0;
50317
50318+ if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
50319+ return -EPERM;
50320+
50321 /*
50322 * If current is actively ptrace'ing, and would also be
50323 * permitted to freshly attach with ptrace now, permit it.
50324@@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
50325 if (!mm->arg_end)
50326 goto out_mm; /* Shh! No looking before we're done */
50327
50328+ if (gr_acl_handle_procpidmem(task))
50329+ goto out_mm;
50330+
50331 len = mm->arg_end - mm->arg_start;
50332
50333 if (len > PAGE_SIZE)
50334@@ -287,12 +309,28 @@ out:
50335 return res;
50336 }
50337
50338+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50339+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
50340+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
50341+ _mm->pax_flags & MF_PAX_SEGMEXEC))
50342+#endif
50343+
50344 static int proc_pid_auxv(struct task_struct *task, char *buffer)
50345 {
50346 int res = 0;
50347 struct mm_struct *mm = get_task_mm(task);
50348 if (mm) {
50349 unsigned int nwords = 0;
50350+
50351+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
50352+ /* allow if we're currently ptracing this task */
50353+ if (PAX_RAND_FLAGS(mm) &&
50354+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
50355+ mmput(mm);
50356+ return 0;
50357+ }
50358+#endif
50359+
50360 do {
50361 nwords += 2;
50362 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
50363@@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
50364 }
50365
50366
50367-#ifdef CONFIG_KALLSYMS
50368+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50369 /*
50370 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
50371 * Returns the resolved symbol. If that fails, simply return the address.
50372@@ -345,7 +383,7 @@ static void unlock_trace(struct task_str
50373 mutex_unlock(&task->cred_guard_mutex);
50374 }
50375
50376-#ifdef CONFIG_STACKTRACE
50377+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50378
50379 #define MAX_STACK_TRACE_DEPTH 64
50380
50381@@ -545,7 +583,7 @@ static int proc_pid_limits(struct task_s
50382 return count;
50383 }
50384
50385-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50386+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50387 static int proc_pid_syscall(struct task_struct *task, char *buffer)
50388 {
50389 long nr;
50390@@ -574,7 +612,7 @@ static int proc_pid_syscall(struct task_
50391 /************************************************************************/
50392
50393 /* permission checks */
50394-static int proc_fd_access_allowed(struct inode *inode)
50395+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
50396 {
50397 struct task_struct *task;
50398 int allowed = 0;
50399@@ -584,7 +622,10 @@ static int proc_fd_access_allowed(struct
50400 */
50401 task = get_proc_task(inode);
50402 if (task) {
50403- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50404+ if (log)
50405+ allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
50406+ else
50407+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
50408 put_task_struct(task);
50409 }
50410 return allowed;
50411@@ -963,6 +1004,9 @@ static ssize_t environ_read(struct file
50412 if (!task)
50413 goto out_no_task;
50414
50415+ if (gr_acl_handle_procpidmem(task))
50416+ goto out;
50417+
50418 if (!ptrace_may_access(task, PTRACE_MODE_READ))
50419 goto out;
50420
50421@@ -1377,7 +1421,7 @@ static void *proc_pid_follow_link(struct
50422 path_put(&nd->path);
50423
50424 /* Are we allowed to snoop on the tasks file descriptors? */
50425- if (!proc_fd_access_allowed(inode))
50426+ if (!proc_fd_access_allowed(inode,0))
50427 goto out;
50428
50429 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
50430@@ -1417,8 +1461,18 @@ static int proc_pid_readlink(struct dent
50431 struct path path;
50432
50433 /* Are we allowed to snoop on the tasks file descriptors? */
50434- if (!proc_fd_access_allowed(inode))
50435- goto out;
50436+ /* logging this is needed for learning on chromium to work properly,
50437+ but we don't want to flood the logs from 'ps' which does a readlink
50438+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
50439+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
50440+ */
50441+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
50442+ if (!proc_fd_access_allowed(inode,0))
50443+ goto out;
50444+ } else {
50445+ if (!proc_fd_access_allowed(inode,1))
50446+ goto out;
50447+ }
50448
50449 error = PROC_I(inode)->op.proc_get_link(inode, &path);
50450 if (error)
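Review bot: The two branches differ only in the `log` argument, so the `if`/`else` can collapse to one call: `log = !(dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0');` followed by `if (!proc_fd_access_allowed(inode, log)) goto out;`. The name test matches any link served by `proc_pid_readlink()` whose name is `2`, not only entries under `fd/`; the comment should say whether that is intended (the set of users of this handler is outside the hunk). The calls are also written `(inode,0)` without the space after the comma. proc_pid_readlink's body starts and ends outside the hunk.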
50451@@ -1483,7 +1537,11 @@ static struct inode *proc_pid_make_inode
50452 rcu_read_lock();
50453 cred = __task_cred(task);
50454 inode->i_uid = cred->euid;
50455+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50456+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50457+#else
50458 inode->i_gid = cred->egid;
50459+#endif
50460 rcu_read_unlock();
50461 }
50462 security_task_to_inode(task, inode);
50463@@ -1501,6 +1559,9 @@ static int pid_getattr(struct vfsmount *
50464 struct inode *inode = dentry->d_inode;
50465 struct task_struct *task;
50466 const struct cred *cred;
50467+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50468+ const struct cred *tmpcred = current_cred();
50469+#endif
50470
50471 generic_fillattr(inode, stat);
50472
50473@@ -1508,13 +1569,41 @@ static int pid_getattr(struct vfsmount *
50474 stat->uid = 0;
50475 stat->gid = 0;
50476 task = pid_task(proc_pid(inode), PIDTYPE_PID);
50477+
50478+ if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
50479+ rcu_read_unlock();
50480+ return -ENOENT;
50481+ }
50482+
50483 if (task) {
50484+ cred = __task_cred(task);
50485+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50486+ if (!tmpcred->uid || (tmpcred->uid == cred->uid)
50487+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50488+ || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50489+#endif
50490+ ) {
50491+#endif
50492 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50493+#ifdef CONFIG_GRKERNSEC_PROC_USER
50494+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50495+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50496+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50497+#endif
50498 task_dumpable(task)) {
50499- cred = __task_cred(task);
50500 stat->uid = cred->euid;
50501+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50502+ stat->gid = CONFIG_GRKERNSEC_PROC_GID;
50503+#else
50504 stat->gid = cred->egid;
50505+#endif
50506 }
50507+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50508+ } else {
50509+ rcu_read_unlock();
50510+ return -ENOENT;
50511+ }
50512+#endif
50513 }
50514 rcu_read_unlock();
50515 return 0;
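Review bot: The opening `{` of the visibility test and its closing `} else {` sit in two separate `#if` blocks, so the brace structure of `pid_getattr()` can only be checked by preprocessing the file once per configuration. Moving the test into a small helper that is always true when neither option is set leaves a single unconditional `if` here, and makes the `tmpcred` local added in the previous hunk unnecessary. The test compares `tmpcred->uid` with `cred->uid`, while the owner reported a few lines later is `cred->euid`; if that difference is deliberate it deserves a comment. The helper name below is a proposal, and the function body starts outside the hunk.

```c
/* true when current may see the task owning @cred under the /proc restrictions */
static bool gr_proc_may_see(const struct cred *cred)
{
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	const struct cred *tmpcred = current_cred();

	if (tmpcred->uid && tmpcred->uid != cred->uid
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
	    && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
#endif
	   )
		return false;
#endif
	return true;
}

	if (task) {
		cred = __task_cred(task);
		if (!gr_proc_may_see(cred)) {
			rcu_read_unlock();
			return -ENOENT;
		}
		/* … unchanged: i_mode / task_dumpable() test and uid/gid assignment … */
	}
```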
50516@@ -1545,11 +1634,20 @@ static int pid_revalidate(struct dentry
50517
50518 if (task) {
50519 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
50520+#ifdef CONFIG_GRKERNSEC_PROC_USER
50521+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
50522+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50523+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
50524+#endif
50525 task_dumpable(task)) {
50526 rcu_read_lock();
50527 cred = __task_cred(task);
50528 inode->i_uid = cred->euid;
50529+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50530+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50531+#else
50532 inode->i_gid = cred->egid;
50533+#endif
50534 rcu_read_unlock();
50535 } else {
50536 inode->i_uid = 0;
50537@@ -1670,7 +1768,8 @@ static int proc_fd_info(struct inode *in
50538 int fd = proc_fd(inode);
50539
50540 if (task) {
50541- files = get_files_struct(task);
50542+ if (!gr_acl_handle_procpidmem(task))
50543+ files = get_files_struct(task);
50544 put_task_struct(task);
50545 }
50546 if (files) {
50547@@ -1922,12 +2021,22 @@ static const struct file_operations proc
50548 static int proc_fd_permission(struct inode *inode, int mask)
50549 {
50550 int rv;
50551+ struct task_struct *task;
50552
50553 rv = generic_permission(inode, mask, NULL);
50554- if (rv == 0)
50555- return 0;
50556+
50557 if (task_pid(current) == proc_pid(inode))
50558 rv = 0;
50559+
50560+ task = get_proc_task(inode);
50561+ if (task == NULL)
50562+ return rv;
50563+
50564+ if (gr_acl_handle_procpidmem(task))
50565+ rv = -EACCES;
50566+
50567+ put_task_struct(task);
50568+
50569 return rv;
50570 }
50571
50572@@ -2036,6 +2145,9 @@ static struct dentry *proc_pident_lookup
50573 if (!task)
50574 goto out_no_task;
50575
50576+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50577+ goto out;
50578+
50579 /*
50580 * Yes, it does not scale. And it should not. Don't add
50581 * new entries into /proc/<tgid>/ without very good reasons.
50582@@ -2080,6 +2192,9 @@ static int proc_pident_readdir(struct fi
50583 if (!task)
50584 goto out_no_task;
50585
50586+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50587+ goto out;
50588+
50589 ret = 0;
50590 i = filp->f_pos;
50591 switch (i) {
50592@@ -2347,7 +2462,7 @@ static void *proc_self_follow_link(struc
50593 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
50594 void *cookie)
50595 {
50596- char *s = nd_get_link(nd);
50597+ const char *s = nd_get_link(nd);
50598 if (!IS_ERR(s))
50599 __putname(s);
50600 }
50601@@ -2553,7 +2668,7 @@ static const struct pid_entry tgid_base_
50602 #ifdef CONFIG_SCHED_DEBUG
50603 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50604 #endif
50605-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50606+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50607 INF("syscall", S_IRUGO, proc_pid_syscall),
50608 #endif
50609 INF("cmdline", S_IRUGO, proc_pid_cmdline),
50610@@ -2578,10 +2693,10 @@ static const struct pid_entry tgid_base_
50611 #ifdef CONFIG_SECURITY
50612 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50613 #endif
50614-#ifdef CONFIG_KALLSYMS
50615+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50616 INF("wchan", S_IRUGO, proc_pid_wchan),
50617 #endif
50618-#ifdef CONFIG_STACKTRACE
50619+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50620 ONE("stack", S_IRUGO, proc_pid_stack),
50621 #endif
50622 #ifdef CONFIG_SCHEDSTATS
50623@@ -2611,6 +2726,9 @@ static const struct pid_entry tgid_base_
50624 #ifdef CONFIG_TASK_IO_ACCOUNTING
50625 INF("io", S_IRUSR, proc_tgid_io_accounting),
50626 #endif
50627+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50628+ INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
50629+#endif
50630 };
50631
50632 static int proc_tgid_base_readdir(struct file * filp,
50633@@ -2735,7 +2853,14 @@ static struct dentry *proc_pid_instantia
50634 if (!inode)
50635 goto out;
50636
50637+#ifdef CONFIG_GRKERNSEC_PROC_USER
50638+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
50639+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50640+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50641+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
50642+#else
50643 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
50644+#endif
50645 inode->i_op = &proc_tgid_base_inode_operations;
50646 inode->i_fop = &proc_tgid_base_operations;
50647 inode->i_flags|=S_IMMUTABLE;
50648@@ -2777,7 +2902,14 @@ struct dentry *proc_pid_lookup(struct in
50649 if (!task)
50650 goto out;
50651
50652+ if (!has_group_leader_pid(task))
50653+ goto out_put_task;
50654+
50655+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
50656+ goto out_put_task;
50657+
50658 result = proc_pid_instantiate(dir, dentry, task, NULL);
50659+out_put_task:
50660 put_task_struct(task);
50661 out:
50662 return result;
50663@@ -2842,6 +2974,11 @@ int proc_pid_readdir(struct file * filp,
50664 {
50665 unsigned int nr;
50666 struct task_struct *reaper;
50667+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50668+ const struct cred *tmpcred = current_cred();
50669+ const struct cred *itercred;
50670+#endif
50671+ filldir_t __filldir = filldir;
50672 struct tgid_iter iter;
50673 struct pid_namespace *ns;
50674
50675@@ -2865,8 +3002,27 @@ int proc_pid_readdir(struct file * filp,
50676 for (iter = next_tgid(ns, iter);
50677 iter.task;
50678 iter.tgid += 1, iter = next_tgid(ns, iter)) {
50679+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50680+ rcu_read_lock();
50681+ itercred = __task_cred(iter.task);
50682+#endif
50683+ if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
50684+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50685+ || (tmpcred->uid && (itercred->uid != tmpcred->uid)
50686+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50687+ && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
50688+#endif
50689+ )
50690+#endif
50691+ )
50692+ __filldir = &gr_fake_filldir;
50693+ else
50694+ __filldir = filldir;
50695+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50696+ rcu_read_unlock();
50697+#endif
50698 filp->f_pos = iter.tgid + TGID_OFFSET;
50699- if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
50700+ if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
50701 put_task_struct(iter.task);
50702 goto out;
50703 }
50704@@ -2892,7 +3048,7 @@ static const struct pid_entry tid_base_s
50705 #ifdef CONFIG_SCHED_DEBUG
50706 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
50707 #endif
50708-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
50709+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
50710 INF("syscall", S_IRUGO, proc_pid_syscall),
50711 #endif
50712 INF("cmdline", S_IRUGO, proc_pid_cmdline),
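Review bot: The `syscall` entry is compiled out under CONFIG_GRKERNSEC_PROC_MEMMAP with no comment saying why, and the next hunk does the same for `wchan` and `stack` under CONFIG_GRKERNSEC_HIDESYM. A one-line comment at each guard would record the reason, e.g. `/* syscall reports the task's stack pointer and PC, which would undo address randomisation */` and `/* wchan/stack expose kernel symbols and addresses */`. The tid_base_stuff array starts and ends outside these hunks, so whether the per-process table carries the same guards cannot be checked from here.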
50713@@ -2916,10 +3072,10 @@ static const struct pid_entry tid_base_s
50714 #ifdef CONFIG_SECURITY
50715 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
50716 #endif
50717-#ifdef CONFIG_KALLSYMS
50718+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50719 INF("wchan", S_IRUGO, proc_pid_wchan),
50720 #endif
50721-#ifdef CONFIG_STACKTRACE
50722+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50723 ONE("stack", S_IRUGO, proc_pid_stack),
50724 #endif
50725 #ifdef CONFIG_SCHEDSTATS
50726diff -urNp linux-2.6.32.48/fs/proc/cmdline.c linux-2.6.32.48/fs/proc/cmdline.c
50727--- linux-2.6.32.48/fs/proc/cmdline.c 2011-11-08 19:02:43.000000000 -0500
50728+++ linux-2.6.32.48/fs/proc/cmdline.c 2011-11-15 19:59:43.000000000 -0500
50729@@ -23,7 +23,11 @@ static const struct file_operations cmdl
50730
50731 static int __init proc_cmdline_init(void)
50732 {
50733+#ifdef CONFIG_GRKERNSEC_PROC_ADD
50734+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
50735+#else
50736 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
50737+#endif
50738 return 0;
50739 }
50740 module_init(proc_cmdline_init);
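Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_ADD` / `#else` pair around a single call is repeated verbatim in proc_devices_init() in fs/proc/devices.c, and every further restricted entry would need the same four lines. Selecting the creator once in a header keeps the call sites free of preprocessor branches, for example `#define proc_create_restricted proc_create_grsec` with a fallback to `proc_create` when the option is off (the macro name is only a suggestion). Neither branch checks the return value, so a failed registration stays silent; that is inherited from the original code.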
50741diff -urNp linux-2.6.32.48/fs/proc/devices.c linux-2.6.32.48/fs/proc/devices.c
50742--- linux-2.6.32.48/fs/proc/devices.c 2011-11-08 19:02:43.000000000 -0500
50743+++ linux-2.6.32.48/fs/proc/devices.c 2011-11-15 19:59:43.000000000 -0500
50744@@ -64,7 +64,11 @@ static const struct file_operations proc
50745
50746 static int __init proc_devices_init(void)
50747 {
50748+#ifdef CONFIG_GRKERNSEC_PROC_ADD
50749+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
50750+#else
50751 proc_create("devices", 0, NULL, &proc_devinfo_operations);
50752+#endif
50753 return 0;
50754 }
50755 module_init(proc_devices_init);
50756diff -urNp linux-2.6.32.48/fs/proc/inode.c linux-2.6.32.48/fs/proc/inode.c
50757--- linux-2.6.32.48/fs/proc/inode.c 2011-11-08 19:02:43.000000000 -0500
50758+++ linux-2.6.32.48/fs/proc/inode.c 2011-11-15 19:59:43.000000000 -0500
50759@@ -18,12 +18,19 @@
50760 #include <linux/module.h>
50761 #include <linux/smp_lock.h>
50762 #include <linux/sysctl.h>
50763+#include <linux/grsecurity.h>
50764
50765 #include <asm/system.h>
50766 #include <asm/uaccess.h>
50767
50768 #include "internal.h"
50769
50770+#ifdef CONFIG_PROC_SYSCTL
50771+extern const struct inode_operations proc_sys_inode_operations;
50772+extern const struct inode_operations proc_sys_dir_operations;
50773+#endif
50774+
50775+
50776 struct proc_dir_entry *de_get(struct proc_dir_entry *de)
50777 {
50778 atomic_inc(&de->count);
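Review bot: `proc_sys_inode_operations` and `proc_sys_dir_operations` are declared with `extern` directly in inode.c, so the compiler never sees the declaration and the definition in proc_sysctl.c together and a later type change in one place would go unnoticed. Both files include "internal.h", which is the natural home for the two declarations (still under `#ifdef CONFIG_PROC_SYSCTL`). The same applies to the `extern __u32 gr_handle_sysctl(...)` prototype added at the top of fs/proc/proc_sysctl.c; whether `<linux/grsecurity.h>` already declares it is not visible here. The hunk also leaves two consecutive blank lines before de_get().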
50779@@ -62,6 +69,13 @@ static void proc_delete_inode(struct ino
50780 de_put(de);
50781 if (PROC_I(inode)->sysctl)
50782 sysctl_head_put(PROC_I(inode)->sysctl);
50783+
50784+#ifdef CONFIG_PROC_SYSCTL
50785+ if (inode->i_op == &proc_sys_inode_operations ||
50786+ inode->i_op == &proc_sys_dir_operations)
50787+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
50788+#endif
50789+
50790 clear_inode(inode);
50791 }
50792
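Review bot: The added block recognises sysctl inodes by comparing `inode->i_op` against two operation tables, which is the only visible reason those tables lose their `static` in proc_sysctl.c. The line just above already tests `PROC_I(inode)->sysctl`; if that field is set for exactly the inodes created by proc_sysctl.c (not verifiable from this hunk), calling `gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);` inside that branch, before `sysctl_head_put()`, would avoid exporting the tables. Either way a short comment should state why only sysctl inodes are reported to gr_handle_delete().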
50793@@ -457,7 +471,11 @@ struct inode *proc_get_inode(struct supe
50794 if (de->mode) {
50795 inode->i_mode = de->mode;
50796 inode->i_uid = de->uid;
50797+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
50798+ inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
50799+#else
50800 inode->i_gid = de->gid;
50801+#endif
50802 }
50803 if (de->size)
50804 inode->i_size = de->size;
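Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the assignment `inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;` replaces `de->gid` for every entry that has a mode, so a group set by the entry's creator no longer takes effect. A comment such as `/* all /proc entries are group-owned by the configured proc GID; de->gid is ignored */` would make that visible to anyone who later sets `de->gid`. proc_get_inode() begins and ends outside the hunk.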
50805diff -urNp linux-2.6.32.48/fs/proc/internal.h linux-2.6.32.48/fs/proc/internal.h
50806--- linux-2.6.32.48/fs/proc/internal.h 2011-11-08 19:02:43.000000000 -0500
50807+++ linux-2.6.32.48/fs/proc/internal.h 2011-11-15 19:59:43.000000000 -0500
50808@@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
50809 struct pid *pid, struct task_struct *task);
50810 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
50811 struct pid *pid, struct task_struct *task);
50812+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
50813+extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
50814+#endif
50815 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
50816
50817 extern const struct file_operations proc_maps_operations;
50818diff -urNp linux-2.6.32.48/fs/proc/Kconfig linux-2.6.32.48/fs/proc/Kconfig
50819--- linux-2.6.32.48/fs/proc/Kconfig 2011-11-08 19:02:43.000000000 -0500
50820+++ linux-2.6.32.48/fs/proc/Kconfig 2011-11-15 19:59:43.000000000 -0500
50821@@ -30,12 +30,12 @@ config PROC_FS
50822
50823 config PROC_KCORE
50824 bool "/proc/kcore support" if !ARM
50825- depends on PROC_FS && MMU
50826+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
50827
50828 config PROC_VMCORE
50829 bool "/proc/vmcore support (EXPERIMENTAL)"
50830- depends on PROC_FS && CRASH_DUMP
50831- default y
50832+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
50833+ default n
50834 help
50835 Exports the dump image of crashed kernel in ELF format.
50836
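Review bot: For PROC_VMCORE the hunk replaces `default y` with `default n`, but an option without a default line already defaults to n, so the line can simply be dropped; the same applies to PROC_PAGE_MONITOR in the next hunk. More useful would be a sentence in each help text saying that the option is unavailable when GRKERNSEC (or GRKERNSEC_PROC_ADD, for PROC_KCORE) is enabled, since a hidden symbol gives the person configuring the kernel no hint why it disappeared.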
50837@@ -59,8 +59,8 @@ config PROC_SYSCTL
50838 limited in memory.
50839
50840 config PROC_PAGE_MONITOR
50841- default y
50842- depends on PROC_FS && MMU
50843+ default n
50844+ depends on PROC_FS && MMU && !GRKERNSEC
50845 bool "Enable /proc page monitoring" if EMBEDDED
50846 help
50847 Various /proc files exist to monitor process memory utilization:
50848diff -urNp linux-2.6.32.48/fs/proc/kcore.c linux-2.6.32.48/fs/proc/kcore.c
50849--- linux-2.6.32.48/fs/proc/kcore.c 2011-11-08 19:02:43.000000000 -0500
50850+++ linux-2.6.32.48/fs/proc/kcore.c 2011-11-15 19:59:43.000000000 -0500
50851@@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
50852 off_t offset = 0;
50853 struct kcore_list *m;
50854
50855+ pax_track_stack();
50856+
50857 /* setup ELF header */
50858 elf = (struct elfhdr *) bufp;
50859 bufp += sizeof(struct elfhdr);
50860@@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
50861 * the addresses in the elf_phdr on our list.
50862 */
50863 start = kc_offset_to_vaddr(*fpos - elf_buflen);
50864- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
50865+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
50866+ if (tsz > buflen)
50867 tsz = buflen;
50868-
50869+
50870 while (buflen) {
50871 struct kcore_list *m;
50872
50873@@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
50874 kfree(elf_buf);
50875 } else {
50876 if (kern_addr_valid(start)) {
50877- unsigned long n;
50878+ char *elf_buf;
50879+ mm_segment_t oldfs;
50880
50881- n = copy_to_user(buffer, (char *)start, tsz);
50882- /*
50883- * We cannot distingush between fault on source
50884- * and fault on destination. When this happens
50885- * we clear too and hope it will trigger the
50886- * EFAULT again.
50887- */
50888- if (n) {
50889- if (clear_user(buffer + tsz - n,
50890- n))
50891+ elf_buf = kmalloc(tsz, GFP_KERNEL);
50892+ if (!elf_buf)
50893+ return -ENOMEM;
50894+ oldfs = get_fs();
50895+ set_fs(KERNEL_DS);
50896+ if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
50897+ set_fs(oldfs);
50898+ if (copy_to_user(buffer, elf_buf, tsz)) {
50899+ kfree(elf_buf);
50900 return -EFAULT;
50901+ }
50902 }
50903+ set_fs(oldfs);
50904+ kfree(elf_buf);
50905 } else {
50906 if (clear_user(buffer, tsz))
50907 return -EFAULT;
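Review bot: When `__copy_from_user()` reports a fault on the kernel source address, the new branch writes nothing to `buffer`: the `if` body is skipped and only `set_fs(oldfs)` and `kfree()` run, whereas the removed code cleared the affected user bytes. The rest of the loop is outside this hunk, so if it still advances `buffer` and the byte count for this chunk, the caller is handed whatever its buffer held before as if it were kernel data. Clearing the chunk on a source fault, as the `else` branch below already does for invalid addresses, keeps the result well defined. Restoring the address limit immediately after the read also removes the double `set_fs(oldfs)` on the success path, and a name other than `elf_buf` avoids confusion with the ELF header buffer freed a few lines earlier.

```c
		if (kern_addr_valid(start)) {
			char *bounce;
			mm_segment_t oldfs;
			unsigned long left;

			bounce = kmalloc(tsz, GFP_KERNEL);
			if (!bounce)
				return -ENOMEM;
			oldfs = get_fs();
			set_fs(KERNEL_DS);
			left = __copy_from_user(bounce, (const void __user *)start, tsz);
			set_fs(oldfs);	/* restore the limit before touching user memory */
			if (left)
				/* source fault: return zeroes, never stale user data */
				left = clear_user(buffer, tsz);
			else
				left = copy_to_user(buffer, bounce, tsz);
			kfree(bounce);
			if (left)
				return -EFAULT;
		} else {
			/* … unchanged: clear_user() for addresses that are not valid … */
```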
50908@@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
50909
50910 static int open_kcore(struct inode *inode, struct file *filp)
50911 {
50912+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
50913+ return -EPERM;
50914+#endif
50915 if (!capable(CAP_SYS_RAWIO))
50916 return -EPERM;
50917 if (kcore_need_update)
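Review bot: With CONFIG_GRKERNSEC_PROC_ADD or CONFIG_GRKERNSEC_HIDESYM set, the added `return -EPERM;` leaves the rest of open_kcore() as unreachable code; putting the original body under `#else` makes the two configurations explicit. The Kconfig change in this patch disables PROC_KCORE only for GRKERNSEC_PROC_ADD, so a HIDESYM-only kernel can still build kcore support and, presumably, still list a /proc/kcore that can never be opened; adding `&& !GRKERNSEC_HIDESYM` to the PROC_KCORE dependency would be consistent. The function continues outside the hunk.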
50918diff -urNp linux-2.6.32.48/fs/proc/meminfo.c linux-2.6.32.48/fs/proc/meminfo.c
50919--- linux-2.6.32.48/fs/proc/meminfo.c 2011-11-08 19:02:43.000000000 -0500
50920+++ linux-2.6.32.48/fs/proc/meminfo.c 2011-11-15 19:59:43.000000000 -0500
50921@@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
50922 unsigned long pages[NR_LRU_LISTS];
50923 int lru;
50924
50925+ pax_track_stack();
50926+
50927 /*
50928 * display in kilobytes.
50929 */
50930@@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
50931 vmi.used >> 10,
50932 vmi.largest_chunk >> 10
50933 #ifdef CONFIG_MEMORY_FAILURE
50934- ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
50935+ ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
50936 #endif
50937 );
50938
50939diff -urNp linux-2.6.32.48/fs/proc/nommu.c linux-2.6.32.48/fs/proc/nommu.c
50940--- linux-2.6.32.48/fs/proc/nommu.c 2011-11-08 19:02:43.000000000 -0500
50941+++ linux-2.6.32.48/fs/proc/nommu.c 2011-11-15 19:59:43.000000000 -0500
50942@@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
50943 if (len < 1)
50944 len = 1;
50945 seq_printf(m, "%*c", len, ' ');
50946- seq_path(m, &file->f_path, "");
50947+ seq_path(m, &file->f_path, "\n\\");
50948 }
50949
50950 seq_putc(m, '\n');
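Review bot: The escape set `"\n\\"` passed to seq_path() is now a literal repeated at three call sites: here, in show_map_vma() in fs/proc/task_mmu.c and in nommu_vma_show() in fs/proc/task_nommu.c. A shared named constant with a comment, e.g. `/* escape newline and backslash so a file name cannot forge extra lines in the listing */`, would keep the three in step and record why the previous escape sets were not enough. nommu_region_show() starts outside the hunk.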
50951diff -urNp linux-2.6.32.48/fs/proc/proc_net.c linux-2.6.32.48/fs/proc/proc_net.c
50952--- linux-2.6.32.48/fs/proc/proc_net.c 2011-11-08 19:02:43.000000000 -0500
50953+++ linux-2.6.32.48/fs/proc/proc_net.c 2011-11-15 19:59:43.000000000 -0500
50954@@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
50955 struct task_struct *task;
50956 struct nsproxy *ns;
50957 struct net *net = NULL;
50958+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50959+ const struct cred *cred = current_cred();
50960+#endif
50961+
50962+#ifdef CONFIG_GRKERNSEC_PROC_USER
50963+ if (cred->fsuid)
50964+ return net;
50965+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50966+ if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
50967+ return net;
50968+#endif
50969
50970 rcu_read_lock();
50971 task = pid_task(proc_pid(dir), PIDTYPE_PID);
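Review bot: The two early exits return `net`, which is NULL only because of the initialiser a few lines above; `return NULL;` states the result directly and stays correct if the initialiser or the statement order changes. A comment above the block would also help, e.g. `/* callers without root fsuid (or proc-group membership) get no net namespace */`. How the callers of get_proc_task_net() handle the NULL result is outside this hunk.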
50972diff -urNp linux-2.6.32.48/fs/proc/proc_sysctl.c linux-2.6.32.48/fs/proc/proc_sysctl.c
50973--- linux-2.6.32.48/fs/proc/proc_sysctl.c 2011-11-08 19:02:43.000000000 -0500
50974+++ linux-2.6.32.48/fs/proc/proc_sysctl.c 2011-11-18 18:45:06.000000000 -0500
50975@@ -7,11 +7,13 @@
50976 #include <linux/security.h>
50977 #include "internal.h"
50978
50979+extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
50980+
50981 static const struct dentry_operations proc_sys_dentry_operations;
50982 static const struct file_operations proc_sys_file_operations;
50983-static const struct inode_operations proc_sys_inode_operations;
50984+const struct inode_operations proc_sys_inode_operations;
50985 static const struct file_operations proc_sys_dir_file_operations;
50986-static const struct inode_operations proc_sys_dir_operations;
50987+const struct inode_operations proc_sys_dir_operations;
50988
50989 static struct inode *proc_sys_make_inode(struct super_block *sb,
50990 struct ctl_table_header *head, struct ctl_table *table)
50991@@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
50992 if (!p)
50993 goto out;
50994
50995+ if (gr_handle_sysctl(p, MAY_EXEC))
50996+ goto out;
50997+
50998 err = ERR_PTR(-ENOMEM);
50999 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
51000 if (h)
51001@@ -119,6 +124,9 @@ static struct dentry *proc_sys_lookup(st
51002
51003 err = NULL;
51004 dentry->d_op = &proc_sys_dentry_operations;
51005+
51006+ gr_handle_proc_create(dentry, inode);
51007+
51008 d_add(dentry, inode);
51009
51010 out:
51011@@ -200,6 +208,9 @@ static int proc_sys_fill_cache(struct fi
51012 return -ENOMEM;
51013 } else {
51014 child->d_op = &proc_sys_dentry_operations;
51015+
51016+ gr_handle_proc_create(child, inode);
51017+
51018 d_add(child, inode);
51019 }
51020 } else {
51021@@ -228,6 +239,9 @@ static int scan(struct ctl_table_header
51022 if (*pos < file->f_pos)
51023 continue;
51024
51025+ if (gr_handle_sysctl(table, 0))
51026+ continue;
51027+
51028 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
51029 if (res)
51030 return res;
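Review bot: scan() calls `gr_handle_sysctl(table, 0)` while proc_sys_lookup() and proc_sys_getattr() in this patch pass `MAY_EXEC`, and nothing on the page says what an `op` of 0 means. A named constant or a one-line comment at this call stating the intended meaning of the zero would remove the guesswork; the semantics cannot be determined from the visible lines. scan() starts and ends outside the hunk.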
51031@@ -344,6 +358,9 @@ static int proc_sys_getattr(struct vfsmo
51032 if (IS_ERR(head))
51033 return PTR_ERR(head);
51034
51035+ if (table && gr_handle_sysctl(table, MAY_EXEC))
51036+ return -ENOENT;
51037+
51038 generic_fillattr(inode, stat);
51039 if (table)
51040 stat->mode = (stat->mode & S_IFMT) | table->mode;
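Review bot: The added `return -ENOENT;` runs after `head` has been obtained and checked with IS_ERR(), so if proc_sys_getattr() releases that header before its normal return (the end of the function is outside the hunk; mainline does so with `sysctl_head_finish(head)`), this early exit leaks the reference. A header whose use count never drops would presumably also hold up unregistering its table. The exit should release it first: `if (table && gr_handle_sysctl(table, MAY_EXEC)) { sysctl_head_finish(head); return -ENOENT; }`.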
51041@@ -358,17 +375,18 @@ static const struct file_operations proc
51042 };
51043
51044 static const struct file_operations proc_sys_dir_file_operations = {
51045+ .read = generic_read_dir,
51046 .readdir = proc_sys_readdir,
51047 .llseek = generic_file_llseek,
51048 };
51049
51050-static const struct inode_operations proc_sys_inode_operations = {
51051+const struct inode_operations proc_sys_inode_operations = {
51052 .permission = proc_sys_permission,
51053 .setattr = proc_sys_setattr,
51054 .getattr = proc_sys_getattr,
51055 };
51056
51057-static const struct inode_operations proc_sys_dir_operations = {
51058+const struct inode_operations proc_sys_dir_operations = {
51059 .lookup = proc_sys_lookup,
51060 .permission = proc_sys_permission,
51061 .setattr = proc_sys_setattr,
51062diff -urNp linux-2.6.32.48/fs/proc/root.c linux-2.6.32.48/fs/proc/root.c
51063--- linux-2.6.32.48/fs/proc/root.c 2011-11-08 19:02:43.000000000 -0500
51064+++ linux-2.6.32.48/fs/proc/root.c 2011-11-15 19:59:43.000000000 -0500
51065@@ -134,7 +134,15 @@ void __init proc_root_init(void)
51066 #ifdef CONFIG_PROC_DEVICETREE
51067 proc_device_tree_init();
51068 #endif
51069+#ifdef CONFIG_GRKERNSEC_PROC_ADD
51070+#ifdef CONFIG_GRKERNSEC_PROC_USER
51071+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
51072+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51073+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
51074+#endif
51075+#else
51076 proc_mkdir("bus", NULL);
51077+#endif
51078 proc_sys_init();
51079 }
51080
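Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` selects nothing and /proc/bus is never created. If Kconfig guarantees that combination cannot occur (not visible here), an inner `#else` with `#error` would document it; otherwise the inner conditional needs a fallback, `#else` followed by `proc_mkdir("bus", NULL);`. The return value of proc_mkdir_mode() is ignored in both new branches, as it was for proc_mkdir().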
51081diff -urNp linux-2.6.32.48/fs/proc/task_mmu.c linux-2.6.32.48/fs/proc/task_mmu.c
51082--- linux-2.6.32.48/fs/proc/task_mmu.c 2011-11-08 19:02:43.000000000 -0500
51083+++ linux-2.6.32.48/fs/proc/task_mmu.c 2011-11-15 19:59:43.000000000 -0500
51084@@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
51085 "VmStk:\t%8lu kB\n"
51086 "VmExe:\t%8lu kB\n"
51087 "VmLib:\t%8lu kB\n"
51088- "VmPTE:\t%8lu kB\n",
51089- hiwater_vm << (PAGE_SHIFT-10),
51090+ "VmPTE:\t%8lu kB\n"
51091+
51092+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
51093+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
51094+#endif
51095+
51096+ ,hiwater_vm << (PAGE_SHIFT-10),
51097 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
51098 mm->locked_vm << (PAGE_SHIFT-10),
51099 hiwater_rss << (PAGE_SHIFT-10),
51100 total_rss << (PAGE_SHIFT-10),
51101 data << (PAGE_SHIFT-10),
51102 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
51103- (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
51104+ (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
51105+
51106+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
51107+ , mm->context.user_cs_base, mm->context.user_cs_limit
51108+#endif
51109+
51110+ );
51111 }
51112
51113 unsigned long task_vsize(struct mm_struct *mm)
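Review bot: The new `CsBase`/`CsLim` lines print `mm->context.user_cs_base` and `mm->context.user_cs_limit` to every reader of this output, whereas show_map_vma() later in the same file zeroes addresses for another task's mm when CONFIG_GRKERNSEC_PROC_MEMMAP is on. It is worth confirming that these two values do not reveal layout that the maps masking is meant to hide, and masking them the same way if they do. The values are passed to `%8lx`, so the fields must be `unsigned long`; their declaration is not visible here. The leading comma in `,hiwater_vm << (PAGE_SHIFT-10),` also departs from the style of the surrounding call.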
51114@@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
51115 struct proc_maps_private *priv = m->private;
51116 struct vm_area_struct *vma = v;
51117
51118- vma_stop(priv, vma);
51119+ if (!IS_ERR(vma))
51120+ vma_stop(priv, vma);
51121 if (priv->task)
51122 put_task_struct(priv->task);
51123 }
51124@@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
51125 return ret;
51126 }
51127
51128+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51129+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
51130+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
51131+ _mm->pax_flags & MF_PAX_SEGMEXEC))
51132+#endif
51133+
51134 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
51135 {
51136 struct mm_struct *mm = vma->vm_mm;
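Review bot: `PAX_RAND_FLAGS` uses its argument four times without parentheses and is defined only when CONFIG_GRKERNSEC_PROC_MEMMAP is set, which is why show_map_vma() and show_smap() below need `#ifdef` blocks inside argument lists and around an opening brace. Parenthesising the argument and testing both flags in one mask, `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`, plus an `#else` branch defining `PAX_RAND_FLAGS(_mm)` as `0`, would let those call sites drop their conditionals. A comment should state the intent, e.g. `/* true when another task's randomised layout must not be shown to the reader */`.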
51137@@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
51138 int flags = vma->vm_flags;
51139 unsigned long ino = 0;
51140 unsigned long long pgoff = 0;
51141- unsigned long start;
51142 dev_t dev = 0;
51143 int len;
51144
51145@@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
51146 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
51147 }
51148
51149- /* We don't show the stack guard page in /proc/maps */
51150- start = vma->vm_start;
51151- if (vma->vm_flags & VM_GROWSDOWN)
51152- if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
51153- start += PAGE_SIZE;
51154-
51155 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
51156- start,
51157+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51158+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
51159+ PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
51160+#else
51161+ vma->vm_start,
51162 vma->vm_end,
51163+#endif
51164 flags & VM_READ ? 'r' : '-',
51165 flags & VM_WRITE ? 'w' : '-',
51166 flags & VM_EXEC ? 'x' : '-',
51167 flags & VM_MAYSHARE ? 's' : 'p',
51168+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51169+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
51170+#else
51171 pgoff,
51172+#endif
51173 MAJOR(dev), MINOR(dev), ino, &len);
51174
51175 /*
51176@@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
51177 */
51178 if (file) {
51179 pad_len_spaces(m, len);
51180- seq_path(m, &file->f_path, "\n");
51181+ seq_path(m, &file->f_path, "\n\\");
51182 } else {
51183 const char *name = arch_vma_name(vma);
51184 if (!name) {
51185@@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
51186 if (vma->vm_start <= mm->brk &&
51187 vma->vm_end >= mm->start_brk) {
51188 name = "[heap]";
51189- } else if (vma->vm_start <= mm->start_stack &&
51190- vma->vm_end >= mm->start_stack) {
51191+ } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
51192+ (vma->vm_start <= mm->start_stack &&
51193+ vma->vm_end >= mm->start_stack)) {
51194 name = "[stack]";
51195 }
51196 } else {
51197@@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
51198 };
51199
51200 memset(&mss, 0, sizeof mss);
51201- mss.vma = vma;
51202- if (vma->vm_mm && !is_vm_hugetlb_page(vma))
51203- walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
51204+
51205+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51206+ if (!PAX_RAND_FLAGS(vma->vm_mm)) {
51207+#endif
51208+ mss.vma = vma;
51209+ if (vma->vm_mm && !is_vm_hugetlb_page(vma))
51210+ walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
51211+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51212+ }
51213+#endif
51214
51215 show_map_vma(m, vma);
51216
51217@@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
51218 "Swap: %8lu kB\n"
51219 "KernelPageSize: %8lu kB\n"
51220 "MMUPageSize: %8lu kB\n",
51221+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51222+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
51223+#else
51224 (vma->vm_end - vma->vm_start) >> 10,
51225+#endif
51226 mss.resident >> 10,
51227 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
51228 mss.shared_clean >> 10,
51229diff -urNp linux-2.6.32.48/fs/proc/task_nommu.c linux-2.6.32.48/fs/proc/task_nommu.c
51230--- linux-2.6.32.48/fs/proc/task_nommu.c 2011-11-08 19:02:43.000000000 -0500
51231+++ linux-2.6.32.48/fs/proc/task_nommu.c 2011-11-15 19:59:43.000000000 -0500
51232@@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
51233 else
51234 bytes += kobjsize(mm);
51235
51236- if (current->fs && current->fs->users > 1)
51237+ if (current->fs && atomic_read(&current->fs->users) > 1)
51238 sbytes += kobjsize(current->fs);
51239 else
51240 bytes += kobjsize(current->fs);
51241@@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
51242 if (len < 1)
51243 len = 1;
51244 seq_printf(m, "%*c", len, ' ');
51245- seq_path(m, &file->f_path, "");
51246+ seq_path(m, &file->f_path, "\n\\");
51247 }
51248
51249 seq_putc(m, '\n');
51250diff -urNp linux-2.6.32.48/fs/readdir.c linux-2.6.32.48/fs/readdir.c
51251--- linux-2.6.32.48/fs/readdir.c 2011-11-08 19:02:43.000000000 -0500
51252+++ linux-2.6.32.48/fs/readdir.c 2011-11-15 19:59:43.000000000 -0500
51253@@ -16,6 +16,7 @@
51254 #include <linux/security.h>
51255 #include <linux/syscalls.h>
51256 #include <linux/unistd.h>
51257+#include <linux/namei.h>
51258
51259 #include <asm/uaccess.h>
51260
51261@@ -67,6 +68,7 @@ struct old_linux_dirent {
51262
51263 struct readdir_callback {
51264 struct old_linux_dirent __user * dirent;
51265+ struct file * file;
51266 int result;
51267 };
51268
51269@@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
51270 buf->result = -EOVERFLOW;
51271 return -EOVERFLOW;
51272 }
51273+
51274+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51275+ return 0;
51276+
51277 buf->result++;
51278 dirent = buf->dirent;
51279 if (!access_ok(VERIFY_WRITE, dirent,
51280@@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
51281
51282 buf.result = 0;
51283 buf.dirent = dirent;
51284+ buf.file = file;
51285
51286 error = vfs_readdir(file, fillonedir, &buf);
51287 if (buf.result)
51288@@ -142,6 +149,7 @@ struct linux_dirent {
51289 struct getdents_callback {
51290 struct linux_dirent __user * current_dir;
51291 struct linux_dirent __user * previous;
51292+ struct file * file;
51293 int count;
51294 int error;
51295 };
51296@@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
51297 buf->error = -EOVERFLOW;
51298 return -EOVERFLOW;
51299 }
51300+
51301+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51302+ return 0;
51303+
51304 dirent = buf->previous;
51305 if (dirent) {
51306 if (__put_user(offset, &dirent->d_off))
51307@@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
51308 buf.previous = NULL;
51309 buf.count = count;
51310 buf.error = 0;
51311+ buf.file = file;
51312
51313 error = vfs_readdir(file, filldir, &buf);
51314 if (error >= 0)
51315@@ -228,6 +241,7 @@ out:
51316 struct getdents_callback64 {
51317 struct linux_dirent64 __user * current_dir;
51318 struct linux_dirent64 __user * previous;
51319+ struct file *file;
51320 int count;
51321 int error;
51322 };
51323@@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
51324 buf->error = -EINVAL; /* only used if we fail.. */
51325 if (reclen > buf->count)
51326 return -EINVAL;
51327+
51328+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
51329+ return 0;
51330+
51331 dirent = buf->previous;
51332 if (dirent) {
51333 if (__put_user(offset, &dirent->d_off))
51334@@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
51335
51336 buf.current_dir = dirent;
51337 buf.previous = NULL;
51338+ buf.file = file;
51339 buf.count = count;
51340 buf.error = 0;
51341
51342@@ -297,7 +316,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
51343 error = buf.error;
51344 lastdirent = buf.previous;
51345 if (lastdirent) {
51346- typeof(lastdirent->d_off) d_off = file->f_pos;
51347+ typeof(((struct linux_dirent64 *)0)->d_off) d_off = file->f_pos;
51348 if (__put_user(d_off, &lastdirent->d_off))
51349 error = -EFAULT;
51350 else
51351diff -urNp linux-2.6.32.48/fs/reiserfs/dir.c linux-2.6.32.48/fs/reiserfs/dir.c
51352--- linux-2.6.32.48/fs/reiserfs/dir.c 2011-11-08 19:02:43.000000000 -0500
51353+++ linux-2.6.32.48/fs/reiserfs/dir.c 2011-11-15 19:59:43.000000000 -0500
51354@@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
51355 struct reiserfs_dir_entry de;
51356 int ret = 0;
51357
51358+ pax_track_stack();
51359+
51360 reiserfs_write_lock(inode->i_sb);
51361
51362 reiserfs_check_lock_depth(inode->i_sb, "readdir");
51363diff -urNp linux-2.6.32.48/fs/reiserfs/do_balan.c linux-2.6.32.48/fs/reiserfs/do_balan.c
51364--- linux-2.6.32.48/fs/reiserfs/do_balan.c 2011-11-08 19:02:43.000000000 -0500
51365+++ linux-2.6.32.48/fs/reiserfs/do_balan.c 2011-11-15 19:59:43.000000000 -0500
51366@@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
51367 return;
51368 }
51369
51370- atomic_inc(&(fs_generation(tb->tb_sb)));
51371+ atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
51372 do_balance_starts(tb);
51373
51374 /* balance leaf returns 0 except if combining L R and S into
51375diff -urNp linux-2.6.32.48/fs/reiserfs/item_ops.c linux-2.6.32.48/fs/reiserfs/item_ops.c
51376--- linux-2.6.32.48/fs/reiserfs/item_ops.c 2011-11-08 19:02:43.000000000 -0500
51377+++ linux-2.6.32.48/fs/reiserfs/item_ops.c 2011-11-15 19:59:43.000000000 -0500
51378@@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
51379 vi->vi_index, vi->vi_type, vi->vi_ih);
51380 }
51381
51382-static struct item_operations stat_data_ops = {
51383+static const struct item_operations stat_data_ops = {
51384 .bytes_number = sd_bytes_number,
51385 .decrement_key = sd_decrement_key,
51386 .is_left_mergeable = sd_is_left_mergeable,
51387@@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
51388 vi->vi_index, vi->vi_type, vi->vi_ih);
51389 }
51390
51391-static struct item_operations direct_ops = {
51392+static const struct item_operations direct_ops = {
51393 .bytes_number = direct_bytes_number,
51394 .decrement_key = direct_decrement_key,
51395 .is_left_mergeable = direct_is_left_mergeable,
51396@@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
51397 vi->vi_index, vi->vi_type, vi->vi_ih);
51398 }
51399
51400-static struct item_operations indirect_ops = {
51401+static const struct item_operations indirect_ops = {
51402 .bytes_number = indirect_bytes_number,
51403 .decrement_key = indirect_decrement_key,
51404 .is_left_mergeable = indirect_is_left_mergeable,
51405@@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
51406 printk("\n");
51407 }
51408
51409-static struct item_operations direntry_ops = {
51410+static const struct item_operations direntry_ops = {
51411 .bytes_number = direntry_bytes_number,
51412 .decrement_key = direntry_decrement_key,
51413 .is_left_mergeable = direntry_is_left_mergeable,
51414@@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
51415 "Invalid item type observed, run fsck ASAP");
51416 }
51417
51418-static struct item_operations errcatch_ops = {
51419+static const struct item_operations errcatch_ops = {
51420 errcatch_bytes_number,
51421 errcatch_decrement_key,
51422 errcatch_is_left_mergeable,
51423@@ -746,7 +746,7 @@ static struct item_operations errcatch_o
51424 #error Item types must use disk-format assigned values.
51425 #endif
51426
51427-struct item_operations *item_ops[TYPE_ANY + 1] = {
51428+const struct item_operations * const item_ops[TYPE_ANY + 1] = {
51429 &stat_data_ops,
51430 &indirect_ops,
51431 &direct_ops,
51432diff -urNp linux-2.6.32.48/fs/reiserfs/journal.c linux-2.6.32.48/fs/reiserfs/journal.c
51433--- linux-2.6.32.48/fs/reiserfs/journal.c 2011-11-08 19:02:43.000000000 -0500
51434+++ linux-2.6.32.48/fs/reiserfs/journal.c 2011-11-15 19:59:43.000000000 -0500
51435@@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
51436 struct buffer_head *bh;
51437 int i, j;
51438
51439+ pax_track_stack();
51440+
51441 bh = __getblk(dev, block, bufsize);
51442 if (buffer_uptodate(bh))
51443 return (bh);
51444diff -urNp linux-2.6.32.48/fs/reiserfs/namei.c linux-2.6.32.48/fs/reiserfs/namei.c
51445--- linux-2.6.32.48/fs/reiserfs/namei.c 2011-11-08 19:02:43.000000000 -0500
51446+++ linux-2.6.32.48/fs/reiserfs/namei.c 2011-11-15 19:59:43.000000000 -0500
51447@@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
51448 unsigned long savelink = 1;
51449 struct timespec ctime;
51450
51451+ pax_track_stack();
51452+
51453 /* three balancings: (1) old name removal, (2) new name insertion
51454 and (3) maybe "save" link insertion
51455 stat data updates: (1) old directory,
51456diff -urNp linux-2.6.32.48/fs/reiserfs/procfs.c linux-2.6.32.48/fs/reiserfs/procfs.c
51457--- linux-2.6.32.48/fs/reiserfs/procfs.c 2011-11-08 19:02:43.000000000 -0500
51458+++ linux-2.6.32.48/fs/reiserfs/procfs.c 2011-11-15 19:59:43.000000000 -0500
51459@@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
51460 "SMALL_TAILS " : "NO_TAILS ",
51461 replay_only(sb) ? "REPLAY_ONLY " : "",
51462 convert_reiserfs(sb) ? "CONV " : "",
51463- atomic_read(&r->s_generation_counter),
51464+ atomic_read_unchecked(&r->s_generation_counter),
51465 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
51466 SF(s_do_balance), SF(s_unneeded_left_neighbor),
51467 SF(s_good_search_by_key_reada), SF(s_bmaps),
51468@@ -309,6 +309,8 @@ static int show_journal(struct seq_file
51469 struct journal_params *jp = &rs->s_v1.s_journal;
51470 char b[BDEVNAME_SIZE];
51471
51472+ pax_track_stack();
51473+
51474 seq_printf(m, /* on-disk fields */
51475 "jp_journal_1st_block: \t%i\n"
51476 "jp_journal_dev: \t%s[%x]\n"
51477diff -urNp linux-2.6.32.48/fs/reiserfs/stree.c linux-2.6.32.48/fs/reiserfs/stree.c
51478--- linux-2.6.32.48/fs/reiserfs/stree.c 2011-11-08 19:02:43.000000000 -0500
51479+++ linux-2.6.32.48/fs/reiserfs/stree.c 2011-11-15 19:59:43.000000000 -0500
51480@@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
51481 int iter = 0;
51482 #endif
51483
51484+ pax_track_stack();
51485+
51486 BUG_ON(!th->t_trans_id);
51487
51488 init_tb_struct(th, &s_del_balance, sb, path,
51489@@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
51490 int retval;
51491 int quota_cut_bytes = 0;
51492
51493+ pax_track_stack();
51494+
51495 BUG_ON(!th->t_trans_id);
51496
51497 le_key2cpu_key(&cpu_key, key);
51498@@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
51499 int quota_cut_bytes;
51500 loff_t tail_pos = 0;
51501
51502+ pax_track_stack();
51503+
51504 BUG_ON(!th->t_trans_id);
51505
51506 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
51507@@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
51508 int retval;
51509 int fs_gen;
51510
51511+ pax_track_stack();
51512+
51513 BUG_ON(!th->t_trans_id);
51514
51515 fs_gen = get_generation(inode->i_sb);
51516@@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
51517 int fs_gen = 0;
51518 int quota_bytes = 0;
51519
51520+ pax_track_stack();
51521+
51522 BUG_ON(!th->t_trans_id);
51523
51524 if (inode) { /* Do we count quotas for item? */
51525diff -urNp linux-2.6.32.48/fs/reiserfs/super.c linux-2.6.32.48/fs/reiserfs/super.c
51526--- linux-2.6.32.48/fs/reiserfs/super.c 2011-11-08 19:02:43.000000000 -0500
51527+++ linux-2.6.32.48/fs/reiserfs/super.c 2011-11-15 19:59:43.000000000 -0500
51528@@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
51529 {.option_name = NULL}
51530 };
51531
51532+ pax_track_stack();
51533+
51534 *blocks = 0;
51535 if (!options || !*options)
51536 /* use default configuration: create tails, journaling on, no
51537diff -urNp linux-2.6.32.48/fs/select.c linux-2.6.32.48/fs/select.c
51538--- linux-2.6.32.48/fs/select.c 2011-11-08 19:02:43.000000000 -0500
51539+++ linux-2.6.32.48/fs/select.c 2011-11-15 19:59:43.000000000 -0500
51540@@ -20,6 +20,7 @@
51541 #include <linux/module.h>
51542 #include <linux/slab.h>
51543 #include <linux/poll.h>
51544+#include <linux/security.h>
51545 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
51546 #include <linux/file.h>
51547 #include <linux/fdtable.h>
51548@@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
51549 int retval, i, timed_out = 0;
51550 unsigned long slack = 0;
51551
51552+ pax_track_stack();
51553+
51554 rcu_read_lock();
51555 retval = max_select_fd(n, fds);
51556 rcu_read_unlock();
51557@@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
51558 /* Allocate small arguments on the stack to save memory and be faster */
51559 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
51560
51561+ pax_track_stack();
51562+
51563 ret = -EINVAL;
51564 if (n < 0)
51565 goto out_nofds;
51566@@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
51567 struct poll_list *walk = head;
51568 unsigned long todo = nfds;
51569
51570+ pax_track_stack();
51571+
51572+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
51573 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
51574 return -EINVAL;
51575
51576diff -urNp linux-2.6.32.48/fs/seq_file.c linux-2.6.32.48/fs/seq_file.c
51577--- linux-2.6.32.48/fs/seq_file.c 2011-11-08 19:02:43.000000000 -0500
51578+++ linux-2.6.32.48/fs/seq_file.c 2011-11-15 19:59:43.000000000 -0500
51579@@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
51580 return 0;
51581 }
51582 if (!m->buf) {
51583- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51584+ m->size = PAGE_SIZE;
51585+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51586 if (!m->buf)
51587 return -ENOMEM;
51588 }
51589@@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
51590 Eoverflow:
51591 m->op->stop(m, p);
51592 kfree(m->buf);
51593- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51594+ m->size <<= 1;
51595+ m->buf = kmalloc(m->size, GFP_KERNEL);
51596 return !m->buf ? -ENOMEM : -EAGAIN;
51597 }
51598
51599@@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
51600 m->version = file->f_version;
51601 /* grab buffer if we didn't have one */
51602 if (!m->buf) {
51603- m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
51604+ m->size = PAGE_SIZE;
51605+ m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
51606 if (!m->buf)
51607 goto Enomem;
51608 }
51609@@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
51610 goto Fill;
51611 m->op->stop(m, p);
51612 kfree(m->buf);
51613- m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
51614+ m->size <<= 1;
51615+ m->buf = kmalloc(m->size, GFP_KERNEL);
51616 if (!m->buf)
51617 goto Enomem;
51618 m->count = 0;
51619@@ -551,7 +555,7 @@ static void single_stop(struct seq_file
51620 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
51621 void *data)
51622 {
51623- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
51624+ seq_operations_no_const *op = kmalloc(sizeof(*op), GFP_KERNEL);
51625 int res = -ENOMEM;
51626
51627 if (op) {
51628diff -urNp linux-2.6.32.48/fs/smbfs/proc.c linux-2.6.32.48/fs/smbfs/proc.c
51629--- linux-2.6.32.48/fs/smbfs/proc.c 2011-11-08 19:02:43.000000000 -0500
51630+++ linux-2.6.32.48/fs/smbfs/proc.c 2011-11-15 19:59:43.000000000 -0500
51631@@ -266,9 +266,9 @@ int smb_setcodepage(struct smb_sb_info *
51632
51633 out:
51634 if (server->local_nls != NULL && server->remote_nls != NULL)
51635- server->ops->convert = convert_cp;
51636+ *(void **)&server->ops->convert = convert_cp;
51637 else
51638- server->ops->convert = convert_memcpy;
51639+ *(void **)&server->ops->convert = convert_memcpy;
51640
51641 smb_unlock_server(server);
51642 return n;
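Review bot: The stores written as `*(void **)&server->ops->convert = ...` in `smb_setcodepage` retype the member as `void *` before the write, so the compiler no longer checks that `convert_cp` or `convert_memcpy` matches the member's prototype. The same pattern is used for `getattr` in the `smb_newconn` hunk and, as `memcpy((void *)dst, ...)`, in `install_ops`. Presumably the casts are there because `struct smb_ops` is const-qualified elsewhere in this patch; if so, each site should say why the object is still writable, for example `/* ops is this server's own writable copy; the cast only strips const */`, once that has been confirmed. Casting to the member's own function-pointer type rather than `void *` would strip the qualifier and keep the signature check. Both functions start and end outside the hunks shown.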
51643@@ -933,9 +933,9 @@ smb_newconn(struct smb_sb_info *server,
51644
51645 /* FIXME: the win9x code wants to modify these ... (seek/trunc bug) */
51646 if (server->mnt->flags & SMB_MOUNT_OLDATTR) {
51647- server->ops->getattr = smb_proc_getattr_core;
51648+ *(void **)&server->ops->getattr = smb_proc_getattr_core;
51649 } else if (server->mnt->flags & SMB_MOUNT_DIRATTR) {
51650- server->ops->getattr = smb_proc_getattr_ff;
51651+ *(void **)&server->ops->getattr = smb_proc_getattr_ff;
51652 }
51653
51654 /* Decode server capabilities */
51655@@ -3439,7 +3439,7 @@ out:
51656 static void
51657 install_ops(struct smb_ops *dst, struct smb_ops *src)
51658 {
51659- memcpy(dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
51660+ memcpy((void *)dst, src, sizeof(void *) * SMB_OPS_NUM_STATIC);
51661 }
51662
51663 /* < LANMAN2 */
51664diff -urNp linux-2.6.32.48/fs/smbfs/symlink.c linux-2.6.32.48/fs/smbfs/symlink.c
51665--- linux-2.6.32.48/fs/smbfs/symlink.c 2011-11-08 19:02:43.000000000 -0500
51666+++ linux-2.6.32.48/fs/smbfs/symlink.c 2011-11-15 19:59:43.000000000 -0500
51667@@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
51668
51669 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
51670 {
51671- char *s = nd_get_link(nd);
51672+ const char *s = nd_get_link(nd);
51673 if (!IS_ERR(s))
51674 __putname(s);
51675 }
51676diff -urNp linux-2.6.32.48/fs/splice.c linux-2.6.32.48/fs/splice.c
51677--- linux-2.6.32.48/fs/splice.c 2011-11-08 19:02:43.000000000 -0500
51678+++ linux-2.6.32.48/fs/splice.c 2011-11-15 19:59:43.000000000 -0500
51679@@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
51680 pipe_lock(pipe);
51681
51682 for (;;) {
51683- if (!pipe->readers) {
51684+ if (!atomic_read(&pipe->readers)) {
51685 send_sig(SIGPIPE, current, 0);
51686 if (!ret)
51687 ret = -EPIPE;
51688@@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
51689 do_wakeup = 0;
51690 }
51691
51692- pipe->waiting_writers++;
51693+ atomic_inc(&pipe->waiting_writers);
51694 pipe_wait(pipe);
51695- pipe->waiting_writers--;
51696+ atomic_dec(&pipe->waiting_writers);
51697 }
51698
51699 pipe_unlock(pipe);
51700@@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
51701 .spd_release = spd_release_page,
51702 };
51703
51704+ pax_track_stack();
51705+
51706 index = *ppos >> PAGE_CACHE_SHIFT;
51707 loff = *ppos & ~PAGE_CACHE_MASK;
51708 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
51709@@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
51710 old_fs = get_fs();
51711 set_fs(get_ds());
51712 /* The cast to a user pointer is valid due to the set_fs() */
51713- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
51714+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
51715 set_fs(old_fs);
51716
51717 return res;
51718@@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
51719 old_fs = get_fs();
51720 set_fs(get_ds());
51721 /* The cast to a user pointer is valid due to the set_fs() */
51722- res = vfs_write(file, (const char __user *)buf, count, &pos);
51723+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
51724 set_fs(old_fs);
51725
51726 return res;
51727@@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
51728 .spd_release = spd_release_page,
51729 };
51730
51731+ pax_track_stack();
51732+
51733 index = *ppos >> PAGE_CACHE_SHIFT;
51734 offset = *ppos & ~PAGE_CACHE_MASK;
51735 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
51736@@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
51737 goto err;
51738
51739 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
51740- vec[i].iov_base = (void __user *) page_address(page);
51741+ vec[i].iov_base = (__force void __user *) page_address(page);
51742 vec[i].iov_len = this_len;
51743 pages[i] = page;
51744 spd.nr_pages++;
51745@@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
51746 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
51747 {
51748 while (!pipe->nrbufs) {
51749- if (!pipe->writers)
51750+ if (!atomic_read(&pipe->writers))
51751 return 0;
51752
51753- if (!pipe->waiting_writers && sd->num_spliced)
51754+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
51755 return 0;
51756
51757 if (sd->flags & SPLICE_F_NONBLOCK)
51758@@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
51759 * out of the pipe right after the splice_to_pipe(). So set
51760 * PIPE_READERS appropriately.
51761 */
51762- pipe->readers = 1;
51763+ atomic_set(&pipe->readers, 1);
51764
51765 current->splice_pipe = pipe;
51766 }
51767@@ -1593,6 +1597,8 @@ static long vmsplice_to_pipe(struct file
51768 .spd_release = spd_release_page,
51769 };
51770
51771+ pax_track_stack();
51772+
51773 pipe = pipe_info(file->f_path.dentry->d_inode);
51774 if (!pipe)
51775 return -EBADF;
51776@@ -1701,9 +1707,9 @@ static int ipipe_prep(struct pipe_inode_
51777 ret = -ERESTARTSYS;
51778 break;
51779 }
51780- if (!pipe->writers)
51781+ if (!atomic_read(&pipe->writers))
51782 break;
51783- if (!pipe->waiting_writers) {
51784+ if (!atomic_read(&pipe->waiting_writers)) {
51785 if (flags & SPLICE_F_NONBLOCK) {
51786 ret = -EAGAIN;
51787 break;
51788@@ -1735,7 +1741,7 @@ static int opipe_prep(struct pipe_inode_
51789 pipe_lock(pipe);
51790
51791 while (pipe->nrbufs >= PIPE_BUFFERS) {
51792- if (!pipe->readers) {
51793+ if (!atomic_read(&pipe->readers)) {
51794 send_sig(SIGPIPE, current, 0);
51795 ret = -EPIPE;
51796 break;
51797@@ -1748,9 +1754,9 @@ static int opipe_prep(struct pipe_inode_
51798 ret = -ERESTARTSYS;
51799 break;
51800 }
51801- pipe->waiting_writers++;
51802+ atomic_inc(&pipe->waiting_writers);
51803 pipe_wait(pipe);
51804- pipe->waiting_writers--;
51805+ atomic_dec(&pipe->waiting_writers);
51806 }
51807
51808 pipe_unlock(pipe);
51809@@ -1786,14 +1792,14 @@ retry:
51810 pipe_double_lock(ipipe, opipe);
51811
51812 do {
51813- if (!opipe->readers) {
51814+ if (!atomic_read(&opipe->readers)) {
51815 send_sig(SIGPIPE, current, 0);
51816 if (!ret)
51817 ret = -EPIPE;
51818 break;
51819 }
51820
51821- if (!ipipe->nrbufs && !ipipe->writers)
51822+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
51823 break;
51824
51825 /*
51826@@ -1893,7 +1899,7 @@ static int link_pipe(struct pipe_inode_i
51827 pipe_double_lock(ipipe, opipe);
51828
51829 do {
51830- if (!opipe->readers) {
51831+ if (!atomic_read(&opipe->readers)) {
51832 send_sig(SIGPIPE, current, 0);
51833 if (!ret)
51834 ret = -EPIPE;
51835@@ -1938,7 +1944,7 @@ static int link_pipe(struct pipe_inode_i
51836 * return EAGAIN if we have the potential of some data in the
51837 * future, otherwise just return 0
51838 */
51839- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
51840+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
51841 ret = -EAGAIN;
51842
51843 pipe_unlock(ipipe);
51844diff -urNp linux-2.6.32.48/fs/sysfs/file.c linux-2.6.32.48/fs/sysfs/file.c
51845--- linux-2.6.32.48/fs/sysfs/file.c 2011-11-08 19:02:43.000000000 -0500
51846+++ linux-2.6.32.48/fs/sysfs/file.c 2011-11-15 19:59:43.000000000 -0500
51847@@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
51848
51849 struct sysfs_open_dirent {
51850 atomic_t refcnt;
51851- atomic_t event;
51852+ atomic_unchecked_t event;
51853 wait_queue_head_t poll;
51854 struct list_head buffers; /* goes through sysfs_buffer.list */
51855 };
51856@@ -53,7 +53,7 @@ struct sysfs_buffer {
51857 size_t count;
51858 loff_t pos;
51859 char * page;
51860- struct sysfs_ops * ops;
51861+ const struct sysfs_ops * ops;
51862 struct mutex mutex;
51863 int needs_read_fill;
51864 int event;
51865@@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
51866 {
51867 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
51868 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51869- struct sysfs_ops * ops = buffer->ops;
51870+ const struct sysfs_ops * ops = buffer->ops;
51871 int ret = 0;
51872 ssize_t count;
51873
51874@@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
51875 if (!sysfs_get_active_two(attr_sd))
51876 return -ENODEV;
51877
51878- buffer->event = atomic_read(&attr_sd->s_attr.open->event);
51879+ buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
51880 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
51881
51882 sysfs_put_active_two(attr_sd);
51883@@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
51884 {
51885 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
51886 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51887- struct sysfs_ops * ops = buffer->ops;
51888+ const struct sysfs_ops * ops = buffer->ops;
51889 int rc;
51890
51891 /* need attr_sd for attr and ops, its parent for kobj */
51892@@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
51893 return -ENOMEM;
51894
51895 atomic_set(&new_od->refcnt, 0);
51896- atomic_set(&new_od->event, 1);
51897+ atomic_set_unchecked(&new_od->event, 1);
51898 init_waitqueue_head(&new_od->poll);
51899 INIT_LIST_HEAD(&new_od->buffers);
51900 goto retry;
51901@@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
51902 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
51903 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
51904 struct sysfs_buffer *buffer;
51905- struct sysfs_ops *ops;
51906+ const struct sysfs_ops *ops;
51907 int error = -EACCES;
51908 char *p;
51909
51910@@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
51911
51912 sysfs_put_active_two(attr_sd);
51913
51914- if (buffer->event != atomic_read(&od->event))
51915+ if (buffer->event != atomic_read_unchecked(&od->event))
51916 goto trigger;
51917
51918 return DEFAULT_POLLMASK;
51919@@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
51920
51921 od = sd->s_attr.open;
51922 if (od) {
51923- atomic_inc(&od->event);
51924+ atomic_inc_unchecked(&od->event);
51925 wake_up_interruptible(&od->poll);
51926 }
51927
51928diff -urNp linux-2.6.32.48/fs/sysfs/mount.c linux-2.6.32.48/fs/sysfs/mount.c
51929--- linux-2.6.32.48/fs/sysfs/mount.c 2011-11-08 19:02:43.000000000 -0500
51930+++ linux-2.6.32.48/fs/sysfs/mount.c 2011-11-15 19:59:43.000000000 -0500
51931@@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
51932 .s_name = "",
51933 .s_count = ATOMIC_INIT(1),
51934 .s_flags = SYSFS_DIR,
51935+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
51936+ .s_mode = S_IFDIR | S_IRWXU,
51937+#else
51938 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
51939+#endif
51940 .s_ino = 1,
51941 };
51942
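Review bot: The `CONFIG_GRKERNSEC_SYSFS_RESTRICT` branch in the `sysfs_root` initialiser has no comment describing its effect. With `.s_mode = S_IFDIR | S_IRWXU` the group and other bits are cleared on the root directory itself, so everything below it becomes unreachable for other users, not only the sensitive attributes. I would add `/* owner-only root: non-owner processes cannot traverse into sysfs at all */` above the `#ifdef` so the trade-off is visible to whoever enables the option.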
51943diff -urNp linux-2.6.32.48/fs/sysfs/symlink.c linux-2.6.32.48/fs/sysfs/symlink.c
51944--- linux-2.6.32.48/fs/sysfs/symlink.c 2011-11-08 19:02:43.000000000 -0500
51945+++ linux-2.6.32.48/fs/sysfs/symlink.c 2011-11-15 19:59:43.000000000 -0500
51946@@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
51947
51948 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
51949 {
51950- char *page = nd_get_link(nd);
51951+ const char *page = nd_get_link(nd);
51952 if (!IS_ERR(page))
51953 free_page((unsigned long)page);
51954 }
51955diff -urNp linux-2.6.32.48/fs/udf/balloc.c linux-2.6.32.48/fs/udf/balloc.c
51956--- linux-2.6.32.48/fs/udf/balloc.c 2011-11-08 19:02:43.000000000 -0500
51957+++ linux-2.6.32.48/fs/udf/balloc.c 2011-11-15 19:59:43.000000000 -0500
51958@@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
51959
51960 mutex_lock(&sbi->s_alloc_mutex);
51961 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
51962- if (bloc->logicalBlockNum < 0 ||
51963- (bloc->logicalBlockNum + count) >
51964- partmap->s_partition_len) {
51965+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
51966 udf_debug("%d < %d || %d + %d > %d\n",
51967 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
51968 count, partmap->s_partition_len);
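Review bot: With the `< 0` test removed, the remaining bound `(bloc->logicalBlockNum + count) > partmap->s_partition_len` in `udf_bitmap_free_blocks` can be passed by wrap-around. If both operands are 32-bit unsigned, which the removal of the sign test suggests, a large block number read from the medium plus `count` wraps to a small sum. Writing the test without the addition avoids that: `if (count > partmap->s_partition_len || bloc->logicalBlockNum > partmap->s_partition_len - count) {`. The same condition appears in the `udf_table_free_blocks` hunk. In both hunks the `udf_debug` format still prints `%d < %d ||` for the comparison that no longer exists; both functions continue outside the hunks.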
51969@@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
51970
51971 mutex_lock(&sbi->s_alloc_mutex);
51972 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
51973- if (bloc->logicalBlockNum < 0 ||
51974- (bloc->logicalBlockNum + count) >
51975- partmap->s_partition_len) {
51976+ if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
51977 udf_debug("%d < %d || %d + %d > %d\n",
51978 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
51979 partmap->s_partition_len);
51980diff -urNp linux-2.6.32.48/fs/udf/inode.c linux-2.6.32.48/fs/udf/inode.c
51981--- linux-2.6.32.48/fs/udf/inode.c 2011-11-08 19:02:43.000000000 -0500
51982+++ linux-2.6.32.48/fs/udf/inode.c 2011-11-15 19:59:43.000000000 -0500
51983@@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
51984 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
51985 int lastblock = 0;
51986
51987+ pax_track_stack();
51988+
51989 prev_epos.offset = udf_file_entry_alloc_offset(inode);
51990 prev_epos.block = iinfo->i_location;
51991 prev_epos.bh = NULL;
51992diff -urNp linux-2.6.32.48/fs/udf/misc.c linux-2.6.32.48/fs/udf/misc.c
51993--- linux-2.6.32.48/fs/udf/misc.c 2011-11-08 19:02:43.000000000 -0500
51994+++ linux-2.6.32.48/fs/udf/misc.c 2011-11-15 19:59:43.000000000 -0500
51995@@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
51996
51997 u8 udf_tag_checksum(const struct tag *t)
51998 {
51999- u8 *data = (u8 *)t;
52000+ const u8 *data = (const u8 *)t;
52001 u8 checksum = 0;
52002 int i;
52003 for (i = 0; i < sizeof(struct tag); ++i)
52004diff -urNp linux-2.6.32.48/fs/utimes.c linux-2.6.32.48/fs/utimes.c
52005--- linux-2.6.32.48/fs/utimes.c 2011-11-08 19:02:43.000000000 -0500
52006+++ linux-2.6.32.48/fs/utimes.c 2011-11-15 19:59:43.000000000 -0500
52007@@ -1,6 +1,7 @@
52008 #include <linux/compiler.h>
52009 #include <linux/file.h>
52010 #include <linux/fs.h>
52011+#include <linux/security.h>
52012 #include <linux/linkage.h>
52013 #include <linux/mount.h>
52014 #include <linux/namei.h>
52015@@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
52016 goto mnt_drop_write_and_out;
52017 }
52018 }
52019+
52020+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
52021+ error = -EACCES;
52022+ goto mnt_drop_write_and_out;
52023+ }
52024+
52025 mutex_lock(&inode->i_mutex);
52026 error = notify_change(path->dentry, &newattrs);
52027 mutex_unlock(&inode->i_mutex);
52028diff -urNp linux-2.6.32.48/fs/xattr_acl.c linux-2.6.32.48/fs/xattr_acl.c
52029--- linux-2.6.32.48/fs/xattr_acl.c 2011-11-08 19:02:43.000000000 -0500
52030+++ linux-2.6.32.48/fs/xattr_acl.c 2011-11-15 19:59:43.000000000 -0500
52031@@ -17,8 +17,8 @@
52032 struct posix_acl *
52033 posix_acl_from_xattr(const void *value, size_t size)
52034 {
52035- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
52036- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
52037+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
52038+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
52039 int count;
52040 struct posix_acl *acl;
52041 struct posix_acl_entry *acl_e;
52042diff -urNp linux-2.6.32.48/fs/xattr.c linux-2.6.32.48/fs/xattr.c
52043--- linux-2.6.32.48/fs/xattr.c 2011-11-08 19:02:43.000000000 -0500
52044+++ linux-2.6.32.48/fs/xattr.c 2011-11-15 19:59:43.000000000 -0500
52045@@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
52046 * Extended attribute SET operations
52047 */
52048 static long
52049-setxattr(struct dentry *d, const char __user *name, const void __user *value,
52050+setxattr(struct path *path, const char __user *name, const void __user *value,
52051 size_t size, int flags)
52052 {
52053 int error;
52054@@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
52055 return PTR_ERR(kvalue);
52056 }
52057
52058- error = vfs_setxattr(d, kname, kvalue, size, flags);
52059+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
52060+ error = -EACCES;
52061+ goto out;
52062+ }
52063+
52064+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
52065+out:
52066 kfree(kvalue);
52067 return error;
52068 }
52069@@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
52070 return error;
52071 error = mnt_want_write(path.mnt);
52072 if (!error) {
52073- error = setxattr(path.dentry, name, value, size, flags);
52074+ error = setxattr(&path, name, value, size, flags);
52075 mnt_drop_write(path.mnt);
52076 }
52077 path_put(&path);
52078@@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
52079 return error;
52080 error = mnt_want_write(path.mnt);
52081 if (!error) {
52082- error = setxattr(path.dentry, name, value, size, flags);
52083+ error = setxattr(&path, name, value, size, flags);
52084 mnt_drop_write(path.mnt);
52085 }
52086 path_put(&path);
52087@@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
52088 const void __user *,value, size_t, size, int, flags)
52089 {
52090 struct file *f;
52091- struct dentry *dentry;
52092 int error = -EBADF;
52093
52094 f = fget(fd);
52095 if (!f)
52096 return error;
52097- dentry = f->f_path.dentry;
52098- audit_inode(NULL, dentry);
52099+ audit_inode(NULL, f->f_path.dentry);
52100 error = mnt_want_write_file(f);
52101 if (!error) {
52102- error = setxattr(dentry, name, value, size, flags);
52103+ error = setxattr(&f->f_path, name, value, size, flags);
52104 mnt_drop_write(f->f_path.mnt);
52105 }
52106 fput(f);
52107diff -urNp linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl32.c
52108--- linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-11-08 19:02:43.000000000 -0500
52109+++ linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-11-15 19:59:43.000000000 -0500
52110@@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
52111 xfs_fsop_geom_t fsgeo;
52112 int error;
52113
52114+ memset(&fsgeo, 0, sizeof(fsgeo));
52115 error = xfs_fs_geometry(mp, &fsgeo, 3);
52116 if (error)
52117 return -error;
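Review bot: The `memset(&fsgeo, 0, sizeof(fsgeo))` is added only to the compat handler `xfs_compat_ioc_fsgeometry_v1`. The native `xfs_ioc_fsgeometry_v1` hunk in `xfs_ioctl.c` changes only whitespace on the `fsgeo` declaration and still hands an uninitialised stack structure to `xfs_fs_geometry(mp, &fsgeo, 3)`. If the copy to user space that follows (outside the hunk) covers any field or padding that the version-3 fill does not write, the native path would disclose stack contents in the way the compat change is guarding against. Adding the same line, `memset(&fsgeo, 0, sizeof(fsgeo));`, before the call in `xfs_ioc_fsgeometry_v1` would make the two handlers consistent.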
52118diff -urNp linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl.c
52119--- linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl.c 2011-11-08 19:02:43.000000000 -0500
52120+++ linux-2.6.32.48/fs/xfs/linux-2.6/xfs_ioctl.c 2011-11-15 19:59:43.000000000 -0500
52121@@ -134,7 +134,7 @@ xfs_find_handle(
52122 }
52123
52124 error = -EFAULT;
52125- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
52126+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
52127 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
52128 goto out_put;
52129
52130@@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
52131 if (IS_ERR(dentry))
52132 return PTR_ERR(dentry);
52133
52134- kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
52135+ kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
52136 if (!kbuf)
52137 goto out_dput;
52138
52139@@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
52140 xfs_mount_t *mp,
52141 void __user *arg)
52142 {
52143- xfs_fsop_geom_t fsgeo;
52144+ xfs_fsop_geom_t fsgeo;
52145 int error;
52146
52147 error = xfs_fs_geometry(mp, &fsgeo, 3);
52148diff -urNp linux-2.6.32.48/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.48/fs/xfs/linux-2.6/xfs_iops.c
52149--- linux-2.6.32.48/fs/xfs/linux-2.6/xfs_iops.c 2011-11-08 19:02:43.000000000 -0500
52150+++ linux-2.6.32.48/fs/xfs/linux-2.6/xfs_iops.c 2011-11-15 19:59:43.000000000 -0500
52151@@ -468,7 +468,7 @@ xfs_vn_put_link(
52152 struct nameidata *nd,
52153 void *p)
52154 {
52155- char *s = nd_get_link(nd);
52156+ const char *s = nd_get_link(nd);
52157
52158 if (!IS_ERR(s))
52159 kfree(s);
52160diff -urNp linux-2.6.32.48/fs/xfs/xfs_bmap.c linux-2.6.32.48/fs/xfs/xfs_bmap.c
52161--- linux-2.6.32.48/fs/xfs/xfs_bmap.c 2011-11-08 19:02:43.000000000 -0500
52162+++ linux-2.6.32.48/fs/xfs/xfs_bmap.c 2011-11-15 19:59:43.000000000 -0500
52163@@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
52164 int nmap,
52165 int ret_nmap);
52166 #else
52167-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
52168+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
52169 #endif /* DEBUG */
52170
52171 #if defined(XFS_RW_TRACE)
52172diff -urNp linux-2.6.32.48/fs/xfs/xfs_dir2_sf.c linux-2.6.32.48/fs/xfs/xfs_dir2_sf.c
52173--- linux-2.6.32.48/fs/xfs/xfs_dir2_sf.c 2011-11-08 19:02:43.000000000 -0500
52174+++ linux-2.6.32.48/fs/xfs/xfs_dir2_sf.c 2011-11-15 19:59:43.000000000 -0500
52175@@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
52176 }
52177
52178 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
52179- if (filldir(dirent, sfep->name, sfep->namelen,
52180+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
52181+ char name[sfep->namelen];
52182+ memcpy(name, sfep->name, sfep->namelen);
52183+ if (filldir(dirent, name, sfep->namelen,
52184+ off & 0x7fffffff, ino, DT_UNKNOWN)) {
52185+ *offset = off & 0x7fffffff;
52186+ return 0;
52187+ }
52188+ } else if (filldir(dirent, sfep->name, sfep->namelen,
52189 off & 0x7fffffff, ino, DT_UNKNOWN)) {
52190 *offset = off & 0x7fffffff;
52191 return 0;
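Review bot: `char name[sfep->namelen];` in `xfs_dir2_sf_getdents` is a variable-length array on the kernel stack whose size is taken from a directory entry, and a length of zero makes the declaration undefined behaviour. The upper bound depends on the width of `namelen`, which is not visible here. A fixed buffer sized to the filesystem's maximum name length, with `sfep->namelen` checked against `sizeof(name)` before the `memcpy`, would make the stack usage explicit. The branch also needs a comment saying why inline-data names are bounced through a stack copy before `filldir`, since the condition `if_u1.if_data == if_u2.if_inline_data` does not explain itself. The enclosing loop and function extend beyond the hunk.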
52192diff -urNp linux-2.6.32.48/fs/xfs/xfs_vnodeops.c linux-2.6.32.48/fs/xfs/xfs_vnodeops.c
52193--- linux-2.6.32.48/fs/xfs/xfs_vnodeops.c 2011-11-08 19:02:43.000000000 -0500
52194+++ linux-2.6.32.48/fs/xfs/xfs_vnodeops.c 2011-11-18 18:59:38.000000000 -0500
52195@@ -564,13 +564,17 @@ xfs_readlink(
52196
52197 xfs_ilock(ip, XFS_ILOCK_SHARED);
52198
52199- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
52200- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
52201-
52202 pathlen = ip->i_d.di_size;
52203 if (!pathlen)
52204 goto out;
52205
52206+ if (pathlen > MAXPATHLEN) {
52207+ xfs_fs_cmn_err(CE_ALERT, mp, "%s: inode (%llu) symlink length (%d) too long",
52208+ __func__, (unsigned long long)ip->i_ino, pathlen);
52209+ ASSERT(0);
52210+ return XFS_ERROR(EFSCORRUPTED);
52211+ }
52212+
52213 if (ip->i_df.if_flags & XFS_IFINLINE) {
52214 memcpy(link, ip->i_df.if_u1.if_data, pathlen);
52215 link[pathlen] = '\0';
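Review bot: The new `pathlen > MAXPATHLEN` branch in `xfs_readlink` leaves with `return XFS_ERROR(EFSCORRUPTED);` although `xfs_ilock(ip, XFS_ILOCK_SHARED)` was taken a few lines earlier, while the zero-length case just above exits through `goto out`. Assuming the `out` label (outside the hunk) is where the inode lock is dropped, this path returns with the lock still held whenever a corrupted symlink is read. Assigning the function's error variable and jumping, for example `error = XFS_ERROR(EFSCORRUPTED); goto out;`, would match the existing exit. The message prints `pathlen` with `%d`; if it is a signed int assigned from `di_size`, a negative value also passes the test and reaches `memcpy`, so the condition should be `pathlen < 0 || pathlen > MAXPATHLEN`.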
52216diff -urNp linux-2.6.32.48/grsecurity/gracl_alloc.c linux-2.6.32.48/grsecurity/gracl_alloc.c
52217--- linux-2.6.32.48/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
52218+++ linux-2.6.32.48/grsecurity/gracl_alloc.c 2011-11-15 19:59:43.000000000 -0500
52219@@ -0,0 +1,105 @@
52220+#include <linux/kernel.h>
52221+#include <linux/mm.h>
52222+#include <linux/slab.h>
52223+#include <linux/vmalloc.h>
52224+#include <linux/gracl.h>
52225+#include <linux/grsecurity.h>
52226+
52227+static unsigned long alloc_stack_next = 1;
52228+static unsigned long alloc_stack_size = 1;
52229+static void **alloc_stack;
52230+
52231+static __inline__ int
52232+alloc_pop(void)
52233+{
52234+ if (alloc_stack_next == 1)
52235+ return 0;
52236+
52237+ kfree(alloc_stack[alloc_stack_next - 2]);
52238+
52239+ alloc_stack_next--;
52240+
52241+ return 1;
52242+}
52243+
52244+static __inline__ int
52245+alloc_push(void *buf)
52246+{
52247+ if (alloc_stack_next >= alloc_stack_size)
52248+ return 1;
52249+
52250+ alloc_stack[alloc_stack_next - 1] = buf;
52251+
52252+ alloc_stack_next++;
52253+
52254+ return 0;
52255+}
52256+
52257+void *
52258+acl_alloc(unsigned long len)
52259+{
52260+ void *ret = NULL;
52261+
52262+ if (!len || len > PAGE_SIZE)
52263+ goto out;
52264+
52265+ ret = kmalloc(len, GFP_KERNEL);
52266+
52267+ if (ret) {
52268+ if (alloc_push(ret)) {
52269+ kfree(ret);
52270+ ret = NULL;
52271+ }
52272+ }
52273+
52274+out:
52275+ return ret;
52276+}
52277+
52278+void *
52279+acl_alloc_num(unsigned long num, unsigned long len)
52280+{
52281+ if (!len || (num > (PAGE_SIZE / len)))
52282+ return NULL;
52283+
52284+ return acl_alloc(num * len);
52285+}
52286+
52287+void
52288+acl_free_all(void)
52289+{
52290+ if (gr_acl_is_enabled() || !alloc_stack)
52291+ return;
52292+
52293+ while (alloc_pop()) ;
52294+
52295+ if (alloc_stack) {
52296+ if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
52297+ kfree(alloc_stack);
52298+ else
52299+ vfree(alloc_stack);
52300+ }
52301+
52302+ alloc_stack = NULL;
52303+ alloc_stack_size = 1;
52304+ alloc_stack_next = 1;
52305+
52306+ return;
52307+}
52308+
52309+int
52310+acl_alloc_stack_init(unsigned long size)
52311+{
52312+ if ((size * sizeof (void *)) <= PAGE_SIZE)
52313+ alloc_stack =
52314+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
52315+ else
52316+ alloc_stack = (void **) vmalloc(size * sizeof (void *));
52317+
52318+ alloc_stack_size = size;
52319+
52320+ if (!alloc_stack)
52321+ return 0;
52322+ else
52323+ return 1;
52324+}
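Review bot: `acl_alloc_stack_init` multiplies `size * sizeof (void *)` without an overflow check and assigns `alloc_stack_size = size` before it knows whether the allocation succeeded. If the product wraps, a small array is allocated while `alloc_push` still accepts indices up to `size`. After a failed allocation `alloc_stack` is NULL but `alloc_stack_size` still lets `alloc_push` store through it, should a caller carry on. I would reject oversized requests first with `if (size > ULONG_MAX / sizeof (void *)) return 0;` and move `alloc_stack_size = size;` below the `!alloc_stack` test. `acl_free_all` chooses between `kfree` and `vfree` from `alloc_stack_size`, so that value should only ever describe a live allocation.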
52325diff -urNp linux-2.6.32.48/grsecurity/gracl.c linux-2.6.32.48/grsecurity/gracl.c
52326--- linux-2.6.32.48/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
52327+++ linux-2.6.32.48/grsecurity/gracl.c 2011-11-16 17:55:28.000000000 -0500
52328@@ -0,0 +1,4141 @@
52329+#include <linux/kernel.h>
52330+#include <linux/module.h>
52331+#include <linux/sched.h>
52332+#include <linux/mm.h>
52333+#include <linux/file.h>
52334+#include <linux/fs.h>
52335+#include <linux/namei.h>
52336+#include <linux/mount.h>
52337+#include <linux/tty.h>
52338+#include <linux/proc_fs.h>
52339+#include <linux/smp_lock.h>
52340+#include <linux/slab.h>
52341+#include <linux/vmalloc.h>
52342+#include <linux/types.h>
52343+#include <linux/sysctl.h>
52344+#include <linux/netdevice.h>
52345+#include <linux/ptrace.h>
52346+#include <linux/gracl.h>
52347+#include <linux/gralloc.h>
52348+#include <linux/grsecurity.h>
52349+#include <linux/grinternal.h>
52350+#include <linux/pid_namespace.h>
52351+#include <linux/fdtable.h>
52352+#include <linux/percpu.h>
52353+
52354+#include <asm/uaccess.h>
52355+#include <asm/errno.h>
52356+#include <asm/mman.h>
52357+
52358+static struct acl_role_db acl_role_set;
52359+static struct name_db name_set;
52360+static struct inodev_db inodev_set;
52361+
52362+/* for keeping track of userspace pointers used for subjects, so we
52363+ can share references in the kernel as well
52364+*/
52365+
52366+static struct dentry *real_root;
52367+static struct vfsmount *real_root_mnt;
52368+
52369+static struct acl_subj_map_db subj_map_set;
52370+
52371+static struct acl_role_label *default_role;
52372+
52373+static struct acl_role_label *role_list;
52374+
52375+static u16 acl_sp_role_value;
52376+
52377+extern char *gr_shared_page[4];
52378+static DEFINE_MUTEX(gr_dev_mutex);
52379+DEFINE_RWLOCK(gr_inode_lock);
52380+
52381+struct gr_arg *gr_usermode;
52382+
52383+static unsigned int gr_status __read_only = GR_STATUS_INIT;
52384+
52385+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
52386+extern void gr_clear_learn_entries(void);
52387+
52388+#ifdef CONFIG_GRKERNSEC_RESLOG
52389+extern void gr_log_resource(const struct task_struct *task,
52390+ const int res, const unsigned long wanted, const int gt);
52391+#endif
52392+
52393+unsigned char *gr_system_salt;
52394+unsigned char *gr_system_sum;
52395+
52396+static struct sprole_pw **acl_special_roles = NULL;
52397+static __u16 num_sprole_pws = 0;
52398+
52399+static struct acl_role_label *kernel_role = NULL;
52400+
52401+static unsigned int gr_auth_attempts = 0;
52402+static unsigned long gr_auth_expires = 0UL;
52403+
52404+#ifdef CONFIG_NET
52405+extern struct vfsmount *sock_mnt;
52406+#endif
52407+extern struct vfsmount *pipe_mnt;
52408+extern struct vfsmount *shm_mnt;
52409+#ifdef CONFIG_HUGETLBFS
52410+extern struct vfsmount *hugetlbfs_vfsmount;
52411+#endif
52412+
52413+static struct acl_object_label *fakefs_obj_rw;
52414+static struct acl_object_label *fakefs_obj_rwx;
52415+
52416+extern int gr_init_uidset(void);
52417+extern void gr_free_uidset(void);
52418+extern void gr_remove_uid(uid_t uid);
52419+extern int gr_find_uid(uid_t uid);
52420+
52421+__inline__ int
52422+gr_acl_is_enabled(void)
52423+{
52424+ return (gr_status & GR_READY);
52425+}
52426+
52427+#ifdef CONFIG_BTRFS_FS
52428+extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
52429+extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
52430+#endif
52431+
52432+static inline dev_t __get_dev(const struct dentry *dentry)
52433+{
52434+#ifdef CONFIG_BTRFS_FS
52435+ if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
52436+ return get_btrfs_dev_from_inode(dentry->d_inode);
52437+ else
52438+#endif
52439+ return dentry->d_inode->i_sb->s_dev;
52440+}
52441+
52442+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
52443+{
52444+ return __get_dev(dentry);
52445+}
52446+
52447+static char gr_task_roletype_to_char(struct task_struct *task)
52448+{
52449+ switch (task->role->roletype &
52450+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
52451+ GR_ROLE_SPECIAL)) {
52452+ case GR_ROLE_DEFAULT:
52453+ return 'D';
52454+ case GR_ROLE_USER:
52455+ return 'U';
52456+ case GR_ROLE_GROUP:
52457+ return 'G';
52458+ case GR_ROLE_SPECIAL:
52459+ return 'S';
52460+ }
52461+
52462+ return 'X';
52463+}
52464+
52465+char gr_roletype_to_char(void)
52466+{
52467+ return gr_task_roletype_to_char(current);
52468+}
52469+
52470+__inline__ int
52471+gr_acl_tpe_check(void)
52472+{
52473+ if (unlikely(!(gr_status & GR_READY)))
52474+ return 0;
52475+ if (current->role->roletype & GR_ROLE_TPE)
52476+ return 1;
52477+ else
52478+ return 0;
52479+}
52480+
52481+int
52482+gr_handle_rawio(const struct inode *inode)
52483+{
52484+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52485+ if (inode && S_ISBLK(inode->i_mode) &&
52486+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
52487+ !capable(CAP_SYS_RAWIO))
52488+ return 1;
52489+#endif
52490+ return 0;
52491+}
52492+
52493+static int
52494+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
52495+{
52496+ if (likely(lena != lenb))
52497+ return 0;
52498+
52499+ return !memcmp(a, b, lena);
52500+}
52501+
52502+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
52503+{
52504+ *buflen -= namelen;
52505+ if (*buflen < 0)
52506+ return -ENAMETOOLONG;
52507+ *buffer -= namelen;
52508+ memcpy(*buffer, str, namelen);
52509+ return 0;
52510+}
52511+
52512+/* this must be called with vfsmount_lock and dcache_lock held */
52513+
52514+static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52515+ struct dentry *root, struct vfsmount *rootmnt,
52516+ char *buffer, int buflen)
52517+{
52518+ char * end = buffer+buflen;
52519+ char * retval;
52520+ int namelen;
52521+
52522+ *--end = '\0';
52523+ buflen--;
52524+
52525+ if (buflen < 1)
52526+ goto Elong;
52527+ /* Get '/' right */
52528+ retval = end-1;
52529+ *retval = '/';
52530+
52531+ for (;;) {
52532+ struct dentry * parent;
52533+
52534+ if (dentry == root && vfsmnt == rootmnt)
52535+ break;
52536+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
52537+ /* Global root? */
52538+ if (vfsmnt->mnt_parent == vfsmnt)
52539+ goto global_root;
52540+ dentry = vfsmnt->mnt_mountpoint;
52541+ vfsmnt = vfsmnt->mnt_parent;
52542+ continue;
52543+ }
52544+ parent = dentry->d_parent;
52545+ prefetch(parent);
52546+ namelen = dentry->d_name.len;
52547+ buflen -= namelen + 1;
52548+ if (buflen < 0)
52549+ goto Elong;
52550+ end -= namelen;
52551+ memcpy(end, dentry->d_name.name, namelen);
52552+ *--end = '/';
52553+ retval = end;
52554+ dentry = parent;
52555+ }
52556+
52557+out:
52558+ return retval;
52559+
52560+global_root:
52561+ namelen = dentry->d_name.len;
52562+ buflen -= namelen;
52563+ if (buflen < 0)
52564+ goto Elong;
52565+ retval -= namelen-1; /* hit the slash */
52566+ memcpy(retval, dentry->d_name.name, namelen);
52567+ goto out;
52568+Elong:
52569+ retval = ERR_PTR(-ENAMETOOLONG);
52570+ goto out;
52571+}
52572+
52573+static char *
52574+gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
52575+ struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
52576+{
52577+ char *retval;
52578+
52579+ retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
52580+ if (unlikely(IS_ERR(retval)))
52581+ retval = strcpy(buf, "<path too long>");
52582+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
52583+ retval[1] = '\0';
52584+
52585+ return retval;
52586+}
52587+
52588+static char *
52589+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52590+ char *buf, int buflen)
52591+{
52592+ char *res;
52593+
52594+ /* we can use real_root, real_root_mnt, because this is only called
52595+ by the RBAC system */
52596+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
52597+
52598+ return res;
52599+}
52600+
52601+static char *
52602+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
52603+ char *buf, int buflen)
52604+{
52605+ char *res;
52606+ struct dentry *root;
52607+ struct vfsmount *rootmnt;
52608+ struct task_struct *reaper = &init_task;
52609+
52610+ /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
52611+ read_lock(&reaper->fs->lock);
52612+ root = dget(reaper->fs->root.dentry);
52613+ rootmnt = mntget(reaper->fs->root.mnt);
52614+ read_unlock(&reaper->fs->lock);
52615+
52616+ spin_lock(&dcache_lock);
52617+ spin_lock(&vfsmount_lock);
52618+ res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
52619+ spin_unlock(&vfsmount_lock);
52620+ spin_unlock(&dcache_lock);
52621+
52622+ dput(root);
52623+ mntput(rootmnt);
52624+ return res;
52625+}
52626+
52627+static char *
52628+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52629+{
52630+ char *ret;
52631+ spin_lock(&dcache_lock);
52632+ spin_lock(&vfsmount_lock);
52633+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52634+ PAGE_SIZE);
52635+ spin_unlock(&vfsmount_lock);
52636+ spin_unlock(&dcache_lock);
52637+ return ret;
52638+}
52639+
52640+static char *
52641+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
52642+{
52643+ char *ret;
52644+ char *buf;
52645+ int buflen;
52646+
52647+ spin_lock(&dcache_lock);
52648+ spin_lock(&vfsmount_lock);
52649+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
52650+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
52651+ buflen = (int)(ret - buf);
52652+ if (buflen >= 5)
52653+ prepend(&ret, &buflen, "/proc", 5);
52654+ else
52655+ ret = strcpy(buf, "<path too long>");
52656+ spin_unlock(&vfsmount_lock);
52657+ spin_unlock(&dcache_lock);
52658+ return ret;
52659+}
52660+
52661+char *
52662+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
52663+{
52664+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
52665+ PAGE_SIZE);
52666+}
52667+
52668+char *
52669+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
52670+{
52671+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
52672+ PAGE_SIZE);
52673+}
52674+
52675+char *
52676+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
52677+{
52678+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
52679+ PAGE_SIZE);
52680+}
52681+
52682+char *
52683+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
52684+{
52685+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
52686+ PAGE_SIZE);
52687+}
52688+
52689+char *
52690+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
52691+{
52692+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
52693+ PAGE_SIZE);
52694+}
52695+
52696+__inline__ __u32
52697+to_gr_audit(const __u32 reqmode)
52698+{
52699+ /* masks off auditable permission flags, then shifts them to create
52700+ auditing flags, and adds the special case of append auditing if
52701+ we're requesting write */
52702+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
52703+}
52704+
52705+struct acl_subject_label *
52706+lookup_subject_map(const struct acl_subject_label *userp)
52707+{
52708+ unsigned int index = shash(userp, subj_map_set.s_size);
52709+ struct subject_map *match;
52710+
52711+ match = subj_map_set.s_hash[index];
52712+
52713+ while (match && match->user != userp)
52714+ match = match->next;
52715+
52716+ if (match != NULL)
52717+ return match->kernel;
52718+ else
52719+ return NULL;
52720+}
52721+
52722+static void
52723+insert_subj_map_entry(struct subject_map *subjmap)
52724+{
52725+ unsigned int index = shash(subjmap->user, subj_map_set.s_size);
52726+ struct subject_map **curr;
52727+
52728+ subjmap->prev = NULL;
52729+
52730+ curr = &subj_map_set.s_hash[index];
52731+ if (*curr != NULL)
52732+ (*curr)->prev = subjmap;
52733+
52734+ subjmap->next = *curr;
52735+ *curr = subjmap;
52736+
52737+ return;
52738+}
52739+
52740+static struct acl_role_label *
52741+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
52742+ const gid_t gid)
52743+{
52744+ unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
52745+ struct acl_role_label *match;
52746+ struct role_allowed_ip *ipp;
52747+ unsigned int x;
52748+ u32 curr_ip = task->signal->curr_ip;
52749+
52750+ task->signal->saved_ip = curr_ip;
52751+
52752+ match = acl_role_set.r_hash[index];
52753+
52754+ while (match) {
52755+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
52756+ for (x = 0; x < match->domain_child_num; x++) {
52757+ if (match->domain_children[x] == uid)
52758+ goto found;
52759+ }
52760+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
52761+ break;
52762+ match = match->next;
52763+ }
52764+found:
52765+ if (match == NULL) {
52766+ try_group:
52767+ index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
52768+ match = acl_role_set.r_hash[index];
52769+
52770+ while (match) {
52771+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
52772+ for (x = 0; x < match->domain_child_num; x++) {
52773+ if (match->domain_children[x] == gid)
52774+ goto found2;
52775+ }
52776+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
52777+ break;
52778+ match = match->next;
52779+ }
52780+found2:
52781+ if (match == NULL)
52782+ match = default_role;
52783+ if (match->allowed_ips == NULL)
52784+ return match;
52785+ else {
52786+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52787+ if (likely
52788+ ((ntohl(curr_ip) & ipp->netmask) ==
52789+ (ntohl(ipp->addr) & ipp->netmask)))
52790+ return match;
52791+ }
52792+ match = default_role;
52793+ }
52794+ } else if (match->allowed_ips == NULL) {
52795+ return match;
52796+ } else {
52797+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
52798+ if (likely
52799+ ((ntohl(curr_ip) & ipp->netmask) ==
52800+ (ntohl(ipp->addr) & ipp->netmask)))
52801+ return match;
52802+ }
52803+ goto try_group;
52804+ }
52805+
52806+ return match;
52807+}
52808+
52809+struct acl_subject_label *
52810+lookup_acl_subj_label(const ino_t ino, const dev_t dev,
52811+ const struct acl_role_label *role)
52812+{
52813+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
52814+ struct acl_subject_label *match;
52815+
52816+ match = role->subj_hash[index];
52817+
52818+ while (match && (match->inode != ino || match->device != dev ||
52819+ (match->mode & GR_DELETED))) {
52820+ match = match->next;
52821+ }
52822+
52823+ if (match && !(match->mode & GR_DELETED))
52824+ return match;
52825+ else
52826+ return NULL;
52827+}
52828+
52829+struct acl_subject_label *
52830+lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
52831+ const struct acl_role_label *role)
52832+{
52833+ unsigned int index = fhash(ino, dev, role->subj_hash_size);
52834+ struct acl_subject_label *match;
52835+
52836+ match = role->subj_hash[index];
52837+
52838+ while (match && (match->inode != ino || match->device != dev ||
52839+ !(match->mode & GR_DELETED))) {
52840+ match = match->next;
52841+ }
52842+
52843+ if (match && (match->mode & GR_DELETED))
52844+ return match;
52845+ else
52846+ return NULL;
52847+}
52848+
52849+static struct acl_object_label *
52850+lookup_acl_obj_label(const ino_t ino, const dev_t dev,
52851+ const struct acl_subject_label *subj)
52852+{
52853+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52854+ struct acl_object_label *match;
52855+
52856+ match = subj->obj_hash[index];
52857+
52858+ while (match && (match->inode != ino || match->device != dev ||
52859+ (match->mode & GR_DELETED))) {
52860+ match = match->next;
52861+ }
52862+
52863+ if (match && !(match->mode & GR_DELETED))
52864+ return match;
52865+ else
52866+ return NULL;
52867+}
52868+
52869+static struct acl_object_label *
52870+lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
52871+ const struct acl_subject_label *subj)
52872+{
52873+ unsigned int index = fhash(ino, dev, subj->obj_hash_size);
52874+ struct acl_object_label *match;
52875+
52876+ match = subj->obj_hash[index];
52877+
52878+ while (match && (match->inode != ino || match->device != dev ||
52879+ !(match->mode & GR_DELETED))) {
52880+ match = match->next;
52881+ }
52882+
52883+ if (match && (match->mode & GR_DELETED))
52884+ return match;
52885+
52886+ match = subj->obj_hash[index];
52887+
52888+ while (match && (match->inode != ino || match->device != dev ||
52889+ (match->mode & GR_DELETED))) {
52890+ match = match->next;
52891+ }
52892+
52893+ if (match && !(match->mode & GR_DELETED))
52894+ return match;
52895+ else
52896+ return NULL;
52897+}
52898+
52899+static struct name_entry *
52900+lookup_name_entry(const char *name)
52901+{
52902+ unsigned int len = strlen(name);
52903+ unsigned int key = full_name_hash(name, len);
52904+ unsigned int index = key % name_set.n_size;
52905+ struct name_entry *match;
52906+
52907+ match = name_set.n_hash[index];
52908+
52909+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
52910+ match = match->next;
52911+
52912+ return match;
52913+}
52914+
52915+static struct name_entry *
52916+lookup_name_entry_create(const char *name)
52917+{
52918+ unsigned int len = strlen(name);
52919+ unsigned int key = full_name_hash(name, len);
52920+ unsigned int index = key % name_set.n_size;
52921+ struct name_entry *match;
52922+
52923+ match = name_set.n_hash[index];
52924+
52925+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52926+ !match->deleted))
52927+ match = match->next;
52928+
52929+ if (match && match->deleted)
52930+ return match;
52931+
52932+ match = name_set.n_hash[index];
52933+
52934+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
52935+ match->deleted))
52936+ match = match->next;
52937+
52938+ if (match && !match->deleted)
52939+ return match;
52940+ else
52941+ return NULL;
52942+}
52943+
52944+static struct inodev_entry *
52945+lookup_inodev_entry(const ino_t ino, const dev_t dev)
52946+{
52947+ unsigned int index = fhash(ino, dev, inodev_set.i_size);
52948+ struct inodev_entry *match;
52949+
52950+ match = inodev_set.i_hash[index];
52951+
52952+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
52953+ match = match->next;
52954+
52955+ return match;
52956+}
52957+
52958+static void
52959+insert_inodev_entry(struct inodev_entry *entry)
52960+{
52961+ unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
52962+ inodev_set.i_size);
52963+ struct inodev_entry **curr;
52964+
52965+ entry->prev = NULL;
52966+
52967+ curr = &inodev_set.i_hash[index];
52968+ if (*curr != NULL)
52969+ (*curr)->prev = entry;
52970+
52971+ entry->next = *curr;
52972+ *curr = entry;
52973+
52974+ return;
52975+}
52976+
52977+static void
52978+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
52979+{
52980+ unsigned int index =
52981+ rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
52982+ struct acl_role_label **curr;
52983+ struct acl_role_label *tmp;
52984+
52985+ curr = &acl_role_set.r_hash[index];
52986+
52987+ /* if role was already inserted due to domains and already has
52988+ a role in the same bucket as it attached, then we need to
52989+ combine these two buckets
52990+ */
52991+ if (role->next) {
52992+ tmp = role->next;
52993+ while (tmp->next)
52994+ tmp = tmp->next;
52995+ tmp->next = *curr;
52996+ } else
52997+ role->next = *curr;
52998+ *curr = role;
52999+
53000+ return;
53001+}
53002+
53003+static void
53004+insert_acl_role_label(struct acl_role_label *role)
53005+{
53006+ int i;
53007+
53008+ if (role_list == NULL) {
53009+ role_list = role;
53010+ role->prev = NULL;
53011+ } else {
53012+ role->prev = role_list;
53013+ role_list = role;
53014+ }
53015+
53016+ /* used for hash chains */
53017+ role->next = NULL;
53018+
53019+ if (role->roletype & GR_ROLE_DOMAIN) {
53020+ for (i = 0; i < role->domain_child_num; i++)
53021+ __insert_acl_role_label(role, role->domain_children[i]);
53022+ } else
53023+ __insert_acl_role_label(role, role->uidgid);
53024+}
53025+
53026+static int
53027+insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
53028+{
53029+ struct name_entry **curr, *nentry;
53030+ struct inodev_entry *ientry;
53031+ unsigned int len = strlen(name);
53032+ unsigned int key = full_name_hash(name, len);
53033+ unsigned int index = key % name_set.n_size;
53034+
53035+ curr = &name_set.n_hash[index];
53036+
53037+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
53038+ curr = &((*curr)->next);
53039+
53040+ if (*curr != NULL)
53041+ return 1;
53042+
53043+ nentry = acl_alloc(sizeof (struct name_entry));
53044+ if (nentry == NULL)
53045+ return 0;
53046+ ientry = acl_alloc(sizeof (struct inodev_entry));
53047+ if (ientry == NULL)
53048+ return 0;
53049+ ientry->nentry = nentry;
53050+
53051+ nentry->key = key;
53052+ nentry->name = name;
53053+ nentry->inode = inode;
53054+ nentry->device = device;
53055+ nentry->len = len;
53056+ nentry->deleted = deleted;
53057+
53058+ nentry->prev = NULL;
53059+ curr = &name_set.n_hash[index];
53060+ if (*curr != NULL)
53061+ (*curr)->prev = nentry;
53062+ nentry->next = *curr;
53063+ *curr = nentry;
53064+
53065+ /* insert us into the table searchable by inode/dev */
53066+ insert_inodev_entry(ientry);
53067+
53068+ return 1;
53069+}
53070+
53071+static void
53072+insert_acl_obj_label(struct acl_object_label *obj,
53073+ struct acl_subject_label *subj)
53074+{
53075+ unsigned int index =
53076+ fhash(obj->inode, obj->device, subj->obj_hash_size);
53077+ struct acl_object_label **curr;
53078+
53079+
53080+ obj->prev = NULL;
53081+
53082+ curr = &subj->obj_hash[index];
53083+ if (*curr != NULL)
53084+ (*curr)->prev = obj;
53085+
53086+ obj->next = *curr;
53087+ *curr = obj;
53088+
53089+ return;
53090+}
53091+
53092+static void
53093+insert_acl_subj_label(struct acl_subject_label *obj,
53094+ struct acl_role_label *role)
53095+{
53096+ unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
53097+ struct acl_subject_label **curr;
53098+
53099+ obj->prev = NULL;
53100+
53101+ curr = &role->subj_hash[index];
53102+ if (*curr != NULL)
53103+ (*curr)->prev = obj;
53104+
53105+ obj->next = *curr;
53106+ *curr = obj;
53107+
53108+ return;
53109+}
53110+
53111+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
53112+
53113+static void *
53114+create_table(__u32 * len, int elementsize)
53115+{
53116+ unsigned int table_sizes[] = {
53117+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
53118+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
53119+ 4194301, 8388593, 16777213, 33554393, 67108859
53120+ };
53121+ void *newtable = NULL;
53122+ unsigned int pwr = 0;
53123+
53124+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
53125+ table_sizes[pwr] <= *len)
53126+ pwr++;
53127+
53128+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
53129+ return newtable;
53130+
53131+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
53132+ newtable =
53133+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
53134+ else
53135+ newtable = vmalloc(table_sizes[pwr] * elementsize);
53136+
53137+ *len = table_sizes[pwr];
53138+
53139+ return newtable;
53140+}
53141+
53142+static int
53143+init_variables(const struct gr_arg *arg)
53144+{
53145+ struct task_struct *reaper = &init_task;
53146+ unsigned int stacksize;
53147+
53148+ subj_map_set.s_size = arg->role_db.num_subjects;
53149+ acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
53150+ name_set.n_size = arg->role_db.num_objects;
53151+ inodev_set.i_size = arg->role_db.num_objects;
53152+
53153+ if (!subj_map_set.s_size || !acl_role_set.r_size ||
53154+ !name_set.n_size || !inodev_set.i_size)
53155+ return 1;
53156+
53157+ if (!gr_init_uidset())
53158+ return 1;
53159+
53160+ /* set up the stack that holds allocation info */
53161+
53162+ stacksize = arg->role_db.num_pointers + 5;
53163+
53164+ if (!acl_alloc_stack_init(stacksize))
53165+ return 1;
53166+
53167+ /* grab reference for the real root dentry and vfsmount */
53168+ read_lock(&reaper->fs->lock);
53169+ real_root = dget(reaper->fs->root.dentry);
53170+ real_root_mnt = mntget(reaper->fs->root.mnt);
53171+ read_unlock(&reaper->fs->lock);
53172+
53173+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53174+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
53175+#endif
53176+
53177+ fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
53178+ if (fakefs_obj_rw == NULL)
53179+ return 1;
53180+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
53181+
53182+ fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
53183+ if (fakefs_obj_rwx == NULL)
53184+ return 1;
53185+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
53186+
53187+ subj_map_set.s_hash =
53188+ (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
53189+ acl_role_set.r_hash =
53190+ (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
53191+ name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
53192+ inodev_set.i_hash =
53193+ (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
53194+
53195+ if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
53196+ !name_set.n_hash || !inodev_set.i_hash)
53197+ return 1;
53198+
53199+ memset(subj_map_set.s_hash, 0,
53200+ sizeof(struct subject_map *) * subj_map_set.s_size);
53201+ memset(acl_role_set.r_hash, 0,
53202+ sizeof (struct acl_role_label *) * acl_role_set.r_size);
53203+ memset(name_set.n_hash, 0,
53204+ sizeof (struct name_entry *) * name_set.n_size);
53205+ memset(inodev_set.i_hash, 0,
53206+ sizeof (struct inodev_entry *) * inodev_set.i_size);
53207+
53208+ return 0;
53209+}
53210+
53211+/* free information not needed after startup
53212+ currently contains user->kernel pointer mappings for subjects
53213+*/
53214+
53215+static void
53216+free_init_variables(void)
53217+{
53218+ __u32 i;
53219+
53220+ if (subj_map_set.s_hash) {
53221+ for (i = 0; i < subj_map_set.s_size; i++) {
53222+ if (subj_map_set.s_hash[i]) {
53223+ kfree(subj_map_set.s_hash[i]);
53224+ subj_map_set.s_hash[i] = NULL;
53225+ }
53226+ }
53227+
53228+ if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
53229+ PAGE_SIZE)
53230+ kfree(subj_map_set.s_hash);
53231+ else
53232+ vfree(subj_map_set.s_hash);
53233+ }
53234+
53235+ return;
53236+}
53237+
53238+static void
53239+free_variables(void)
53240+{
53241+ struct acl_subject_label *s;
53242+ struct acl_role_label *r;
53243+ struct task_struct *task, *task2;
53244+ unsigned int x;
53245+
53246+ gr_clear_learn_entries();
53247+
53248+ read_lock(&tasklist_lock);
53249+ do_each_thread(task2, task) {
53250+ task->acl_sp_role = 0;
53251+ task->acl_role_id = 0;
53252+ task->acl = NULL;
53253+ task->role = NULL;
53254+ } while_each_thread(task2, task);
53255+ read_unlock(&tasklist_lock);
53256+
53257+ /* release the reference to the real root dentry and vfsmount */
53258+ if (real_root)
53259+ dput(real_root);
53260+ real_root = NULL;
53261+ if (real_root_mnt)
53262+ mntput(real_root_mnt);
53263+ real_root_mnt = NULL;
53264+
53265+ /* free all object hash tables */
53266+
53267+ FOR_EACH_ROLE_START(r)
53268+ if (r->subj_hash == NULL)
53269+ goto next_role;
53270+ FOR_EACH_SUBJECT_START(r, s, x)
53271+ if (s->obj_hash == NULL)
53272+ break;
53273+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53274+ kfree(s->obj_hash);
53275+ else
53276+ vfree(s->obj_hash);
53277+ FOR_EACH_SUBJECT_END(s, x)
53278+ FOR_EACH_NESTED_SUBJECT_START(r, s)
53279+ if (s->obj_hash == NULL)
53280+ break;
53281+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
53282+ kfree(s->obj_hash);
53283+ else
53284+ vfree(s->obj_hash);
53285+ FOR_EACH_NESTED_SUBJECT_END(s)
53286+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
53287+ kfree(r->subj_hash);
53288+ else
53289+ vfree(r->subj_hash);
53290+ r->subj_hash = NULL;
53291+next_role:
53292+ FOR_EACH_ROLE_END(r)
53293+
53294+ acl_free_all();
53295+
53296+ if (acl_role_set.r_hash) {
53297+ if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
53298+ PAGE_SIZE)
53299+ kfree(acl_role_set.r_hash);
53300+ else
53301+ vfree(acl_role_set.r_hash);
53302+ }
53303+ if (name_set.n_hash) {
53304+ if ((name_set.n_size * sizeof (struct name_entry *)) <=
53305+ PAGE_SIZE)
53306+ kfree(name_set.n_hash);
53307+ else
53308+ vfree(name_set.n_hash);
53309+ }
53310+
53311+ if (inodev_set.i_hash) {
53312+ if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
53313+ PAGE_SIZE)
53314+ kfree(inodev_set.i_hash);
53315+ else
53316+ vfree(inodev_set.i_hash);
53317+ }
53318+
53319+ gr_free_uidset();
53320+
53321+ memset(&name_set, 0, sizeof (struct name_db));
53322+ memset(&inodev_set, 0, sizeof (struct inodev_db));
53323+ memset(&acl_role_set, 0, sizeof (struct acl_role_db));
53324+ memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
53325+
53326+ default_role = NULL;
53327+ role_list = NULL;
53328+
53329+ return;
53330+}
53331+
53332+static __u32
53333+count_user_objs(struct acl_object_label *userp)
53334+{
53335+ struct acl_object_label o_tmp;
53336+ __u32 num = 0;
53337+
53338+ while (userp) {
53339+ if (copy_from_user(&o_tmp, userp,
53340+ sizeof (struct acl_object_label)))
53341+ break;
53342+
53343+ userp = o_tmp.prev;
53344+ num++;
53345+ }
53346+
53347+ return num;
53348+}
53349+
53350+static struct acl_subject_label *
53351+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
53352+
53353+static int
53354+copy_user_glob(struct acl_object_label *obj)
53355+{
53356+ struct acl_object_label *g_tmp, **guser;
53357+ unsigned int len;
53358+ char *tmp;
53359+
53360+ if (obj->globbed == NULL)
53361+ return 0;
53362+
53363+ guser = &obj->globbed;
53364+ while (*guser) {
53365+ g_tmp = (struct acl_object_label *)
53366+ acl_alloc(sizeof (struct acl_object_label));
53367+ if (g_tmp == NULL)
53368+ return -ENOMEM;
53369+
53370+ if (copy_from_user(g_tmp, *guser,
53371+ sizeof (struct acl_object_label)))
53372+ return -EFAULT;
53373+
53374+ len = strnlen_user(g_tmp->filename, PATH_MAX);
53375+
53376+ if (!len || len >= PATH_MAX)
53377+ return -EINVAL;
53378+
53379+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53380+ return -ENOMEM;
53381+
53382+ if (copy_from_user(tmp, g_tmp->filename, len))
53383+ return -EFAULT;
53384+ tmp[len-1] = '\0';
53385+ g_tmp->filename = tmp;
53386+
53387+ *guser = g_tmp;
53388+ guser = &(g_tmp->next);
53389+ }
53390+
53391+ return 0;
53392+}
53393+
53394+static int
53395+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
53396+ struct acl_role_label *role)
53397+{
53398+ struct acl_object_label *o_tmp;
53399+ unsigned int len;
53400+ int ret;
53401+ char *tmp;
53402+
53403+ while (userp) {
53404+ if ((o_tmp = (struct acl_object_label *)
53405+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
53406+ return -ENOMEM;
53407+
53408+ if (copy_from_user(o_tmp, userp,
53409+ sizeof (struct acl_object_label)))
53410+ return -EFAULT;
53411+
53412+ userp = o_tmp->prev;
53413+
53414+ len = strnlen_user(o_tmp->filename, PATH_MAX);
53415+
53416+ if (!len || len >= PATH_MAX)
53417+ return -EINVAL;
53418+
53419+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53420+ return -ENOMEM;
53421+
53422+ if (copy_from_user(tmp, o_tmp->filename, len))
53423+ return -EFAULT;
53424+ tmp[len-1] = '\0';
53425+ o_tmp->filename = tmp;
53426+
53427+ insert_acl_obj_label(o_tmp, subj);
53428+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
53429+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
53430+ return -ENOMEM;
53431+
53432+ ret = copy_user_glob(o_tmp);
53433+ if (ret)
53434+ return ret;
53435+
53436+ if (o_tmp->nested) {
53437+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
53438+ if (IS_ERR(o_tmp->nested))
53439+ return PTR_ERR(o_tmp->nested);
53440+
53441+ /* insert into nested subject list */
53442+ o_tmp->nested->next = role->hash->first;
53443+ role->hash->first = o_tmp->nested;
53444+ }
53445+ }
53446+
53447+ return 0;
53448+}
53449+
53450+static __u32
53451+count_user_subjs(struct acl_subject_label *userp)
53452+{
53453+ struct acl_subject_label s_tmp;
53454+ __u32 num = 0;
53455+
53456+ while (userp) {
53457+ if (copy_from_user(&s_tmp, userp,
53458+ sizeof (struct acl_subject_label)))
53459+ break;
53460+
53461+ userp = s_tmp.prev;
53462+ /* do not count nested subjects against this count, since
53463+ they are not included in the hash table, but are
53464+ attached to objects. We have already counted
53465+ the subjects in userspace for the allocation
53466+ stack
53467+ */
53468+ if (!(s_tmp.mode & GR_NESTED))
53469+ num++;
53470+ }
53471+
53472+ return num;
53473+}
53474+
53475+static int
53476+copy_user_allowedips(struct acl_role_label *rolep)
53477+{
53478+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
53479+
53480+ ruserip = rolep->allowed_ips;
53481+
53482+ while (ruserip) {
53483+ rlast = rtmp;
53484+
53485+ if ((rtmp = (struct role_allowed_ip *)
53486+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
53487+ return -ENOMEM;
53488+
53489+ if (copy_from_user(rtmp, ruserip,
53490+ sizeof (struct role_allowed_ip)))
53491+ return -EFAULT;
53492+
53493+ ruserip = rtmp->prev;
53494+
53495+ if (!rlast) {
53496+ rtmp->prev = NULL;
53497+ rolep->allowed_ips = rtmp;
53498+ } else {
53499+ rlast->next = rtmp;
53500+ rtmp->prev = rlast;
53501+ }
53502+
53503+ if (!ruserip)
53504+ rtmp->next = NULL;
53505+ }
53506+
53507+ return 0;
53508+}
53509+
53510+static int
53511+copy_user_transitions(struct acl_role_label *rolep)
53512+{
53513+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
53514+
53515+ unsigned int len;
53516+ char *tmp;
53517+
53518+ rusertp = rolep->transitions;
53519+
53520+ while (rusertp) {
53521+ rlast = rtmp;
53522+
53523+ if ((rtmp = (struct role_transition *)
53524+ acl_alloc(sizeof (struct role_transition))) == NULL)
53525+ return -ENOMEM;
53526+
53527+ if (copy_from_user(rtmp, rusertp,
53528+ sizeof (struct role_transition)))
53529+ return -EFAULT;
53530+
53531+ rusertp = rtmp->prev;
53532+
53533+ len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
53534+
53535+ if (!len || len >= GR_SPROLE_LEN)
53536+ return -EINVAL;
53537+
53538+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53539+ return -ENOMEM;
53540+
53541+ if (copy_from_user(tmp, rtmp->rolename, len))
53542+ return -EFAULT;
53543+ tmp[len-1] = '\0';
53544+ rtmp->rolename = tmp;
53545+
53546+ if (!rlast) {
53547+ rtmp->prev = NULL;
53548+ rolep->transitions = rtmp;
53549+ } else {
53550+ rlast->next = rtmp;
53551+ rtmp->prev = rlast;
53552+ }
53553+
53554+ if (!rusertp)
53555+ rtmp->next = NULL;
53556+ }
53557+
53558+ return 0;
53559+}
53560+
53561+static struct acl_subject_label *
53562+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
53563+{
53564+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
53565+ unsigned int len;
53566+ char *tmp;
53567+ __u32 num_objs;
53568+ struct acl_ip_label **i_tmp, *i_utmp2;
53569+ struct gr_hash_struct ghash;
53570+ struct subject_map *subjmap;
53571+ unsigned int i_num;
53572+ int err;
53573+
53574+ s_tmp = lookup_subject_map(userp);
53575+
53576+ /* we've already copied this subject into the kernel, just return
53577+ the reference to it, and don't copy it over again
53578+ */
53579+ if (s_tmp)
53580+ return(s_tmp);
53581+
53582+ if ((s_tmp = (struct acl_subject_label *)
53583+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
53584+ return ERR_PTR(-ENOMEM);
53585+
53586+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
53587+ if (subjmap == NULL)
53588+ return ERR_PTR(-ENOMEM);
53589+
53590+ subjmap->user = userp;
53591+ subjmap->kernel = s_tmp;
53592+ insert_subj_map_entry(subjmap);
53593+
53594+ if (copy_from_user(s_tmp, userp,
53595+ sizeof (struct acl_subject_label)))
53596+ return ERR_PTR(-EFAULT);
53597+
53598+ len = strnlen_user(s_tmp->filename, PATH_MAX);
53599+
53600+ if (!len || len >= PATH_MAX)
53601+ return ERR_PTR(-EINVAL);
53602+
53603+ if ((tmp = (char *) acl_alloc(len)) == NULL)
53604+ return ERR_PTR(-ENOMEM);
53605+
53606+ if (copy_from_user(tmp, s_tmp->filename, len))
53607+ return ERR_PTR(-EFAULT);
53608+ tmp[len-1] = '\0';
53609+ s_tmp->filename = tmp;
53610+
53611+ if (!strcmp(s_tmp->filename, "/"))
53612+ role->root_label = s_tmp;
53613+
53614+ if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
53615+ return ERR_PTR(-EFAULT);
53616+
53617+ /* copy user and group transition tables */
53618+
53619+ if (s_tmp->user_trans_num) {
53620+ uid_t *uidlist;
53621+
53622+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
53623+ if (uidlist == NULL)
53624+ return ERR_PTR(-ENOMEM);
53625+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
53626+ return ERR_PTR(-EFAULT);
53627+
53628+ s_tmp->user_transitions = uidlist;
53629+ }
53630+
53631+ if (s_tmp->group_trans_num) {
53632+ gid_t *gidlist;
53633+
53634+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
53635+ if (gidlist == NULL)
53636+ return ERR_PTR(-ENOMEM);
53637+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
53638+ return ERR_PTR(-EFAULT);
53639+
53640+ s_tmp->group_transitions = gidlist;
53641+ }
53642+
53643+ /* set up object hash table */
53644+ num_objs = count_user_objs(ghash.first);
53645+
53646+ s_tmp->obj_hash_size = num_objs;
53647+ s_tmp->obj_hash =
53648+ (struct acl_object_label **)
53649+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
53650+
53651+ if (!s_tmp->obj_hash)
53652+ return ERR_PTR(-ENOMEM);
53653+
53654+ memset(s_tmp->obj_hash, 0,
53655+ s_tmp->obj_hash_size *
53656+ sizeof (struct acl_object_label *));
53657+
53658+ /* add in objects */
53659+ err = copy_user_objs(ghash.first, s_tmp, role);
53660+
53661+ if (err)
53662+ return ERR_PTR(err);
53663+
53664+ /* set pointer for parent subject */
53665+ if (s_tmp->parent_subject) {
53666+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
53667+
53668+ if (IS_ERR(s_tmp2))
53669+ return s_tmp2;
53670+
53671+ s_tmp->parent_subject = s_tmp2;
53672+ }
53673+
53674+ /* add in ip acls */
53675+
53676+ if (!s_tmp->ip_num) {
53677+ s_tmp->ips = NULL;
53678+ goto insert;
53679+ }
53680+
53681+ i_tmp =
53682+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
53683+ sizeof (struct acl_ip_label *));
53684+
53685+ if (!i_tmp)
53686+ return ERR_PTR(-ENOMEM);
53687+
53688+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
53689+ *(i_tmp + i_num) =
53690+ (struct acl_ip_label *)
53691+ acl_alloc(sizeof (struct acl_ip_label));
53692+ if (!*(i_tmp + i_num))
53693+ return ERR_PTR(-ENOMEM);
53694+
53695+ if (copy_from_user
53696+ (&i_utmp2, s_tmp->ips + i_num,
53697+ sizeof (struct acl_ip_label *)))
53698+ return ERR_PTR(-EFAULT);
53699+
53700+ if (copy_from_user
53701+ (*(i_tmp + i_num), i_utmp2,
53702+ sizeof (struct acl_ip_label)))
53703+ return ERR_PTR(-EFAULT);
53704+
53705+ if ((*(i_tmp + i_num))->iface == NULL)
53706+ continue;
53707+
53708+ len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
53709+ if (!len || len >= IFNAMSIZ)
53710+ return ERR_PTR(-EINVAL);
53711+ tmp = acl_alloc(len);
53712+ if (tmp == NULL)
53713+ return ERR_PTR(-ENOMEM);
53714+ if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
53715+ return ERR_PTR(-EFAULT);
53716+ (*(i_tmp + i_num))->iface = tmp;
53717+ }
53718+
53719+ s_tmp->ips = i_tmp;
53720+
53721+insert:
53722+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
53723+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
53724+ return ERR_PTR(-ENOMEM);
53725+
53726+ return s_tmp;
53727+}
53728+
53729+static int
53730+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
53731+{
53732+ struct acl_subject_label s_pre;
53733+ struct acl_subject_label * ret;
53734+ int err;
53735+
53736+ while (userp) {
53737+ if (copy_from_user(&s_pre, userp,
53738+ sizeof (struct acl_subject_label)))
53739+ return -EFAULT;
53740+
53741+ /* do not add nested subjects here, add
53742+ while parsing objects
53743+ */
53744+
53745+ if (s_pre.mode & GR_NESTED) {
53746+ userp = s_pre.prev;
53747+ continue;
53748+ }
53749+
53750+ ret = do_copy_user_subj(userp, role);
53751+
53752+ err = PTR_ERR(ret);
53753+ if (IS_ERR(ret))
53754+ return err;
53755+
53756+ insert_acl_subj_label(ret, role);
53757+
53758+ userp = s_pre.prev;
53759+ }
53760+
53761+ return 0;
53762+}
53763+
53764+static int
53765+copy_user_acl(struct gr_arg *arg)
53766+{
53767+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
53768+ struct sprole_pw *sptmp;
53769+ struct gr_hash_struct *ghash;
53770+ uid_t *domainlist;
53771+ unsigned int r_num;
53772+ unsigned int len;
53773+ char *tmp;
53774+ int err = 0;
53775+ __u16 i;
53776+ __u32 num_subjs;
53777+
53778+ /* we need a default and kernel role */
53779+ if (arg->role_db.num_roles < 2)
53780+ return -EINVAL;
53781+
53782+ /* copy special role authentication info from userspace */
53783+
53784+ num_sprole_pws = arg->num_sprole_pws;
53785+ acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
53786+
53787+ if (!acl_special_roles) {
53788+ err = -ENOMEM;
53789+ goto cleanup;
53790+ }
53791+
53792+ for (i = 0; i < num_sprole_pws; i++) {
53793+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
53794+ if (!sptmp) {
53795+ err = -ENOMEM;
53796+ goto cleanup;
53797+ }
53798+ if (copy_from_user(sptmp, arg->sprole_pws + i,
53799+ sizeof (struct sprole_pw))) {
53800+ err = -EFAULT;
53801+ goto cleanup;
53802+ }
53803+
53804+ len =
53805+ strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
53806+
53807+ if (!len || len >= GR_SPROLE_LEN) {
53808+ err = -EINVAL;
53809+ goto cleanup;
53810+ }
53811+
53812+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
53813+ err = -ENOMEM;
53814+ goto cleanup;
53815+ }
53816+
53817+ if (copy_from_user(tmp, sptmp->rolename, len)) {
53818+ err = -EFAULT;
53819+ goto cleanup;
53820+ }
53821+ tmp[len-1] = '\0';
53822+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
53823+ printk(KERN_ALERT "Copying special role %s\n", tmp);
53824+#endif
53825+ sptmp->rolename = tmp;
53826+ acl_special_roles[i] = sptmp;
53827+ }
53828+
53829+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
53830+
53831+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
53832+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
53833+
53834+ if (!r_tmp) {
53835+ err = -ENOMEM;
53836+ goto cleanup;
53837+ }
53838+
53839+ if (copy_from_user(&r_utmp2, r_utmp + r_num,
53840+ sizeof (struct acl_role_label *))) {
53841+ err = -EFAULT;
53842+ goto cleanup;
53843+ }
53844+
53845+ if (copy_from_user(r_tmp, r_utmp2,
53846+ sizeof (struct acl_role_label))) {
53847+ err = -EFAULT;
53848+ goto cleanup;
53849+ }
53850+
53851+ len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
53852+
53853+ if (!len || len >= PATH_MAX) {
53854+ err = -EINVAL;
53855+ goto cleanup;
53856+ }
53857+
53858+ if ((tmp = (char *) acl_alloc(len)) == NULL) {
53859+ err = -ENOMEM;
53860+ goto cleanup;
53861+ }
53862+ if (copy_from_user(tmp, r_tmp->rolename, len)) {
53863+ err = -EFAULT;
53864+ goto cleanup;
53865+ }
53866+ tmp[len-1] = '\0';
53867+ r_tmp->rolename = tmp;
53868+
53869+ if (!strcmp(r_tmp->rolename, "default")
53870+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
53871+ default_role = r_tmp;
53872+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
53873+ kernel_role = r_tmp;
53874+ }
53875+
53876+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
53877+ err = -ENOMEM;
53878+ goto cleanup;
53879+ }
53880+ if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
53881+ err = -EFAULT;
53882+ goto cleanup;
53883+ }
53884+
53885+ r_tmp->hash = ghash;
53886+
53887+ num_subjs = count_user_subjs(r_tmp->hash->first);
53888+
53889+ r_tmp->subj_hash_size = num_subjs;
53890+ r_tmp->subj_hash =
53891+ (struct acl_subject_label **)
53892+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
53893+
53894+ if (!r_tmp->subj_hash) {
53895+ err = -ENOMEM;
53896+ goto cleanup;
53897+ }
53898+
53899+ err = copy_user_allowedips(r_tmp);
53900+ if (err)
53901+ goto cleanup;
53902+
53903+ /* copy domain info */
53904+ if (r_tmp->domain_children != NULL) {
53905+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
53906+ if (domainlist == NULL) {
53907+ err = -ENOMEM;
53908+ goto cleanup;
53909+ }
53910+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
53911+ err = -EFAULT;
53912+ goto cleanup;
53913+ }
53914+ r_tmp->domain_children = domainlist;
53915+ }
53916+
53917+ err = copy_user_transitions(r_tmp);
53918+ if (err)
53919+ goto cleanup;
53920+
53921+ memset(r_tmp->subj_hash, 0,
53922+ r_tmp->subj_hash_size *
53923+ sizeof (struct acl_subject_label *));
53924+
53925+ err = copy_user_subjs(r_tmp->hash->first, r_tmp);
53926+
53927+ if (err)
53928+ goto cleanup;
53929+
53930+ /* set nested subject list to null */
53931+ r_tmp->hash->first = NULL;
53932+
53933+ insert_acl_role_label(r_tmp);
53934+ }
53935+
53936+ goto return_err;
53937+ cleanup:
53938+ free_variables();
53939+ return_err:
53940+ return err;
53941+
53942+}
53943+
53944+static int
53945+gracl_init(struct gr_arg *args)
53946+{
53947+ int error = 0;
53948+
53949+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
53950+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
53951+
53952+ if (init_variables(args)) {
53953+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
53954+ error = -ENOMEM;
53955+ free_variables();
53956+ goto out;
53957+ }
53958+
53959+ error = copy_user_acl(args);
53960+ free_init_variables();
53961+ if (error) {
53962+ free_variables();
53963+ goto out;
53964+ }
53965+
53966+ if ((error = gr_set_acls(0))) {
53967+ free_variables();
53968+ goto out;
53969+ }
53970+
53971+ pax_open_kernel();
53972+ gr_status |= GR_READY;
53973+ pax_close_kernel();
53974+
53975+ out:
53976+ return error;
53977+}
53978+
53979+/* derived from glibc fnmatch() 0: match, 1: no match*/
53980+
53981+static int
53982+glob_match(const char *p, const char *n)
53983+{
53984+ char c;
53985+
53986+ while ((c = *p++) != '\0') {
53987+ switch (c) {
53988+ case '?':
53989+ if (*n == '\0')
53990+ return 1;
53991+ else if (*n == '/')
53992+ return 1;
53993+ break;
53994+ case '\\':
53995+ if (*n != c)
53996+ return 1;
53997+ break;
53998+ case '*':
53999+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
54000+ if (*n == '/')
54001+ return 1;
54002+ else if (c == '?') {
54003+ if (*n == '\0')
54004+ return 1;
54005+ else
54006+ ++n;
54007+ }
54008+ }
54009+ if (c == '\0') {
54010+ return 0;
54011+ } else {
54012+ const char *endp;
54013+
54014+ if ((endp = strchr(n, '/')) == NULL)
54015+ endp = n + strlen(n);
54016+
54017+ if (c == '[') {
54018+ for (--p; n < endp; ++n)
54019+ if (!glob_match(p, n))
54020+ return 0;
54021+ } else if (c == '/') {
54022+ while (*n != '\0' && *n != '/')
54023+ ++n;
54024+ if (*n == '/' && !glob_match(p, n + 1))
54025+ return 0;
54026+ } else {
54027+ for (--p; n < endp; ++n)
54028+ if (*n == c && !glob_match(p, n))
54029+ return 0;
54030+ }
54031+
54032+ return 1;
54033+ }
54034+ case '[':
54035+ {
54036+ int not;
54037+ char cold;
54038+
54039+ if (*n == '\0' || *n == '/')
54040+ return 1;
54041+
54042+ not = (*p == '!' || *p == '^');
54043+ if (not)
54044+ ++p;
54045+
54046+ c = *p++;
54047+ for (;;) {
54048+ unsigned char fn = (unsigned char)*n;
54049+
54050+ if (c == '\0')
54051+ return 1;
54052+ else {
54053+ if (c == fn)
54054+ goto matched;
54055+ cold = c;
54056+ c = *p++;
54057+
54058+ if (c == '-' && *p != ']') {
54059+ unsigned char cend = *p++;
54060+
54061+ if (cend == '\0')
54062+ return 1;
54063+
54064+ if (cold <= fn && fn <= cend)
54065+ goto matched;
54066+
54067+ c = *p++;
54068+ }
54069+ }
54070+
54071+ if (c == ']')
54072+ break;
54073+ }
54074+ if (!not)
54075+ return 1;
54076+ break;
54077+ matched:
54078+ while (c != ']') {
54079+ if (c == '\0')
54080+ return 1;
54081+
54082+ c = *p++;
54083+ }
54084+ if (not)
54085+ return 1;
54086+ }
54087+ break;
54088+ default:
54089+ if (c != *n)
54090+ return 1;
54091+ }
54092+
54093+ ++n;
54094+ }
54095+
54096+ if (*n == '\0')
54097+ return 0;
54098+
54099+ if (*n == '/')
54100+ return 0;
54101+
54102+ return 1;
54103+}
54104+
54105+static struct acl_object_label *
54106+chk_glob_label(struct acl_object_label *globbed,
54107+ struct dentry *dentry, struct vfsmount *mnt, char **path)
54108+{
54109+ struct acl_object_label *tmp;
54110+
54111+ if (*path == NULL)
54112+ *path = gr_to_filename_nolock(dentry, mnt);
54113+
54114+ tmp = globbed;
54115+
54116+ while (tmp) {
54117+ if (!glob_match(tmp->filename, *path))
54118+ return tmp;
54119+ tmp = tmp->next;
54120+ }
54121+
54122+ return NULL;
54123+}
54124+
54125+static struct acl_object_label *
54126+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
54127+ const ino_t curr_ino, const dev_t curr_dev,
54128+ const struct acl_subject_label *subj, char **path, const int checkglob)
54129+{
54130+ struct acl_subject_label *tmpsubj;
54131+ struct acl_object_label *retval;
54132+ struct acl_object_label *retval2;
54133+
54134+ tmpsubj = (struct acl_subject_label *) subj;
54135+ read_lock(&gr_inode_lock);
54136+ do {
54137+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
54138+ if (retval) {
54139+ if (checkglob && retval->globbed) {
54140+ retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
54141+ (struct vfsmount *)orig_mnt, path);
54142+ if (retval2)
54143+ retval = retval2;
54144+ }
54145+ break;
54146+ }
54147+ } while ((tmpsubj = tmpsubj->parent_subject));
54148+ read_unlock(&gr_inode_lock);
54149+
54150+ return retval;
54151+}
54152+
54153+static __inline__ struct acl_object_label *
54154+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
54155+ const struct dentry *curr_dentry,
54156+ const struct acl_subject_label *subj, char **path, const int checkglob)
54157+{
54158+ int newglob = checkglob;
54159+
54160+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
54161+ as we don't want a / * rule to match instead of the / object
54162+ don't do this for create lookups that call this function though, since they're looking up
54163+ on the parent and thus need globbing checks on all paths
54164+ */
54165+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
54166+ newglob = GR_NO_GLOB;
54167+
54168+ return __full_lookup(orig_dentry, orig_mnt,
54169+ curr_dentry->d_inode->i_ino,
54170+ __get_dev(curr_dentry), subj, path, newglob);
54171+}
54172+
54173+static struct acl_object_label *
54174+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54175+ const struct acl_subject_label *subj, char *path, const int checkglob)
54176+{
54177+ struct dentry *dentry = (struct dentry *) l_dentry;
54178+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54179+ struct acl_object_label *retval;
54180+
54181+ spin_lock(&dcache_lock);
54182+ spin_lock(&vfsmount_lock);
54183+
54184+ if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
54185+#ifdef CONFIG_NET
54186+ mnt == sock_mnt ||
54187+#endif
54188+#ifdef CONFIG_HUGETLBFS
54189+ (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
54190+#endif
54191+ /* ignore Eric Biederman */
54192+ IS_PRIVATE(l_dentry->d_inode))) {
54193+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
54194+ goto out;
54195+ }
54196+
54197+ for (;;) {
54198+ if (dentry == real_root && mnt == real_root_mnt)
54199+ break;
54200+
54201+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54202+ if (mnt->mnt_parent == mnt)
54203+ break;
54204+
54205+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54206+ if (retval != NULL)
54207+ goto out;
54208+
54209+ dentry = mnt->mnt_mountpoint;
54210+ mnt = mnt->mnt_parent;
54211+ continue;
54212+ }
54213+
54214+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54215+ if (retval != NULL)
54216+ goto out;
54217+
54218+ dentry = dentry->d_parent;
54219+ }
54220+
54221+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
54222+
54223+ if (retval == NULL)
54224+ retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
54225+out:
54226+ spin_unlock(&vfsmount_lock);
54227+ spin_unlock(&dcache_lock);
54228+
54229+ BUG_ON(retval == NULL);
54230+
54231+ return retval;
54232+}
54233+
54234+static __inline__ struct acl_object_label *
54235+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54236+ const struct acl_subject_label *subj)
54237+{
54238+ char *path = NULL;
54239+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
54240+}
54241+
54242+static __inline__ struct acl_object_label *
54243+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54244+ const struct acl_subject_label *subj)
54245+{
54246+ char *path = NULL;
54247+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
54248+}
54249+
54250+static __inline__ struct acl_object_label *
54251+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54252+ const struct acl_subject_label *subj, char *path)
54253+{
54254+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
54255+}
54256+
54257+static struct acl_subject_label *
54258+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
54259+ const struct acl_role_label *role)
54260+{
54261+ struct dentry *dentry = (struct dentry *) l_dentry;
54262+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
54263+ struct acl_subject_label *retval;
54264+
54265+ spin_lock(&dcache_lock);
54266+ spin_lock(&vfsmount_lock);
54267+
54268+ for (;;) {
54269+ if (dentry == real_root && mnt == real_root_mnt)
54270+ break;
54271+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
54272+ if (mnt->mnt_parent == mnt)
54273+ break;
54274+
54275+ read_lock(&gr_inode_lock);
54276+ retval =
54277+ lookup_acl_subj_label(dentry->d_inode->i_ino,
54278+ __get_dev(dentry), role);
54279+ read_unlock(&gr_inode_lock);
54280+ if (retval != NULL)
54281+ goto out;
54282+
54283+ dentry = mnt->mnt_mountpoint;
54284+ mnt = mnt->mnt_parent;
54285+ continue;
54286+ }
54287+
54288+ read_lock(&gr_inode_lock);
54289+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54290+ __get_dev(dentry), role);
54291+ read_unlock(&gr_inode_lock);
54292+ if (retval != NULL)
54293+ goto out;
54294+
54295+ dentry = dentry->d_parent;
54296+ }
54297+
54298+ read_lock(&gr_inode_lock);
54299+ retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
54300+ __get_dev(dentry), role);
54301+ read_unlock(&gr_inode_lock);
54302+
54303+ if (unlikely(retval == NULL)) {
54304+ read_lock(&gr_inode_lock);
54305+ retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
54306+ __get_dev(real_root), role);
54307+ read_unlock(&gr_inode_lock);
54308+ }
54309+out:
54310+ spin_unlock(&vfsmount_lock);
54311+ spin_unlock(&dcache_lock);
54312+
54313+ BUG_ON(retval == NULL);
54314+
54315+ return retval;
54316+}
54317+
54318+static void
54319+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
54320+{
54321+ struct task_struct *task = current;
54322+ const struct cred *cred = current_cred();
54323+
54324+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54325+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54326+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54327+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
54328+
54329+ return;
54330+}
54331+
54332+static void
54333+gr_log_learn_sysctl(const char *path, const __u32 mode)
54334+{
54335+ struct task_struct *task = current;
54336+ const struct cred *cred = current_cred();
54337+
54338+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
54339+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54340+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54341+ 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
54342+
54343+ return;
54344+}
54345+
54346+static void
54347+gr_log_learn_id_change(const char type, const unsigned int real,
54348+ const unsigned int effective, const unsigned int fs)
54349+{
54350+ struct task_struct *task = current;
54351+ const struct cred *cred = current_cred();
54352+
54353+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
54354+ cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
54355+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
54356+ type, real, effective, fs, &task->signal->saved_ip);
54357+
54358+ return;
54359+}
54360+
54361+__u32
54362+gr_search_file(const struct dentry * dentry, const __u32 mode,
54363+ const struct vfsmount * mnt)
54364+{
54365+ __u32 retval = mode;
54366+ struct acl_subject_label *curracl;
54367+ struct acl_object_label *currobj;
54368+
54369+ if (unlikely(!(gr_status & GR_READY)))
54370+ return (mode & ~GR_AUDITS);
54371+
54372+ curracl = current->acl;
54373+
54374+ currobj = chk_obj_label(dentry, mnt, curracl);
54375+ retval = currobj->mode & mode;
54376+
54377+ /* if we're opening a specified transfer file for writing
54378+ (e.g. /dev/initctl), then transfer our role to init
54379+ */
54380+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
54381+ current->role->roletype & GR_ROLE_PERSIST)) {
54382+ struct task_struct *task = init_pid_ns.child_reaper;
54383+
54384+ if (task->role != current->role) {
54385+ task->acl_sp_role = 0;
54386+ task->acl_role_id = current->acl_role_id;
54387+ task->role = current->role;
54388+ rcu_read_lock();
54389+ read_lock(&grsec_exec_file_lock);
54390+ gr_apply_subject_to_task(task);
54391+ read_unlock(&grsec_exec_file_lock);
54392+ rcu_read_unlock();
54393+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
54394+ }
54395+ }
54396+
54397+ if (unlikely
54398+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
54399+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
54400+ __u32 new_mode = mode;
54401+
54402+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54403+
54404+ retval = new_mode;
54405+
54406+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
54407+ new_mode |= GR_INHERIT;
54408+
54409+ if (!(mode & GR_NOLEARN))
54410+ gr_log_learn(dentry, mnt, new_mode);
54411+ }
54412+
54413+ return retval;
54414+}
54415+
54416+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
54417+ const struct dentry *parent,
54418+ const struct vfsmount *mnt)
54419+{
54420+ struct name_entry *match;
54421+ struct acl_object_label *matchpo;
54422+ struct acl_subject_label *curracl;
54423+ char *path;
54424+
54425+ if (unlikely(!(gr_status & GR_READY)))
54426+ return NULL;
54427+
54428+ preempt_disable();
54429+ path = gr_to_filename_rbac(new_dentry, mnt);
54430+ match = lookup_name_entry_create(path);
54431+
54432+ curracl = current->acl;
54433+
54434+ if (match) {
54435+ read_lock(&gr_inode_lock);
54436+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
54437+ read_unlock(&gr_inode_lock);
54438+
54439+ if (matchpo) {
54440+ preempt_enable();
54441+ return matchpo;
54442+ }
54443+ }
54444+
54445+ // lookup parent
54446+
54447+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
54448+
54449+ preempt_enable();
54450+ return matchpo;
54451+}
54452+
54453+__u32
54454+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
54455+ const struct vfsmount * mnt, const __u32 mode)
54456+{
54457+ struct acl_object_label *matchpo;
54458+ __u32 retval;
54459+
54460+ if (unlikely(!(gr_status & GR_READY)))
54461+ return (mode & ~GR_AUDITS);
54462+
54463+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
54464+
54465+ retval = matchpo->mode & mode;
54466+
54467+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
54468+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
54469+ __u32 new_mode = mode;
54470+
54471+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
54472+
54473+ gr_log_learn(new_dentry, mnt, new_mode);
54474+ return new_mode;
54475+ }
54476+
54477+ return retval;
54478+}
54479+
54480+__u32
54481+gr_check_link(const struct dentry * new_dentry,
54482+ const struct dentry * parent_dentry,
54483+ const struct vfsmount * parent_mnt,
54484+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
54485+{
54486+ struct acl_object_label *obj;
54487+ __u32 oldmode, newmode;
54488+ __u32 needmode;
54489+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
54490+ GR_DELETE | GR_INHERIT;
54491+
54492+ if (unlikely(!(gr_status & GR_READY)))
54493+ return (GR_CREATE | GR_LINK);
54494+
54495+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
54496+ oldmode = obj->mode;
54497+
54498+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
54499+ newmode = obj->mode;
54500+
54501+ needmode = newmode & checkmodes;
54502+
54503+ // old name for hardlink must have at least the permissions of the new name
54504+ if ((oldmode & needmode) != needmode)
54505+ goto bad;
54506+
54507+ // if old name had restrictions/auditing, make sure the new name does as well
54508+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
54509+
54510+ // don't allow hardlinking of suid/sgid files without permission
54511+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54512+ needmode |= GR_SETID;
54513+
54514+ if ((newmode & needmode) != needmode)
54515+ goto bad;
54516+
54517+ // enforce minimum permissions
54518+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
54519+ return newmode;
54520+bad:
54521+ needmode = oldmode;
54522+ if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
54523+ needmode |= GR_SETID;
54524+
54525+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
54526+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
54527+ return (GR_CREATE | GR_LINK);
54528+ } else if (newmode & GR_SUPPRESS)
54529+ return GR_SUPPRESS;
54530+ else
54531+ return 0;
54532+}
54533+
54534+int
54535+gr_check_hidden_task(const struct task_struct *task)
54536+{
54537+ if (unlikely(!(gr_status & GR_READY)))
54538+ return 0;
54539+
54540+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
54541+ return 1;
54542+
54543+ return 0;
54544+}
54545+
54546+int
54547+gr_check_protected_task(const struct task_struct *task)
54548+{
54549+ if (unlikely(!(gr_status & GR_READY) || !task))
54550+ return 0;
54551+
54552+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54553+ task->acl != current->acl)
54554+ return 1;
54555+
54556+ return 0;
54557+}
54558+
54559+int
54560+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
54561+{
54562+ struct task_struct *p;
54563+ int ret = 0;
54564+
54565+ if (unlikely(!(gr_status & GR_READY) || !pid))
54566+ return ret;
54567+
54568+ read_lock(&tasklist_lock);
54569+ do_each_pid_task(pid, type, p) {
54570+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
54571+ p->acl != current->acl) {
54572+ ret = 1;
54573+ goto out;
54574+ }
54575+ } while_each_pid_task(pid, type, p);
54576+out:
54577+ read_unlock(&tasklist_lock);
54578+
54579+ return ret;
54580+}
54581+
54582+void
54583+gr_copy_label(struct task_struct *tsk)
54584+{
54585+ tsk->signal->used_accept = 0;
54586+ tsk->acl_sp_role = 0;
54587+ tsk->acl_role_id = current->acl_role_id;
54588+ tsk->acl = current->acl;
54589+ tsk->role = current->role;
54590+ tsk->signal->curr_ip = current->signal->curr_ip;
54591+ tsk->signal->saved_ip = current->signal->saved_ip;
54592+ if (current->exec_file)
54593+ get_file(current->exec_file);
54594+ tsk->exec_file = current->exec_file;
54595+ tsk->is_writable = current->is_writable;
54596+ if (unlikely(current->signal->used_accept)) {
54597+ current->signal->curr_ip = 0;
54598+ current->signal->saved_ip = 0;
54599+ }
54600+
54601+ return;
54602+}
54603+
54604+static void
54605+gr_set_proc_res(struct task_struct *task)
54606+{
54607+ struct acl_subject_label *proc;
54608+ unsigned short i;
54609+
54610+ proc = task->acl;
54611+
54612+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
54613+ return;
54614+
54615+ for (i = 0; i < RLIM_NLIMITS; i++) {
54616+ if (!(proc->resmask & (1 << i)))
54617+ continue;
54618+
54619+ task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
54620+ task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
54621+ }
54622+
54623+ return;
54624+}
54625+
54626+extern int __gr_process_user_ban(struct user_struct *user);
54627+
54628+int
54629+gr_check_user_change(int real, int effective, int fs)
54630+{
54631+ unsigned int i;
54632+ __u16 num;
54633+ uid_t *uidlist;
54634+ int curuid;
54635+ int realok = 0;
54636+ int effectiveok = 0;
54637+ int fsok = 0;
54638+
54639+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
54640+ struct user_struct *user;
54641+
54642+ if (real == -1)
54643+ goto skipit;
54644+
54645+ user = find_user(real);
54646+ if (user == NULL)
54647+ goto skipit;
54648+
54649+ if (__gr_process_user_ban(user)) {
54650+ /* for find_user */
54651+ free_uid(user);
54652+ return 1;
54653+ }
54654+
54655+ /* for find_user */
54656+ free_uid(user);
54657+
54658+skipit:
54659+#endif
54660+
54661+ if (unlikely(!(gr_status & GR_READY)))
54662+ return 0;
54663+
54664+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54665+ gr_log_learn_id_change('u', real, effective, fs);
54666+
54667+ num = current->acl->user_trans_num;
54668+ uidlist = current->acl->user_transitions;
54669+
54670+ if (uidlist == NULL)
54671+ return 0;
54672+
54673+ if (real == -1)
54674+ realok = 1;
54675+ if (effective == -1)
54676+ effectiveok = 1;
54677+ if (fs == -1)
54678+ fsok = 1;
54679+
54680+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
54681+ for (i = 0; i < num; i++) {
54682+ curuid = (int)uidlist[i];
54683+ if (real == curuid)
54684+ realok = 1;
54685+ if (effective == curuid)
54686+ effectiveok = 1;
54687+ if (fs == curuid)
54688+ fsok = 1;
54689+ }
54690+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
54691+ for (i = 0; i < num; i++) {
54692+ curuid = (int)uidlist[i];
54693+ if (real == curuid)
54694+ break;
54695+ if (effective == curuid)
54696+ break;
54697+ if (fs == curuid)
54698+ break;
54699+ }
54700+ /* not in deny list */
54701+ if (i == num) {
54702+ realok = 1;
54703+ effectiveok = 1;
54704+ fsok = 1;
54705+ }
54706+ }
54707+
54708+ if (realok && effectiveok && fsok)
54709+ return 0;
54710+ else {
54711+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54712+ return 1;
54713+ }
54714+}
54715+
54716+int
54717+gr_check_group_change(int real, int effective, int fs)
54718+{
54719+ unsigned int i;
54720+ __u16 num;
54721+ gid_t *gidlist;
54722+ int curgid;
54723+ int realok = 0;
54724+ int effectiveok = 0;
54725+ int fsok = 0;
54726+
54727+ if (unlikely(!(gr_status & GR_READY)))
54728+ return 0;
54729+
54730+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
54731+ gr_log_learn_id_change('g', real, effective, fs);
54732+
54733+ num = current->acl->group_trans_num;
54734+ gidlist = current->acl->group_transitions;
54735+
54736+ if (gidlist == NULL)
54737+ return 0;
54738+
54739+ if (real == -1)
54740+ realok = 1;
54741+ if (effective == -1)
54742+ effectiveok = 1;
54743+ if (fs == -1)
54744+ fsok = 1;
54745+
54746+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
54747+ for (i = 0; i < num; i++) {
54748+ curgid = (int)gidlist[i];
54749+ if (real == curgid)
54750+ realok = 1;
54751+ if (effective == curgid)
54752+ effectiveok = 1;
54753+ if (fs == curgid)
54754+ fsok = 1;
54755+ }
54756+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
54757+ for (i = 0; i < num; i++) {
54758+ curgid = (int)gidlist[i];
54759+ if (real == curgid)
54760+ break;
54761+ if (effective == curgid)
54762+ break;
54763+ if (fs == curgid)
54764+ break;
54765+ }
54766+ /* not in deny list */
54767+ if (i == num) {
54768+ realok = 1;
54769+ effectiveok = 1;
54770+ fsok = 1;
54771+ }
54772+ }
54773+
54774+ if (realok && effectiveok && fsok)
54775+ return 0;
54776+ else {
54777+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
54778+ return 1;
54779+ }
54780+}
54781+
54782+void
54783+gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
54784+{
54785+ struct acl_role_label *role = task->role;
54786+ struct acl_subject_label *subj = NULL;
54787+ struct acl_object_label *obj;
54788+ struct file *filp;
54789+
54790+ if (unlikely(!(gr_status & GR_READY)))
54791+ return;
54792+
54793+ filp = task->exec_file;
54794+
54795+ /* kernel process, we'll give them the kernel role */
54796+ if (unlikely(!filp)) {
54797+ task->role = kernel_role;
54798+ task->acl = kernel_role->root_label;
54799+ return;
54800+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
54801+ role = lookup_acl_role_label(task, uid, gid);
54802+
54803+ /* perform subject lookup in possibly new role
54804+ we can use this result below in the case where role == task->role
54805+ */
54806+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
54807+
54808+ /* if we changed uid/gid, but result in the same role
54809+ and are using inheritance, don't lose the inherited subject
54810+ if current subject is other than what normal lookup
54811+ would result in, we arrived via inheritance, don't
54812+ lose subject
54813+ */
54814+ if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
54815+ (subj == task->acl)))
54816+ task->acl = subj;
54817+
54818+ task->role = role;
54819+
54820+ task->is_writable = 0;
54821+
54822+ /* ignore additional mmap checks for processes that are writable
54823+ by the default ACL */
54824+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
54825+ if (unlikely(obj->mode & GR_WRITE))
54826+ task->is_writable = 1;
54827+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
54828+ if (unlikely(obj->mode & GR_WRITE))
54829+ task->is_writable = 1;
54830+
54831+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54832+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54833+#endif
54834+
54835+ gr_set_proc_res(task);
54836+
54837+ return;
54838+}
54839+
54840+int
54841+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
54842+ const int unsafe_share)
54843+{
54844+ struct task_struct *task = current;
54845+ struct acl_subject_label *newacl;
54846+ struct acl_object_label *obj;
54847+ __u32 retmode;
54848+
54849+ if (unlikely(!(gr_status & GR_READY)))
54850+ return 0;
54851+
54852+ newacl = chk_subj_label(dentry, mnt, task->role);
54853+
54854+ task_lock(task);
54855+ if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
54856+ !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
54857+ !(task->role->roletype & GR_ROLE_GOD) &&
54858+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
54859+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
54860+ task_unlock(task);
54861+ if (unsafe_share)
54862+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
54863+ else
54864+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
54865+ return -EACCES;
54866+ }
54867+ task_unlock(task);
54868+
54869+ obj = chk_obj_label(dentry, mnt, task->acl);
54870+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
54871+
54872+ if (!(task->acl->mode & GR_INHERITLEARN) &&
54873+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
54874+ if (obj->nested)
54875+ task->acl = obj->nested;
54876+ else
54877+ task->acl = newacl;
54878+ } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
54879+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
54880+
54881+ task->is_writable = 0;
54882+
54883+ /* ignore additional mmap checks for processes that are writable
54884+ by the default ACL */
54885+ obj = chk_obj_label(dentry, mnt, default_role->root_label);
54886+ if (unlikely(obj->mode & GR_WRITE))
54887+ task->is_writable = 1;
54888+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
54889+ if (unlikely(obj->mode & GR_WRITE))
54890+ task->is_writable = 1;
54891+
54892+ gr_set_proc_res(task);
54893+
54894+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
54895+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
54896+#endif
54897+ return 0;
54898+}
54899+
54900+/* always called with valid inodev ptr */
54901+static void
54902+do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
54903+{
54904+ struct acl_object_label *matchpo;
54905+ struct acl_subject_label *matchps;
54906+ struct acl_subject_label *subj;
54907+ struct acl_role_label *role;
54908+ unsigned int x;
54909+
54910+ FOR_EACH_ROLE_START(role)
54911+ FOR_EACH_SUBJECT_START(role, subj, x)
54912+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
54913+ matchpo->mode |= GR_DELETED;
54914+ FOR_EACH_SUBJECT_END(subj,x)
54915+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
54916+ if (subj->inode == ino && subj->device == dev)
54917+ subj->mode |= GR_DELETED;
54918+ FOR_EACH_NESTED_SUBJECT_END(subj)
54919+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
54920+ matchps->mode |= GR_DELETED;
54921+ FOR_EACH_ROLE_END(role)
54922+
54923+ inodev->nentry->deleted = 1;
54924+
54925+ return;
54926+}
54927+
54928+void
54929+gr_handle_delete(const ino_t ino, const dev_t dev)
54930+{
54931+ struct inodev_entry *inodev;
54932+
54933+ if (unlikely(!(gr_status & GR_READY)))
54934+ return;
54935+
54936+ write_lock(&gr_inode_lock);
54937+ inodev = lookup_inodev_entry(ino, dev);
54938+ if (inodev != NULL)
54939+ do_handle_delete(inodev, ino, dev);
54940+ write_unlock(&gr_inode_lock);
54941+
54942+ return;
54943+}
54944+
54945+static void
54946+update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
54947+ const ino_t newinode, const dev_t newdevice,
54948+ struct acl_subject_label *subj)
54949+{
54950+ unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
54951+ struct acl_object_label *match;
54952+
54953+ match = subj->obj_hash[index];
54954+
54955+ while (match && (match->inode != oldinode ||
54956+ match->device != olddevice ||
54957+ !(match->mode & GR_DELETED)))
54958+ match = match->next;
54959+
54960+ if (match && (match->inode == oldinode)
54961+ && (match->device == olddevice)
54962+ && (match->mode & GR_DELETED)) {
54963+ if (match->prev == NULL) {
54964+ subj->obj_hash[index] = match->next;
54965+ if (match->next != NULL)
54966+ match->next->prev = NULL;
54967+ } else {
54968+ match->prev->next = match->next;
54969+ if (match->next != NULL)
54970+ match->next->prev = match->prev;
54971+ }
54972+ match->prev = NULL;
54973+ match->next = NULL;
54974+ match->inode = newinode;
54975+ match->device = newdevice;
54976+ match->mode &= ~GR_DELETED;
54977+
54978+ insert_acl_obj_label(match, subj);
54979+ }
54980+
54981+ return;
54982+}
54983+
54984+static void
54985+update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
54986+ const ino_t newinode, const dev_t newdevice,
54987+ struct acl_role_label *role)
54988+{
54989+ unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
54990+ struct acl_subject_label *match;
54991+
54992+ match = role->subj_hash[index];
54993+
54994+ while (match && (match->inode != oldinode ||
54995+ match->device != olddevice ||
54996+ !(match->mode & GR_DELETED)))
54997+ match = match->next;
54998+
54999+ if (match && (match->inode == oldinode)
55000+ && (match->device == olddevice)
55001+ && (match->mode & GR_DELETED)) {
55002+ if (match->prev == NULL) {
55003+ role->subj_hash[index] = match->next;
55004+ if (match->next != NULL)
55005+ match->next->prev = NULL;
55006+ } else {
55007+ match->prev->next = match->next;
55008+ if (match->next != NULL)
55009+ match->next->prev = match->prev;
55010+ }
55011+ match->prev = NULL;
55012+ match->next = NULL;
55013+ match->inode = newinode;
55014+ match->device = newdevice;
55015+ match->mode &= ~GR_DELETED;
55016+
55017+ insert_acl_subj_label(match, role);
55018+ }
55019+
55020+ return;
55021+}
55022+
55023+static void
55024+update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
55025+ const ino_t newinode, const dev_t newdevice)
55026+{
55027+ unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
55028+ struct inodev_entry *match;
55029+
55030+ match = inodev_set.i_hash[index];
55031+
55032+ while (match && (match->nentry->inode != oldinode ||
55033+ match->nentry->device != olddevice || !match->nentry->deleted))
55034+ match = match->next;
55035+
55036+ if (match && (match->nentry->inode == oldinode)
55037+ && (match->nentry->device == olddevice) &&
55038+ match->nentry->deleted) {
55039+ if (match->prev == NULL) {
55040+ inodev_set.i_hash[index] = match->next;
55041+ if (match->next != NULL)
55042+ match->next->prev = NULL;
55043+ } else {
55044+ match->prev->next = match->next;
55045+ if (match->next != NULL)
55046+ match->next->prev = match->prev;
55047+ }
55048+ match->prev = NULL;
55049+ match->next = NULL;
55050+ match->nentry->inode = newinode;
55051+ match->nentry->device = newdevice;
55052+ match->nentry->deleted = 0;
55053+
55054+ insert_inodev_entry(match);
55055+ }
55056+
55057+ return;
55058+}
55059+
55060+static void
55061+__do_handle_create(const struct name_entry *matchn, ino_t inode, dev_t dev)
55062+{
55063+ struct acl_subject_label *subj;
55064+ struct acl_role_label *role;
55065+ unsigned int x;
55066+
55067+ FOR_EACH_ROLE_START(role)
55068+ update_acl_subj_label(matchn->inode, matchn->device,
55069+ inode, dev, role);
55070+
55071+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
55072+ if ((subj->inode == inode) && (subj->device == dev)) {
55073+ subj->inode = inode;
55074+ subj->device = dev;
55075+ }
55076+ FOR_EACH_NESTED_SUBJECT_END(subj)
55077+ FOR_EACH_SUBJECT_START(role, subj, x)
55078+ update_acl_obj_label(matchn->inode, matchn->device,
55079+ inode, dev, subj);
55080+ FOR_EACH_SUBJECT_END(subj,x)
55081+ FOR_EACH_ROLE_END(role)
55082+
55083+ update_inodev_entry(matchn->inode, matchn->device, inode, dev);
55084+
55085+ return;
55086+}
55087+
55088+static void
55089+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
55090+ const struct vfsmount *mnt)
55091+{
55092+ ino_t ino = dentry->d_inode->i_ino;
55093+ dev_t dev = __get_dev(dentry);
55094+
55095+ __do_handle_create(matchn, ino, dev);
55096+
55097+ return;
55098+}
55099+
55100+void
55101+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
55102+{
55103+ struct name_entry *matchn;
55104+
55105+ if (unlikely(!(gr_status & GR_READY)))
55106+ return;
55107+
55108+ preempt_disable();
55109+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
55110+
55111+ if (unlikely((unsigned long)matchn)) {
55112+ write_lock(&gr_inode_lock);
55113+ do_handle_create(matchn, dentry, mnt);
55114+ write_unlock(&gr_inode_lock);
55115+ }
55116+ preempt_enable();
55117+
55118+ return;
55119+}
55120+
55121+void
55122+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
55123+{
55124+ struct name_entry *matchn;
55125+
55126+ if (unlikely(!(gr_status & GR_READY)))
55127+ return;
55128+
55129+ preempt_disable();
55130+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
55131+
55132+ if (unlikely((unsigned long)matchn)) {
55133+ write_lock(&gr_inode_lock);
55134+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
55135+ write_unlock(&gr_inode_lock);
55136+ }
55137+ preempt_enable();
55138+
55139+ return;
55140+}
55141+
55142+void
55143+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
55144+ struct dentry *old_dentry,
55145+ struct dentry *new_dentry,
55146+ struct vfsmount *mnt, const __u8 replace)
55147+{
55148+ struct name_entry *matchn;
55149+ struct inodev_entry *inodev;
55150+ struct inode *inode = new_dentry->d_inode;
55151+ ino_t oldinode = old_dentry->d_inode->i_ino;
55152+ dev_t olddev = __get_dev(old_dentry);
55153+
55154+ /* vfs_rename swaps the name and parent link for old_dentry and
55155+ new_dentry
55156+ at this point, old_dentry has the new name, parent link, and inode
55157+ for the renamed file
55158+ if a file is being replaced by a rename, new_dentry has the inode
55159+ and name for the replaced file
55160+ */
55161+
55162+ if (unlikely(!(gr_status & GR_READY)))
55163+ return;
55164+
55165+ preempt_disable();
55166+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
55167+
55168+ /* we wouldn't have to check d_inode if it weren't for
55169+ NFS silly-renaming
55170+ */
55171+
55172+ write_lock(&gr_inode_lock);
55173+ if (unlikely(replace && inode)) {
55174+ ino_t newinode = inode->i_ino;
55175+ dev_t newdev = __get_dev(new_dentry);
55176+ inodev = lookup_inodev_entry(newinode, newdev);
55177+ if (inodev != NULL && ((inode->i_nlink <= 1) || S_ISDIR(inode->i_mode)))
55178+ do_handle_delete(inodev, newinode, newdev);
55179+ }
55180+
55181+ inodev = lookup_inodev_entry(oldinode, olddev);
55182+ if (inodev != NULL && ((old_dentry->d_inode->i_nlink <= 1) || S_ISDIR(old_dentry->d_inode->i_mode)))
55183+ do_handle_delete(inodev, oldinode, olddev);
55184+
55185+ if (unlikely((unsigned long)matchn))
55186+ do_handle_create(matchn, old_dentry, mnt);
55187+
55188+ write_unlock(&gr_inode_lock);
55189+ preempt_enable();
55190+
55191+ return;
55192+}
55193+
55194+static int
55195+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
55196+ unsigned char **sum)
55197+{
55198+ struct acl_role_label *r;
55199+ struct role_allowed_ip *ipp;
55200+ struct role_transition *trans;
55201+ unsigned int i;
55202+ int found = 0;
55203+ u32 curr_ip = current->signal->curr_ip;
55204+
55205+ current->signal->saved_ip = curr_ip;
55206+
55207+ /* check transition table */
55208+
55209+ for (trans = current->role->transitions; trans; trans = trans->next) {
55210+ if (!strcmp(rolename, trans->rolename)) {
55211+ found = 1;
55212+ break;
55213+ }
55214+ }
55215+
55216+ if (!found)
55217+ return 0;
55218+
55219+ /* handle special roles that do not require authentication
55220+ and check ip */
55221+
55222+ FOR_EACH_ROLE_START(r)
55223+ if (!strcmp(rolename, r->rolename) &&
55224+ (r->roletype & GR_ROLE_SPECIAL)) {
55225+ found = 0;
55226+ if (r->allowed_ips != NULL) {
55227+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
55228+ if ((ntohl(curr_ip) & ipp->netmask) ==
55229+ (ntohl(ipp->addr) & ipp->netmask))
55230+ found = 1;
55231+ }
55232+ } else
55233+ found = 2;
55234+ if (!found)
55235+ return 0;
55236+
55237+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
55238+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
55239+ *salt = NULL;
55240+ *sum = NULL;
55241+ return 1;
55242+ }
55243+ }
55244+ FOR_EACH_ROLE_END(r)
55245+
55246+ for (i = 0; i < num_sprole_pws; i++) {
55247+ if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
55248+ *salt = acl_special_roles[i]->salt;
55249+ *sum = acl_special_roles[i]->sum;
55250+ return 1;
55251+ }
55252+ }
55253+
55254+ return 0;
55255+}
55256+
55257+static void
55258+assign_special_role(char *rolename)
55259+{
55260+ struct acl_object_label *obj;
55261+ struct acl_role_label *r;
55262+ struct acl_role_label *assigned = NULL;
55263+ struct task_struct *tsk;
55264+ struct file *filp;
55265+
55266+ FOR_EACH_ROLE_START(r)
55267+ if (!strcmp(rolename, r->rolename) &&
55268+ (r->roletype & GR_ROLE_SPECIAL)) {
55269+ assigned = r;
55270+ break;
55271+ }
55272+ FOR_EACH_ROLE_END(r)
55273+
55274+ if (!assigned)
55275+ return;
55276+
55277+ read_lock(&tasklist_lock);
55278+ read_lock(&grsec_exec_file_lock);
55279+
55280+ tsk = current->real_parent;
55281+ if (tsk == NULL)
55282+ goto out_unlock;
55283+
55284+ filp = tsk->exec_file;
55285+ if (filp == NULL)
55286+ goto out_unlock;
55287+
55288+ tsk->is_writable = 0;
55289+
55290+ tsk->acl_sp_role = 1;
55291+ tsk->acl_role_id = ++acl_sp_role_value;
55292+ tsk->role = assigned;
55293+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
55294+
55295+ /* ignore additional mmap checks for processes that are writable
55296+ by the default ACL */
55297+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55298+ if (unlikely(obj->mode & GR_WRITE))
55299+ tsk->is_writable = 1;
55300+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
55301+ if (unlikely(obj->mode & GR_WRITE))
55302+ tsk->is_writable = 1;
55303+
55304+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55305+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
55306+#endif
55307+
55308+out_unlock:
55309+ read_unlock(&grsec_exec_file_lock);
55310+ read_unlock(&tasklist_lock);
55311+ return;
55312+}
55313+
55314+int gr_check_secure_terminal(struct task_struct *task)
55315+{
55316+ struct task_struct *p, *p2, *p3;
55317+ struct files_struct *files;
55318+ struct fdtable *fdt;
55319+ struct file *our_file = NULL, *file;
55320+ int i;
55321+
55322+ if (task->signal->tty == NULL)
55323+ return 1;
55324+
55325+ files = get_files_struct(task);
55326+ if (files != NULL) {
55327+ rcu_read_lock();
55328+ fdt = files_fdtable(files);
55329+ for (i=0; i < fdt->max_fds; i++) {
55330+ file = fcheck_files(files, i);
55331+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
55332+ get_file(file);
55333+ our_file = file;
55334+ }
55335+ }
55336+ rcu_read_unlock();
55337+ put_files_struct(files);
55338+ }
55339+
55340+ if (our_file == NULL)
55341+ return 1;
55342+
55343+ read_lock(&tasklist_lock);
55344+ do_each_thread(p2, p) {
55345+ files = get_files_struct(p);
55346+ if (files == NULL ||
55347+ (p->signal && p->signal->tty == task->signal->tty)) {
55348+ if (files != NULL)
55349+ put_files_struct(files);
55350+ continue;
55351+ }
55352+ rcu_read_lock();
55353+ fdt = files_fdtable(files);
55354+ for (i=0; i < fdt->max_fds; i++) {
55355+ file = fcheck_files(files, i);
55356+ if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
55357+ file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
55358+ p3 = task;
55359+ while (p3->pid > 0) {
55360+ if (p3 == p)
55361+ break;
55362+ p3 = p3->real_parent;
55363+ }
55364+ if (p3 == p)
55365+ break;
55366+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
55367+ gr_handle_alertkill(p);
55368+ rcu_read_unlock();
55369+ put_files_struct(files);
55370+ read_unlock(&tasklist_lock);
55371+ fput(our_file);
55372+ return 0;
55373+ }
55374+ }
55375+ rcu_read_unlock();
55376+ put_files_struct(files);
55377+ } while_each_thread(p2, p);
55378+ read_unlock(&tasklist_lock);
55379+
55380+ fput(our_file);
55381+ return 1;
55382+}
55383+
55384+ssize_t
55385+write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
55386+{
55387+ struct gr_arg_wrapper uwrap;
55388+ unsigned char *sprole_salt = NULL;
55389+ unsigned char *sprole_sum = NULL;
55390+ int error = sizeof (struct gr_arg_wrapper);
55391+ int error2 = 0;
55392+
55393+ mutex_lock(&gr_dev_mutex);
55394+
55395+ if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
55396+ error = -EPERM;
55397+ goto out;
55398+ }
55399+
55400+ if (count != sizeof (struct gr_arg_wrapper)) {
55401+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
55402+ error = -EINVAL;
55403+ goto out;
55404+ }
55405+
55406+
55407+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
55408+ gr_auth_expires = 0;
55409+ gr_auth_attempts = 0;
55410+ }
55411+
55412+ if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
55413+ error = -EFAULT;
55414+ goto out;
55415+ }
55416+
55417+ if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
55418+ error = -EINVAL;
55419+ goto out;
55420+ }
55421+
55422+ if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
55423+ error = -EFAULT;
55424+ goto out;
55425+ }
55426+
55427+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55428+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55429+ time_after(gr_auth_expires, get_seconds())) {
55430+ error = -EBUSY;
55431+ goto out;
55432+ }
55433+
55434+ /* if non-root trying to do anything other than use a special role,
55435+ do not attempt authentication, do not count towards authentication
55436+ locking
55437+ */
55438+
55439+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
55440+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
55441+ current_uid()) {
55442+ error = -EPERM;
55443+ goto out;
55444+ }
55445+
55446+ /* ensure pw and special role name are null terminated */
55447+
55448+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
55449+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
55450+
55451+ /* Okay.
55452+ * We have our enough of the argument structure..(we have yet
55453+ * to copy_from_user the tables themselves) . Copy the tables
55454+ * only if we need them, i.e. for loading operations. */
55455+
55456+ switch (gr_usermode->mode) {
55457+ case GR_STATUS:
55458+ if (gr_status & GR_READY) {
55459+ error = 1;
55460+ if (!gr_check_secure_terminal(current))
55461+ error = 3;
55462+ } else
55463+ error = 2;
55464+ goto out;
55465+ case GR_SHUTDOWN:
55466+ if ((gr_status & GR_READY)
55467+ && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55468+ pax_open_kernel();
55469+ gr_status &= ~GR_READY;
55470+ pax_close_kernel();
55471+
55472+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
55473+ free_variables();
55474+ memset(gr_usermode, 0, sizeof (struct gr_arg));
55475+ memset(gr_system_salt, 0, GR_SALT_LEN);
55476+ memset(gr_system_sum, 0, GR_SHA_LEN);
55477+ } else if (gr_status & GR_READY) {
55478+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
55479+ error = -EPERM;
55480+ } else {
55481+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
55482+ error = -EAGAIN;
55483+ }
55484+ break;
55485+ case GR_ENABLE:
55486+ if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
55487+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
55488+ else {
55489+ if (gr_status & GR_READY)
55490+ error = -EAGAIN;
55491+ else
55492+ error = error2;
55493+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
55494+ }
55495+ break;
55496+ case GR_RELOAD:
55497+ if (!(gr_status & GR_READY)) {
55498+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
55499+ error = -EAGAIN;
55500+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55501+ lock_kernel();
55502+
55503+ pax_open_kernel();
55504+ gr_status &= ~GR_READY;
55505+ pax_close_kernel();
55506+
55507+ free_variables();
55508+ if (!(error2 = gracl_init(gr_usermode))) {
55509+ unlock_kernel();
55510+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
55511+ } else {
55512+ unlock_kernel();
55513+ error = error2;
55514+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55515+ }
55516+ } else {
55517+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
55518+ error = -EPERM;
55519+ }
55520+ break;
55521+ case GR_SEGVMOD:
55522+ if (unlikely(!(gr_status & GR_READY))) {
55523+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
55524+ error = -EAGAIN;
55525+ break;
55526+ }
55527+
55528+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
55529+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
55530+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
55531+ struct acl_subject_label *segvacl;
55532+ segvacl =
55533+ lookup_acl_subj_label(gr_usermode->segv_inode,
55534+ gr_usermode->segv_device,
55535+ current->role);
55536+ if (segvacl) {
55537+ segvacl->crashes = 0;
55538+ segvacl->expires = 0;
55539+ }
55540+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
55541+ gr_remove_uid(gr_usermode->segv_uid);
55542+ }
55543+ } else {
55544+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
55545+ error = -EPERM;
55546+ }
55547+ break;
55548+ case GR_SPROLE:
55549+ case GR_SPROLEPAM:
55550+ if (unlikely(!(gr_status & GR_READY))) {
55551+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
55552+ error = -EAGAIN;
55553+ break;
55554+ }
55555+
55556+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
55557+ current->role->expires = 0;
55558+ current->role->auth_attempts = 0;
55559+ }
55560+
55561+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
55562+ time_after(current->role->expires, get_seconds())) {
55563+ error = -EBUSY;
55564+ goto out;
55565+ }
55566+
55567+ if (lookup_special_role_auth
55568+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
55569+ && ((!sprole_salt && !sprole_sum)
55570+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
55571+ char *p = "";
55572+ assign_special_role(gr_usermode->sp_role);
55573+ read_lock(&tasklist_lock);
55574+ if (current->real_parent)
55575+ p = current->real_parent->role->rolename;
55576+ read_unlock(&tasklist_lock);
55577+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
55578+ p, acl_sp_role_value);
55579+ } else {
55580+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
55581+ error = -EPERM;
55582+ if(!(current->role->auth_attempts++))
55583+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55584+
55585+ goto out;
55586+ }
55587+ break;
55588+ case GR_UNSPROLE:
55589+ if (unlikely(!(gr_status & GR_READY))) {
55590+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
55591+ error = -EAGAIN;
55592+ break;
55593+ }
55594+
55595+ if (current->role->roletype & GR_ROLE_SPECIAL) {
55596+ char *p = "";
55597+ int i = 0;
55598+
55599+ read_lock(&tasklist_lock);
55600+ if (current->real_parent) {
55601+ p = current->real_parent->role->rolename;
55602+ i = current->real_parent->acl_role_id;
55603+ }
55604+ read_unlock(&tasklist_lock);
55605+
55606+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
55607+ gr_set_acls(1);
55608+ } else {
55609+ error = -EPERM;
55610+ goto out;
55611+ }
55612+ break;
55613+ default:
55614+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
55615+ error = -EINVAL;
55616+ break;
55617+ }
55618+
55619+ if (error != -EPERM)
55620+ goto out;
55621+
55622+ if(!(gr_auth_attempts++))
55623+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
55624+
55625+ out:
55626+ mutex_unlock(&gr_dev_mutex);
55627+ return error;
55628+}
55629+
55630+/* must be called with
55631+ rcu_read_lock();
55632+ read_lock(&tasklist_lock);
55633+ read_lock(&grsec_exec_file_lock);
55634+*/
55635+int gr_apply_subject_to_task(struct task_struct *task)
55636+{
55637+ struct acl_object_label *obj;
55638+ char *tmpname;
55639+ struct acl_subject_label *tmpsubj;
55640+ struct file *filp;
55641+ struct name_entry *nmatch;
55642+
55643+ filp = task->exec_file;
55644+ if (filp == NULL)
55645+ return 0;
55646+
55647+ /* the following is to apply the correct subject
55648+ on binaries running when the RBAC system
55649+ is enabled, when the binaries have been
55650+ replaced or deleted since their execution
55651+ -----
55652+ when the RBAC system starts, the inode/dev
55653+ from exec_file will be one the RBAC system
55654+ is unaware of. It only knows the inode/dev
55655+ of the present file on disk, or the absence
55656+ of it.
55657+ */
55658+ preempt_disable();
55659+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
55660+
55661+ nmatch = lookup_name_entry(tmpname);
55662+ preempt_enable();
55663+ tmpsubj = NULL;
55664+ if (nmatch) {
55665+ if (nmatch->deleted)
55666+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
55667+ else
55668+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
55669+ if (tmpsubj != NULL)
55670+ task->acl = tmpsubj;
55671+ }
55672+ if (tmpsubj == NULL)
55673+ task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
55674+ task->role);
55675+ if (task->acl) {
55676+ task->is_writable = 0;
55677+ /* ignore additional mmap checks for processes that are writable
55678+ by the default ACL */
55679+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
55680+ if (unlikely(obj->mode & GR_WRITE))
55681+ task->is_writable = 1;
55682+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
55683+ if (unlikely(obj->mode & GR_WRITE))
55684+ task->is_writable = 1;
55685+
55686+ gr_set_proc_res(task);
55687+
55688+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
55689+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
55690+#endif
55691+ } else {
55692+ return 1;
55693+ }
55694+
55695+ return 0;
55696+}
55697+
55698+int
55699+gr_set_acls(const int type)
55700+{
55701+ struct task_struct *task, *task2;
55702+ struct acl_role_label *role = current->role;
55703+ __u16 acl_role_id = current->acl_role_id;
55704+ const struct cred *cred;
55705+ int ret;
55706+
55707+ rcu_read_lock();
55708+ read_lock(&tasklist_lock);
55709+ read_lock(&grsec_exec_file_lock);
55710+ do_each_thread(task2, task) {
55711+ /* check to see if we're called from the exit handler,
55712+ if so, only replace ACLs that have inherited the admin
55713+ ACL */
55714+
55715+ if (type && (task->role != role ||
55716+ task->acl_role_id != acl_role_id))
55717+ continue;
55718+
55719+ task->acl_role_id = 0;
55720+ task->acl_sp_role = 0;
55721+
55722+ if (task->exec_file) {
55723+ cred = __task_cred(task);
55724+ task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
55725+
55726+ ret = gr_apply_subject_to_task(task);
55727+ if (ret) {
55728+ read_unlock(&grsec_exec_file_lock);
55729+ read_unlock(&tasklist_lock);
55730+ rcu_read_unlock();
55731+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
55732+ return ret;
55733+ }
55734+ } else {
55735+ // it's a kernel process
55736+ task->role = kernel_role;
55737+ task->acl = kernel_role->root_label;
55738+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
55739+ task->acl->mode &= ~GR_PROCFIND;
55740+#endif
55741+ }
55742+ } while_each_thread(task2, task);
55743+ read_unlock(&grsec_exec_file_lock);
55744+ read_unlock(&tasklist_lock);
55745+ rcu_read_unlock();
55746+
55747+ return 0;
55748+}
55749+
55750+void
55751+gr_learn_resource(const struct task_struct *task,
55752+ const int res, const unsigned long wanted, const int gt)
55753+{
55754+ struct acl_subject_label *acl;
55755+ const struct cred *cred;
55756+
55757+ if (unlikely((gr_status & GR_READY) &&
55758+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
55759+ goto skip_reslog;
55760+
55761+#ifdef CONFIG_GRKERNSEC_RESLOG
55762+ gr_log_resource(task, res, wanted, gt);
55763+#endif
55764+ skip_reslog:
55765+
55766+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
55767+ return;
55768+
55769+ acl = task->acl;
55770+
55771+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
55772+ !(acl->resmask & (1 << (unsigned short) res))))
55773+ return;
55774+
55775+ if (wanted >= acl->res[res].rlim_cur) {
55776+ unsigned long res_add;
55777+
55778+ res_add = wanted;
55779+ switch (res) {
55780+ case RLIMIT_CPU:
55781+ res_add += GR_RLIM_CPU_BUMP;
55782+ break;
55783+ case RLIMIT_FSIZE:
55784+ res_add += GR_RLIM_FSIZE_BUMP;
55785+ break;
55786+ case RLIMIT_DATA:
55787+ res_add += GR_RLIM_DATA_BUMP;
55788+ break;
55789+ case RLIMIT_STACK:
55790+ res_add += GR_RLIM_STACK_BUMP;
55791+ break;
55792+ case RLIMIT_CORE:
55793+ res_add += GR_RLIM_CORE_BUMP;
55794+ break;
55795+ case RLIMIT_RSS:
55796+ res_add += GR_RLIM_RSS_BUMP;
55797+ break;
55798+ case RLIMIT_NPROC:
55799+ res_add += GR_RLIM_NPROC_BUMP;
55800+ break;
55801+ case RLIMIT_NOFILE:
55802+ res_add += GR_RLIM_NOFILE_BUMP;
55803+ break;
55804+ case RLIMIT_MEMLOCK:
55805+ res_add += GR_RLIM_MEMLOCK_BUMP;
55806+ break;
55807+ case RLIMIT_AS:
55808+ res_add += GR_RLIM_AS_BUMP;
55809+ break;
55810+ case RLIMIT_LOCKS:
55811+ res_add += GR_RLIM_LOCKS_BUMP;
55812+ break;
55813+ case RLIMIT_SIGPENDING:
55814+ res_add += GR_RLIM_SIGPENDING_BUMP;
55815+ break;
55816+ case RLIMIT_MSGQUEUE:
55817+ res_add += GR_RLIM_MSGQUEUE_BUMP;
55818+ break;
55819+ case RLIMIT_NICE:
55820+ res_add += GR_RLIM_NICE_BUMP;
55821+ break;
55822+ case RLIMIT_RTPRIO:
55823+ res_add += GR_RLIM_RTPRIO_BUMP;
55824+ break;
55825+ case RLIMIT_RTTIME:
55826+ res_add += GR_RLIM_RTTIME_BUMP;
55827+ break;
55828+ }
55829+
55830+ acl->res[res].rlim_cur = res_add;
55831+
55832+ if (wanted > acl->res[res].rlim_max)
55833+ acl->res[res].rlim_max = res_add;
55834+
55835+ /* only log the subject filename, since resource logging is supported for
55836+ single-subject learning only */
55837+ rcu_read_lock();
55838+ cred = __task_cred(task);
55839+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
55840+ task->role->roletype, cred->uid, cred->gid, acl->filename,
55841+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
55842+ "", (unsigned long) res, &task->signal->saved_ip);
55843+ rcu_read_unlock();
55844+ }
55845+
55846+ return;
55847+}
55848+
55849+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
55850+void
55851+pax_set_initial_flags(struct linux_binprm *bprm)
55852+{
55853+ struct task_struct *task = current;
55854+ struct acl_subject_label *proc;
55855+ unsigned long flags;
55856+
55857+ if (unlikely(!(gr_status & GR_READY)))
55858+ return;
55859+
55860+ flags = pax_get_flags(task);
55861+
55862+ proc = task->acl;
55863+
55864+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
55865+ flags &= ~MF_PAX_PAGEEXEC;
55866+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
55867+ flags &= ~MF_PAX_SEGMEXEC;
55868+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
55869+ flags &= ~MF_PAX_RANDMMAP;
55870+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
55871+ flags &= ~MF_PAX_EMUTRAMP;
55872+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
55873+ flags &= ~MF_PAX_MPROTECT;
55874+
55875+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
55876+ flags |= MF_PAX_PAGEEXEC;
55877+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
55878+ flags |= MF_PAX_SEGMEXEC;
55879+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
55880+ flags |= MF_PAX_RANDMMAP;
55881+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
55882+ flags |= MF_PAX_EMUTRAMP;
55883+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
55884+ flags |= MF_PAX_MPROTECT;
55885+
55886+ pax_set_flags(task, flags);
55887+
55888+ return;
55889+}
55890+#endif
55891+
55892+#ifdef CONFIG_SYSCTL
55893+/* Eric Biederman likes breaking userland ABI and every inode-based security
55894+ system to save 35kb of memory */
55895+
55896+/* we modify the passed in filename, but adjust it back before returning */
55897+static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
55898+{
55899+ struct name_entry *nmatch;
55900+ char *p, *lastp = NULL;
55901+ struct acl_object_label *obj = NULL, *tmp;
55902+ struct acl_subject_label *tmpsubj;
55903+ char c = '\0';
55904+
55905+ read_lock(&gr_inode_lock);
55906+
55907+ p = name + len - 1;
55908+ do {
55909+ nmatch = lookup_name_entry(name);
55910+ if (lastp != NULL)
55911+ *lastp = c;
55912+
55913+ if (nmatch == NULL)
55914+ goto next_component;
55915+ tmpsubj = current->acl;
55916+ do {
55917+ obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
55918+ if (obj != NULL) {
55919+ tmp = obj->globbed;
55920+ while (tmp) {
55921+ if (!glob_match(tmp->filename, name)) {
55922+ obj = tmp;
55923+ goto found_obj;
55924+ }
55925+ tmp = tmp->next;
55926+ }
55927+ goto found_obj;
55928+ }
55929+ } while ((tmpsubj = tmpsubj->parent_subject));
55930+next_component:
55931+ /* end case */
55932+ if (p == name)
55933+ break;
55934+
55935+ while (*p != '/')
55936+ p--;
55937+ if (p == name)
55938+ lastp = p + 1;
55939+ else {
55940+ lastp = p;
55941+ p--;
55942+ }
55943+ c = *lastp;
55944+ *lastp = '\0';
55945+ } while (1);
55946+found_obj:
55947+ read_unlock(&gr_inode_lock);
55948+ /* obj returned will always be non-null */
55949+ return obj;
55950+}
55951+
55952+/* returns 0 when allowing, non-zero on error
55953+ op of 0 is used for readdir, so we don't log the names of hidden files
55954+*/
55955+__u32
55956+gr_handle_sysctl(const struct ctl_table *table, const int op)
55957+{
55958+ ctl_table *tmp;
55959+ const char *proc_sys = "/proc/sys";
55960+ char *path;
55961+ struct acl_object_label *obj;
55962+ unsigned short len = 0, pos = 0, depth = 0, i;
55963+ __u32 err = 0;
55964+ __u32 mode = 0;
55965+
55966+ if (unlikely(!(gr_status & GR_READY)))
55967+ return 0;
55968+
55969+ /* for now, ignore operations on non-sysctl entries if it's not a
55970+ readdir*/
55971+ if (table->child != NULL && op != 0)
55972+ return 0;
55973+
55974+ mode |= GR_FIND;
55975+ /* it's only a read if it's an entry, read on dirs is for readdir */
55976+ if (op & MAY_READ)
55977+ mode |= GR_READ;
55978+ if (op & MAY_WRITE)
55979+ mode |= GR_WRITE;
55980+
55981+ preempt_disable();
55982+
55983+ path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
55984+
55985+ /* it's only a read/write if it's an actual entry, not a dir
55986+ (which are opened for readdir)
55987+ */
55988+
55989+ /* convert the requested sysctl entry into a pathname */
55990+
55991+ for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
55992+ len += strlen(tmp->procname);
55993+ len++;
55994+ depth++;
55995+ }
55996+
55997+ if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
55998+ /* deny */
55999+ goto out;
56000+ }
56001+
56002+ memset(path, 0, PAGE_SIZE);
56003+
56004+ memcpy(path, proc_sys, strlen(proc_sys));
56005+
56006+ pos += strlen(proc_sys);
56007+
56008+ for (; depth > 0; depth--) {
56009+ path[pos] = '/';
56010+ pos++;
56011+ for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
56012+ if (depth == i) {
56013+ memcpy(path + pos, tmp->procname,
56014+ strlen(tmp->procname));
56015+ pos += strlen(tmp->procname);
56016+ }
56017+ i++;
56018+ }
56019+ }
56020+
56021+ obj = gr_lookup_by_name(path, pos);
56022+ err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
56023+
56024+ if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
56025+ ((err & mode) != mode))) {
56026+ __u32 new_mode = mode;
56027+
56028+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
56029+
56030+ err = 0;
56031+ gr_log_learn_sysctl(path, new_mode);
56032+ } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
56033+ gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
56034+ err = -ENOENT;
56035+ } else if (!(err & GR_FIND)) {
56036+ err = -ENOENT;
56037+ } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
56038+ gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
56039+ path, (mode & GR_READ) ? " reading" : "",
56040+ (mode & GR_WRITE) ? " writing" : "");
56041+ err = -EACCES;
56042+ } else if ((err & mode) != mode) {
56043+ err = -EACCES;
56044+ } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
56045+ gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
56046+ path, (mode & GR_READ) ? " reading" : "",
56047+ (mode & GR_WRITE) ? " writing" : "");
56048+ err = 0;
56049+ } else
56050+ err = 0;
56051+
56052+ out:
56053+ preempt_enable();
56054+
56055+ return err;
56056+}
56057+#endif
56058+
56059+int
56060+gr_handle_proc_ptrace(struct task_struct *task)
56061+{
56062+ struct file *filp;
56063+ struct task_struct *tmp = task;
56064+ struct task_struct *curtemp = current;
56065+ __u32 retmode;
56066+
56067+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
56068+ if (unlikely(!(gr_status & GR_READY)))
56069+ return 0;
56070+#endif
56071+
56072+ read_lock(&tasklist_lock);
56073+ read_lock(&grsec_exec_file_lock);
56074+ filp = task->exec_file;
56075+
56076+ while (tmp->pid > 0) {
56077+ if (tmp == curtemp)
56078+ break;
56079+ tmp = tmp->real_parent;
56080+ }
56081+
56082+ if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
56083+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
56084+ read_unlock(&grsec_exec_file_lock);
56085+ read_unlock(&tasklist_lock);
56086+ return 1;
56087+ }
56088+
56089+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56090+ if (!(gr_status & GR_READY)) {
56091+ read_unlock(&grsec_exec_file_lock);
56092+ read_unlock(&tasklist_lock);
56093+ return 0;
56094+ }
56095+#endif
56096+
56097+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
56098+ read_unlock(&grsec_exec_file_lock);
56099+ read_unlock(&tasklist_lock);
56100+
56101+ if (retmode & GR_NOPTRACE)
56102+ return 1;
56103+
56104+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
56105+ && (current->acl != task->acl || (current->acl != current->role->root_label
56106+ && current->pid != task->pid)))
56107+ return 1;
56108+
56109+ return 0;
56110+}
56111+
56112+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
56113+{
56114+ if (unlikely(!(gr_status & GR_READY)))
56115+ return;
56116+
56117+ if (!(current->role->roletype & GR_ROLE_GOD))
56118+ return;
56119+
56120+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
56121+ p->role->rolename, gr_task_roletype_to_char(p),
56122+ p->acl->filename);
56123+}
56124+
56125+int
56126+gr_handle_ptrace(struct task_struct *task, const long request)
56127+{
56128+ struct task_struct *tmp = task;
56129+ struct task_struct *curtemp = current;
56130+ __u32 retmode;
56131+
56132+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
56133+ if (unlikely(!(gr_status & GR_READY)))
56134+ return 0;
56135+#endif
56136+
56137+ read_lock(&tasklist_lock);
56138+ while (tmp->pid > 0) {
56139+ if (tmp == curtemp)
56140+ break;
56141+ tmp = tmp->real_parent;
56142+ }
56143+
56144+ if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
56145+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
56146+ read_unlock(&tasklist_lock);
56147+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56148+ return 1;
56149+ }
56150+ read_unlock(&tasklist_lock);
56151+
56152+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
56153+ if (!(gr_status & GR_READY))
56154+ return 0;
56155+#endif
56156+
56157+ read_lock(&grsec_exec_file_lock);
56158+ if (unlikely(!task->exec_file)) {
56159+ read_unlock(&grsec_exec_file_lock);
56160+ return 0;
56161+ }
56162+
56163+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
56164+ read_unlock(&grsec_exec_file_lock);
56165+
56166+ if (retmode & GR_NOPTRACE) {
56167+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56168+ return 1;
56169+ }
56170+
56171+ if (retmode & GR_PTRACERD) {
56172+ switch (request) {
56173+ case PTRACE_POKETEXT:
56174+ case PTRACE_POKEDATA:
56175+ case PTRACE_POKEUSR:
56176+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
56177+ case PTRACE_SETREGS:
56178+ case PTRACE_SETFPREGS:
56179+#endif
56180+#ifdef CONFIG_X86
56181+ case PTRACE_SETFPXREGS:
56182+#endif
56183+#ifdef CONFIG_ALTIVEC
56184+ case PTRACE_SETVRREGS:
56185+#endif
56186+ return 1;
56187+ default:
56188+ return 0;
56189+ }
56190+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
56191+ !(current->role->roletype & GR_ROLE_GOD) &&
56192+ (current->acl != task->acl)) {
56193+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
56194+ return 1;
56195+ }
56196+
56197+ return 0;
56198+}
56199+
56200+static int is_writable_mmap(const struct file *filp)
56201+{
56202+ struct task_struct *task = current;
56203+ struct acl_object_label *obj, *obj2;
56204+
56205+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
56206+ !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
56207+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
56208+ obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
56209+ task->role->root_label);
56210+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
56211+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
56212+ return 1;
56213+ }
56214+ }
56215+ return 0;
56216+}
56217+
56218+int
56219+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
56220+{
56221+ __u32 mode;
56222+
56223+ if (unlikely(!file || !(prot & PROT_EXEC)))
56224+ return 1;
56225+
56226+ if (is_writable_mmap(file))
56227+ return 0;
56228+
56229+ mode =
56230+ gr_search_file(file->f_path.dentry,
56231+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56232+ file->f_path.mnt);
56233+
56234+ if (!gr_tpe_allow(file))
56235+ return 0;
56236+
56237+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56238+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56239+ return 0;
56240+ } else if (unlikely(!(mode & GR_EXEC))) {
56241+ return 0;
56242+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56243+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56244+ return 1;
56245+ }
56246+
56247+ return 1;
56248+}
56249+
56250+int
56251+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
56252+{
56253+ __u32 mode;
56254+
56255+ if (unlikely(!file || !(prot & PROT_EXEC)))
56256+ return 1;
56257+
56258+ if (is_writable_mmap(file))
56259+ return 0;
56260+
56261+ mode =
56262+ gr_search_file(file->f_path.dentry,
56263+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
56264+ file->f_path.mnt);
56265+
56266+ if (!gr_tpe_allow(file))
56267+ return 0;
56268+
56269+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
56270+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56271+ return 0;
56272+ } else if (unlikely(!(mode & GR_EXEC))) {
56273+ return 0;
56274+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
56275+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
56276+ return 1;
56277+ }
56278+
56279+ return 1;
56280+}
56281+
56282+void
56283+gr_acl_handle_psacct(struct task_struct *task, const long code)
56284+{
56285+ unsigned long runtime;
56286+ unsigned long cputime;
56287+ unsigned int wday, cday;
56288+ __u8 whr, chr;
56289+ __u8 wmin, cmin;
56290+ __u8 wsec, csec;
56291+ struct timespec timeval;
56292+
56293+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
56294+ !(task->acl->mode & GR_PROCACCT)))
56295+ return;
56296+
56297+ do_posix_clock_monotonic_gettime(&timeval);
56298+ runtime = timeval.tv_sec - task->start_time.tv_sec;
56299+ wday = runtime / (3600 * 24);
56300+ runtime -= wday * (3600 * 24);
56301+ whr = runtime / 3600;
56302+ runtime -= whr * 3600;
56303+ wmin = runtime / 60;
56304+ runtime -= wmin * 60;
56305+ wsec = runtime;
56306+
56307+ cputime = (task->utime + task->stime) / HZ;
56308+ cday = cputime / (3600 * 24);
56309+ cputime -= cday * (3600 * 24);
56310+ chr = cputime / 3600;
56311+ cputime -= chr * 3600;
56312+ cmin = cputime / 60;
56313+ cputime -= cmin * 60;
56314+ csec = cputime;
56315+
56316+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
56317+
56318+ return;
56319+}
56320+
56321+void gr_set_kernel_label(struct task_struct *task)
56322+{
56323+ if (gr_status & GR_READY) {
56324+ task->role = kernel_role;
56325+ task->acl = kernel_role->root_label;
56326+ }
56327+ return;
56328+}
56329+
56330+#ifdef CONFIG_TASKSTATS
56331+int gr_is_taskstats_denied(int pid)
56332+{
56333+ struct task_struct *task;
56334+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56335+ const struct cred *cred;
56336+#endif
56337+ int ret = 0;
56338+
56339+ /* restrict taskstats viewing to un-chrooted root users
56340+ who have the 'view' subject flag if the RBAC system is enabled
56341+ */
56342+
56343+ rcu_read_lock();
56344+ read_lock(&tasklist_lock);
56345+ task = find_task_by_vpid(pid);
56346+ if (task) {
56347+#ifdef CONFIG_GRKERNSEC_CHROOT
56348+ if (proc_is_chrooted(task))
56349+ ret = -EACCES;
56350+#endif
56351+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56352+ cred = __task_cred(task);
56353+#ifdef CONFIG_GRKERNSEC_PROC_USER
56354+ if (cred->uid != 0)
56355+ ret = -EACCES;
56356+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56357+ if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
56358+ ret = -EACCES;
56359+#endif
56360+#endif
56361+ if (gr_status & GR_READY) {
56362+ if (!(task->acl->mode & GR_VIEW))
56363+ ret = -EACCES;
56364+ }
56365+ } else
56366+ ret = -ENOENT;
56367+
56368+ read_unlock(&tasklist_lock);
56369+ rcu_read_unlock();
56370+
56371+ return ret;
56372+}
56373+#endif
56374+
56375+/* AUXV entries are filled via a descendant of search_binary_handler
56376+ after we've already applied the subject for the target
56377+*/
56378+int gr_acl_enable_at_secure(void)
56379+{
56380+ if (unlikely(!(gr_status & GR_READY)))
56381+ return 0;
56382+
56383+ if (current->acl->mode & GR_ATSECURE)
56384+ return 1;
56385+
56386+ return 0;
56387+}
56388+
56389+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
56390+{
56391+ struct task_struct *task = current;
56392+ struct dentry *dentry = file->f_path.dentry;
56393+ struct vfsmount *mnt = file->f_path.mnt;
56394+ struct acl_object_label *obj, *tmp;
56395+ struct acl_subject_label *subj;
56396+ unsigned int bufsize;
56397+ int is_not_root;
56398+ char *path;
56399+ dev_t dev = __get_dev(dentry);
56400+
56401+ if (unlikely(!(gr_status & GR_READY)))
56402+ return 1;
56403+
56404+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
56405+ return 1;
56406+
56407+ /* ignore Eric Biederman */
56408+ if (IS_PRIVATE(dentry->d_inode))
56409+ return 1;
56410+
56411+ subj = task->acl;
56412+ do {
56413+ obj = lookup_acl_obj_label(ino, dev, subj);
56414+ if (obj != NULL)
56415+ return (obj->mode & GR_FIND) ? 1 : 0;
56416+ } while ((subj = subj->parent_subject));
56417+
56418+ /* this is purely an optimization since we're looking for an object
56419+ for the directory we're doing a readdir on
56420+ if it's possible for any globbed object to match the entry we're
56421+ filling into the directory, then the object we find here will be
56422+ an anchor point with attached globbed objects
56423+ */
56424+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
56425+ if (obj->globbed == NULL)
56426+ return (obj->mode & GR_FIND) ? 1 : 0;
56427+
56428+ is_not_root = ((obj->filename[0] == '/') &&
56429+ (obj->filename[1] == '\0')) ? 0 : 1;
56430+ bufsize = PAGE_SIZE - namelen - is_not_root;
56431+
56432+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
56433+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
56434+ return 1;
56435+
56436+ preempt_disable();
56437+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
56438+ bufsize);
56439+
56440+ bufsize = strlen(path);
56441+
56442+ /* if base is "/", don't append an additional slash */
56443+ if (is_not_root)
56444+ *(path + bufsize) = '/';
56445+ memcpy(path + bufsize + is_not_root, name, namelen);
56446+ *(path + bufsize + namelen + is_not_root) = '\0';
56447+
56448+ tmp = obj->globbed;
56449+ while (tmp) {
56450+ if (!glob_match(tmp->filename, path)) {
56451+ preempt_enable();
56452+ return (tmp->mode & GR_FIND) ? 1 : 0;
56453+ }
56454+ tmp = tmp->next;
56455+ }
56456+ preempt_enable();
56457+ return (obj->mode & GR_FIND) ? 1 : 0;
56458+}
56459+
56460+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
56461+EXPORT_SYMBOL(gr_acl_is_enabled);
56462+#endif
56463+EXPORT_SYMBOL(gr_learn_resource);
56464+EXPORT_SYMBOL(gr_set_kernel_label);
56465+#ifdef CONFIG_SECURITY
56466+EXPORT_SYMBOL(gr_check_user_change);
56467+EXPORT_SYMBOL(gr_check_group_change);
56468+#endif
56469+
56470diff -urNp linux-2.6.32.48/grsecurity/gracl_cap.c linux-2.6.32.48/grsecurity/gracl_cap.c
56471--- linux-2.6.32.48/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
56472+++ linux-2.6.32.48/grsecurity/gracl_cap.c 2011-11-15 19:59:43.000000000 -0500
56473@@ -0,0 +1,101 @@
56474+#include <linux/kernel.h>
56475+#include <linux/module.h>
56476+#include <linux/sched.h>
56477+#include <linux/gracl.h>
56478+#include <linux/grsecurity.h>
56479+#include <linux/grinternal.h>
56480+
56481+extern const char *captab_log[];
56482+extern int captab_log_entries;
56483+
56484+int
56485+gr_acl_is_capable(const int cap)
56486+{
56487+ struct task_struct *task = current;
56488+ const struct cred *cred = current_cred();
56489+ struct acl_subject_label *curracl;
56490+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56491+ kernel_cap_t cap_audit = __cap_empty_set;
56492+
56493+ if (!gr_acl_is_enabled())
56494+ return 1;
56495+
56496+ curracl = task->acl;
56497+
56498+ cap_drop = curracl->cap_lower;
56499+ cap_mask = curracl->cap_mask;
56500+ cap_audit = curracl->cap_invert_audit;
56501+
56502+ while ((curracl = curracl->parent_subject)) {
56503+ /* if the cap isn't specified in the current computed mask but is specified in the
56504+ current level subject, and is lowered in the current level subject, then add
56505+ it to the set of dropped capabilities
56506+ otherwise, add the current level subject's mask to the current computed mask
56507+ */
56508+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56509+ cap_raise(cap_mask, cap);
56510+ if (cap_raised(curracl->cap_lower, cap))
56511+ cap_raise(cap_drop, cap);
56512+ if (cap_raised(curracl->cap_invert_audit, cap))
56513+ cap_raise(cap_audit, cap);
56514+ }
56515+ }
56516+
56517+ if (!cap_raised(cap_drop, cap)) {
56518+ if (cap_raised(cap_audit, cap))
56519+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
56520+ return 1;
56521+ }
56522+
56523+ curracl = task->acl;
56524+
56525+ if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
56526+ && cap_raised(cred->cap_effective, cap)) {
56527+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
56528+ task->role->roletype, cred->uid,
56529+ cred->gid, task->exec_file ?
56530+ gr_to_filename(task->exec_file->f_path.dentry,
56531+ task->exec_file->f_path.mnt) : curracl->filename,
56532+ curracl->filename, 0UL,
56533+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
56534+ return 1;
56535+ }
56536+
56537+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
56538+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
56539+ return 0;
56540+}
56541+
56542+int
56543+gr_acl_is_capable_nolog(const int cap)
56544+{
56545+ struct acl_subject_label *curracl;
56546+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
56547+
56548+ if (!gr_acl_is_enabled())
56549+ return 1;
56550+
56551+ curracl = current->acl;
56552+
56553+ cap_drop = curracl->cap_lower;
56554+ cap_mask = curracl->cap_mask;
56555+
56556+ while ((curracl = curracl->parent_subject)) {
56557+ /* if the cap isn't specified in the current computed mask but is specified in the
56558+ current level subject, and is lowered in the current level subject, then add
56559+ it to the set of dropped capabilities
56560+ otherwise, add the current level subject's mask to the current computed mask
56561+ */
56562+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
56563+ cap_raise(cap_mask, cap);
56564+ if (cap_raised(curracl->cap_lower, cap))
56565+ cap_raise(cap_drop, cap);
56566+ }
56567+ }
56568+
56569+ if (!cap_raised(cap_drop, cap))
56570+ return 1;
56571+
56572+ return 0;
56573+}
56574+
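Review bot: In gr_acl_is_capable, the audited-allow branch calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` without the range check that the denial log at the end of the same function applies (`(cap >= 0) && (cap < captab_log_entries)`), so the two log sites disagree about whether `cap` can fall outside the table. If a capability number at or beyond captab_log_entries can reach this function, the first site reads past the end of captab_log; the table and the callers are not in this hunk, so that is unconfirmed. I would guard it the same way: `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. The learn-mode branch does not index the table and needs no change, and both functions are complete within this hunk.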
56575diff -urNp linux-2.6.32.48/grsecurity/gracl_fs.c linux-2.6.32.48/grsecurity/gracl_fs.c
56576--- linux-2.6.32.48/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
56577+++ linux-2.6.32.48/grsecurity/gracl_fs.c 2011-11-15 19:59:43.000000000 -0500
56578@@ -0,0 +1,431 @@
56579+#include <linux/kernel.h>
56580+#include <linux/sched.h>
56581+#include <linux/types.h>
56582+#include <linux/fs.h>
56583+#include <linux/file.h>
56584+#include <linux/stat.h>
56585+#include <linux/grsecurity.h>
56586+#include <linux/grinternal.h>
56587+#include <linux/gracl.h>
56588+
56589+__u32
56590+gr_acl_handle_hidden_file(const struct dentry * dentry,
56591+ const struct vfsmount * mnt)
56592+{
56593+ __u32 mode;
56594+
56595+ if (unlikely(!dentry->d_inode))
56596+ return GR_FIND;
56597+
56598+ mode =
56599+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
56600+
56601+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
56602+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56603+ return mode;
56604+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
56605+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
56606+ return 0;
56607+ } else if (unlikely(!(mode & GR_FIND)))
56608+ return 0;
56609+
56610+ return GR_FIND;
56611+}
56612+
56613+__u32
56614+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
56615+ const int fmode)
56616+{
56617+ __u32 reqmode = GR_FIND;
56618+ __u32 mode;
56619+
56620+ if (unlikely(!dentry->d_inode))
56621+ return reqmode;
56622+
56623+ if (unlikely(fmode & O_APPEND))
56624+ reqmode |= GR_APPEND;
56625+ else if (unlikely(fmode & FMODE_WRITE))
56626+ reqmode |= GR_WRITE;
56627+ if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56628+ reqmode |= GR_READ;
56629+ if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
56630+ reqmode &= ~GR_READ;
56631+ mode =
56632+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56633+ mnt);
56634+
56635+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56636+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56637+ reqmode & GR_READ ? " reading" : "",
56638+ reqmode & GR_WRITE ? " writing" : reqmode &
56639+ GR_APPEND ? " appending" : "");
56640+ return reqmode;
56641+ } else
56642+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56643+ {
56644+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
56645+ reqmode & GR_READ ? " reading" : "",
56646+ reqmode & GR_WRITE ? " writing" : reqmode &
56647+ GR_APPEND ? " appending" : "");
56648+ return 0;
56649+ } else if (unlikely((mode & reqmode) != reqmode))
56650+ return 0;
56651+
56652+ return reqmode;
56653+}
56654+
56655+__u32
56656+gr_acl_handle_creat(const struct dentry * dentry,
56657+ const struct dentry * p_dentry,
56658+ const struct vfsmount * p_mnt, const int fmode,
56659+ const int imode)
56660+{
56661+ __u32 reqmode = GR_WRITE | GR_CREATE;
56662+ __u32 mode;
56663+
56664+ if (unlikely(fmode & O_APPEND))
56665+ reqmode |= GR_APPEND;
56666+ if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
56667+ reqmode |= GR_READ;
56668+ if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
56669+ reqmode |= GR_SETID;
56670+
56671+ mode =
56672+ gr_check_create(dentry, p_dentry, p_mnt,
56673+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56674+
56675+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56676+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56677+ reqmode & GR_READ ? " reading" : "",
56678+ reqmode & GR_WRITE ? " writing" : reqmode &
56679+ GR_APPEND ? " appending" : "");
56680+ return reqmode;
56681+ } else
56682+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56683+ {
56684+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
56685+ reqmode & GR_READ ? " reading" : "",
56686+ reqmode & GR_WRITE ? " writing" : reqmode &
56687+ GR_APPEND ? " appending" : "");
56688+ return 0;
56689+ } else if (unlikely((mode & reqmode) != reqmode))
56690+ return 0;
56691+
56692+ return reqmode;
56693+}
56694+
56695+__u32
56696+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
56697+ const int fmode)
56698+{
56699+ __u32 mode, reqmode = GR_FIND;
56700+
56701+ if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
56702+ reqmode |= GR_EXEC;
56703+ if (fmode & S_IWOTH)
56704+ reqmode |= GR_WRITE;
56705+ if (fmode & S_IROTH)
56706+ reqmode |= GR_READ;
56707+
56708+ mode =
56709+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
56710+ mnt);
56711+
56712+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
56713+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56714+ reqmode & GR_READ ? " reading" : "",
56715+ reqmode & GR_WRITE ? " writing" : "",
56716+ reqmode & GR_EXEC ? " executing" : "");
56717+ return reqmode;
56718+ } else
56719+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
56720+ {
56721+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
56722+ reqmode & GR_READ ? " reading" : "",
56723+ reqmode & GR_WRITE ? " writing" : "",
56724+ reqmode & GR_EXEC ? " executing" : "");
56725+ return 0;
56726+ } else if (unlikely((mode & reqmode) != reqmode))
56727+ return 0;
56728+
56729+ return reqmode;
56730+}
56731+
56732+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
56733+{
56734+ __u32 mode;
56735+
56736+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
56737+
56738+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56739+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
56740+ return mode;
56741+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56742+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
56743+ return 0;
56744+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
56745+ return 0;
56746+
56747+ return (reqmode);
56748+}
56749+
56750+__u32
56751+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
56752+{
56753+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
56754+}
56755+
56756+__u32
56757+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
56758+{
56759+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
56760+}
56761+
56762+__u32
56763+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
56764+{
56765+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
56766+}
56767+
56768+__u32
56769+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
56770+{
56771+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
56772+}
56773+
56774+__u32
56775+gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
56776+ mode_t mode)
56777+{
56778+ if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
56779+ return 1;
56780+
56781+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56782+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56783+ GR_FCHMOD_ACL_MSG);
56784+ } else {
56785+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
56786+ }
56787+}
56788+
56789+__u32
56790+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
56791+ mode_t mode)
56792+{
56793+ if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
56794+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
56795+ GR_CHMOD_ACL_MSG);
56796+ } else {
56797+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
56798+ }
56799+}
56800+
56801+__u32
56802+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
56803+{
56804+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
56805+}
56806+
56807+__u32
56808+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
56809+{
56810+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
56811+}
56812+
56813+__u32
56814+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
56815+{
56816+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
56817+}
56818+
56819+__u32
56820+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
56821+{
56822+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
56823+ GR_UNIXCONNECT_ACL_MSG);
56824+}
56825+
56826+/* hardlinks require at minimum create and link permission,
56827+ any additional privilege required is based on the
56828+ privilege of the file being linked to
56829+*/
56830+__u32
56831+gr_acl_handle_link(const struct dentry * new_dentry,
56832+ const struct dentry * parent_dentry,
56833+ const struct vfsmount * parent_mnt,
56834+ const struct dentry * old_dentry,
56835+ const struct vfsmount * old_mnt, const char *to)
56836+{
56837+ __u32 mode;
56838+ __u32 needmode = GR_CREATE | GR_LINK;
56839+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
56840+
56841+ mode =
56842+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
56843+ old_mnt);
56844+
56845+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
56846+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56847+ return mode;
56848+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56849+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
56850+ return 0;
56851+ } else if (unlikely((mode & needmode) != needmode))
56852+ return 0;
56853+
56854+ return 1;
56855+}
56856+
56857+__u32
56858+gr_acl_handle_symlink(const struct dentry * new_dentry,
56859+ const struct dentry * parent_dentry,
56860+ const struct vfsmount * parent_mnt, const char *from)
56861+{
56862+ __u32 needmode = GR_WRITE | GR_CREATE;
56863+ __u32 mode;
56864+
56865+ mode =
56866+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
56867+ GR_CREATE | GR_AUDIT_CREATE |
56868+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
56869+
56870+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
56871+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56872+ return mode;
56873+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
56874+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
56875+ return 0;
56876+ } else if (unlikely((mode & needmode) != needmode))
56877+ return 0;
56878+
56879+ return (GR_WRITE | GR_CREATE);
56880+}
56881+
56882+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
56883+{
56884+ __u32 mode;
56885+
56886+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
56887+
56888+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
56889+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
56890+ return mode;
56891+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
56892+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
56893+ return 0;
56894+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
56895+ return 0;
56896+
56897+ return (reqmode);
56898+}
56899+
56900+__u32
56901+gr_acl_handle_mknod(const struct dentry * new_dentry,
56902+ const struct dentry * parent_dentry,
56903+ const struct vfsmount * parent_mnt,
56904+ const int mode)
56905+{
56906+ __u32 reqmode = GR_WRITE | GR_CREATE;
56907+ if (unlikely(mode & (S_ISUID | S_ISGID)))
56908+ reqmode |= GR_SETID;
56909+
56910+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56911+ reqmode, GR_MKNOD_ACL_MSG);
56912+}
56913+
56914+__u32
56915+gr_acl_handle_mkdir(const struct dentry *new_dentry,
56916+ const struct dentry *parent_dentry,
56917+ const struct vfsmount *parent_mnt)
56918+{
56919+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
56920+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
56921+}
56922+
56923+#define RENAME_CHECK_SUCCESS(old, new) \
56924+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
56925+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
56926+
56927+int
56928+gr_acl_handle_rename(struct dentry *new_dentry,
56929+ struct dentry *parent_dentry,
56930+ const struct vfsmount *parent_mnt,
56931+ struct dentry *old_dentry,
56932+ struct inode *old_parent_inode,
56933+ struct vfsmount *old_mnt, const char *newname)
56934+{
56935+ __u32 comp1, comp2;
56936+ int error = 0;
56937+
56938+ if (unlikely(!gr_acl_is_enabled()))
56939+ return 0;
56940+
56941+ if (!new_dentry->d_inode) {
56942+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
56943+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
56944+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
56945+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
56946+ GR_DELETE | GR_AUDIT_DELETE |
56947+ GR_AUDIT_READ | GR_AUDIT_WRITE |
56948+ GR_SUPPRESS, old_mnt);
56949+ } else {
56950+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
56951+ GR_CREATE | GR_DELETE |
56952+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
56953+ GR_AUDIT_READ | GR_AUDIT_WRITE |
56954+ GR_SUPPRESS, parent_mnt);
56955+ comp2 =
56956+ gr_search_file(old_dentry,
56957+ GR_READ | GR_WRITE | GR_AUDIT_READ |
56958+ GR_DELETE | GR_AUDIT_DELETE |
56959+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
56960+ }
56961+
56962+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
56963+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
56964+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56965+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
56966+ && !(comp2 & GR_SUPPRESS)) {
56967+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
56968+ error = -EACCES;
56969+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
56970+ error = -EACCES;
56971+
56972+ return error;
56973+}
56974+
56975+void
56976+gr_acl_handle_exit(void)
56977+{
56978+ u16 id;
56979+ char *rolename;
56980+ struct file *exec_file;
56981+
56982+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
56983+ !(current->role->roletype & GR_ROLE_PERSIST))) {
56984+ id = current->acl_role_id;
56985+ rolename = current->role->rolename;
56986+ gr_set_acls(1);
56987+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
56988+ }
56989+
56990+ write_lock(&grsec_exec_file_lock);
56991+ exec_file = current->exec_file;
56992+ current->exec_file = NULL;
56993+ write_unlock(&grsec_exec_file_lock);
56994+
56995+ if (exec_file)
56996+ fput(exec_file);
56997+}
56998+
56999+int
57000+gr_acl_handle_procpidmem(const struct task_struct *task)
57001+{
57002+ if (unlikely(!gr_acl_is_enabled()))
57003+ return 0;
57004+
57005+ if (task != current && task->acl->mode & GR_PROTPROCFD)
57006+ return -EACCES;
57007+
57008+ return 0;
57009+}
57010diff -urNp linux-2.6.32.48/grsecurity/gracl_ip.c linux-2.6.32.48/grsecurity/gracl_ip.c
57011--- linux-2.6.32.48/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
57012+++ linux-2.6.32.48/grsecurity/gracl_ip.c 2011-11-15 19:59:43.000000000 -0500
57013@@ -0,0 +1,382 @@
57014+#include <linux/kernel.h>
57015+#include <asm/uaccess.h>
57016+#include <asm/errno.h>
57017+#include <net/sock.h>
57018+#include <linux/file.h>
57019+#include <linux/fs.h>
57020+#include <linux/net.h>
57021+#include <linux/in.h>
57022+#include <linux/skbuff.h>
57023+#include <linux/ip.h>
57024+#include <linux/udp.h>
57025+#include <linux/smp_lock.h>
57026+#include <linux/types.h>
57027+#include <linux/sched.h>
57028+#include <linux/netdevice.h>
57029+#include <linux/inetdevice.h>
57030+#include <linux/gracl.h>
57031+#include <linux/grsecurity.h>
57032+#include <linux/grinternal.h>
57033+
57034+#define GR_BIND 0x01
57035+#define GR_CONNECT 0x02
57036+#define GR_INVERT 0x04
57037+#define GR_BINDOVERRIDE 0x08
57038+#define GR_CONNECTOVERRIDE 0x10
57039+#define GR_SOCK_FAMILY 0x20
57040+
57041+static const char * gr_protocols[IPPROTO_MAX] = {
57042+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
57043+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
57044+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
57045+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
57046+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
57047+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
57048+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
57049+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
57050+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
57051+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
57052+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
57053+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
57054+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
57055+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
57056+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
57057+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
57058+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
57059+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
57060+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
57061+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
57062+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
57063+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
57064+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
57065+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
57066+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
57067+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
57068+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
57069+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
57070+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
57071+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
57072+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
57073+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
57074+ };
57075+
57076+static const char * gr_socktypes[SOCK_MAX] = {
57077+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
57078+ "unknown:7", "unknown:8", "unknown:9", "packet"
57079+ };
57080+
57081+static const char * gr_sockfamilies[AF_MAX+1] = {
57082+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
57083+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
57084+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
57085+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
57086+ };
57087+
57088+const char *
57089+gr_proto_to_name(unsigned char proto)
57090+{
57091+ return gr_protocols[proto];
57092+}
57093+
57094+const char *
57095+gr_socktype_to_name(unsigned char type)
57096+{
57097+ return gr_socktypes[type];
57098+}
57099+
57100+const char *
57101+gr_sockfamily_to_name(unsigned char family)
57102+{
57103+ return gr_sockfamilies[family];
57104+}
57105+
57106+int
57107+gr_search_socket(const int domain, const int type, const int protocol)
57108+{
57109+ struct acl_subject_label *curr;
57110+ const struct cred *cred = current_cred();
57111+
57112+ if (unlikely(!gr_acl_is_enabled()))
57113+ goto exit;
57114+
57115+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
57116+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
57117+ goto exit; // let the kernel handle it
57118+
57119+ curr = current->acl;
57120+
57121+ if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
57122+ /* the family is allowed, if this is PF_INET allow it only if
57123+ the extra sock type/protocol checks pass */
57124+ if (domain == PF_INET)
57125+ goto inet_check;
57126+ goto exit;
57127+ } else {
57128+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57129+ __u32 fakeip = 0;
57130+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57131+ current->role->roletype, cred->uid,
57132+ cred->gid, current->exec_file ?
57133+ gr_to_filename(current->exec_file->f_path.dentry,
57134+ current->exec_file->f_path.mnt) :
57135+ curr->filename, curr->filename,
57136+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
57137+ &current->signal->saved_ip);
57138+ goto exit;
57139+ }
57140+ goto exit_fail;
57141+ }
57142+
57143+inet_check:
57144+ /* the rest of this checking is for IPv4 only */
57145+ if (!curr->ips)
57146+ goto exit;
57147+
57148+ if ((curr->ip_type & (1 << type)) &&
57149+ (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
57150+ goto exit;
57151+
57152+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57153+ /* we don't place acls on raw sockets , and sometimes
57154+ dgram/ip sockets are opened for ioctl and not
57155+ bind/connect, so we'll fake a bind learn log */
57156+ if (type == SOCK_RAW || type == SOCK_PACKET) {
57157+ __u32 fakeip = 0;
57158+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57159+ current->role->roletype, cred->uid,
57160+ cred->gid, current->exec_file ?
57161+ gr_to_filename(current->exec_file->f_path.dentry,
57162+ current->exec_file->f_path.mnt) :
57163+ curr->filename, curr->filename,
57164+ &fakeip, 0, type,
57165+ protocol, GR_CONNECT, &current->signal->saved_ip);
57166+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
57167+ __u32 fakeip = 0;
57168+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57169+ current->role->roletype, cred->uid,
57170+ cred->gid, current->exec_file ?
57171+ gr_to_filename(current->exec_file->f_path.dentry,
57172+ current->exec_file->f_path.mnt) :
57173+ curr->filename, curr->filename,
57174+ &fakeip, 0, type,
57175+ protocol, GR_BIND, &current->signal->saved_ip);
57176+ }
57177+ /* we'll log when they use connect or bind */
57178+ goto exit;
57179+ }
57180+
57181+exit_fail:
57182+ if (domain == PF_INET)
57183+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
57184+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
57185+ else
57186+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
57187+ gr_socktype_to_name(type), protocol);
57188+
57189+ return 0;
57190+exit:
57191+ return 1;
57192+}
57193+
57194+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
57195+{
57196+ if ((ip->mode & mode) &&
57197+ (ip_port >= ip->low) &&
57198+ (ip_port <= ip->high) &&
57199+ ((ntohl(ip_addr) & our_netmask) ==
57200+ (ntohl(our_addr) & our_netmask))
57201+ && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
57202+ && (ip->type & (1 << type))) {
57203+ if (ip->mode & GR_INVERT)
57204+ return 2; // specifically denied
57205+ else
57206+ return 1; // allowed
57207+ }
57208+
57209+ return 0; // not specifically allowed, may continue parsing
57210+}
57211+
57212+static int
57213+gr_search_connectbind(const int full_mode, struct sock *sk,
57214+ struct sockaddr_in *addr, const int type)
57215+{
57216+ char iface[IFNAMSIZ] = {0};
57217+ struct acl_subject_label *curr;
57218+ struct acl_ip_label *ip;
57219+ struct inet_sock *isk;
57220+ struct net_device *dev;
57221+ struct in_device *idev;
57222+ unsigned long i;
57223+ int ret;
57224+ int mode = full_mode & (GR_BIND | GR_CONNECT);
57225+ __u32 ip_addr = 0;
57226+ __u32 our_addr;
57227+ __u32 our_netmask;
57228+ char *p;
57229+ __u16 ip_port = 0;
57230+ const struct cred *cred = current_cred();
57231+
57232+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
57233+ return 0;
57234+
57235+ curr = current->acl;
57236+ isk = inet_sk(sk);
57237+
57238+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
57239+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
57240+ addr->sin_addr.s_addr = curr->inaddr_any_override;
57241+ if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
57242+ struct sockaddr_in saddr;
57243+ int err;
57244+
57245+ saddr.sin_family = AF_INET;
57246+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
57247+ saddr.sin_port = isk->sport;
57248+
57249+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57250+ if (err)
57251+ return err;
57252+
57253+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
57254+ if (err)
57255+ return err;
57256+ }
57257+
57258+ if (!curr->ips)
57259+ return 0;
57260+
57261+ ip_addr = addr->sin_addr.s_addr;
57262+ ip_port = ntohs(addr->sin_port);
57263+
57264+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
57265+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
57266+ current->role->roletype, cred->uid,
57267+ cred->gid, current->exec_file ?
57268+ gr_to_filename(current->exec_file->f_path.dentry,
57269+ current->exec_file->f_path.mnt) :
57270+ curr->filename, curr->filename,
57271+ &ip_addr, ip_port, type,
57272+ sk->sk_protocol, mode, &current->signal->saved_ip);
57273+ return 0;
57274+ }
57275+
57276+ for (i = 0; i < curr->ip_num; i++) {
57277+ ip = *(curr->ips + i);
57278+ if (ip->iface != NULL) {
57279+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
57280+ p = strchr(iface, ':');
57281+ if (p != NULL)
57282+ *p = '\0';
57283+ dev = dev_get_by_name(sock_net(sk), iface);
57284+ if (dev == NULL)
57285+ continue;
57286+ idev = in_dev_get(dev);
57287+ if (idev == NULL) {
57288+ dev_put(dev);
57289+ continue;
57290+ }
57291+ rcu_read_lock();
57292+ for_ifa(idev) {
57293+ if (!strcmp(ip->iface, ifa->ifa_label)) {
57294+ our_addr = ifa->ifa_address;
57295+ our_netmask = 0xffffffff;
57296+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57297+ if (ret == 1) {
57298+ rcu_read_unlock();
57299+ in_dev_put(idev);
57300+ dev_put(dev);
57301+ return 0;
57302+ } else if (ret == 2) {
57303+ rcu_read_unlock();
57304+ in_dev_put(idev);
57305+ dev_put(dev);
57306+ goto denied;
57307+ }
57308+ }
57309+ } endfor_ifa(idev);
57310+ rcu_read_unlock();
57311+ in_dev_put(idev);
57312+ dev_put(dev);
57313+ } else {
57314+ our_addr = ip->addr;
57315+ our_netmask = ip->netmask;
57316+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
57317+ if (ret == 1)
57318+ return 0;
57319+ else if (ret == 2)
57320+ goto denied;
57321+ }
57322+ }
57323+
57324+denied:
57325+ if (mode == GR_BIND)
57326+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57327+ else if (mode == GR_CONNECT)
57328+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
57329+
57330+ return -EACCES;
57331+}
57332+
57333+int
57334+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
57335+{
57336+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
57337+}
57338+
57339+int
57340+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
57341+{
57342+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
57343+}
57344+
57345+int gr_search_listen(struct socket *sock)
57346+{
57347+ struct sock *sk = sock->sk;
57348+ struct sockaddr_in addr;
57349+
57350+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57351+ addr.sin_port = inet_sk(sk)->sport;
57352+
57353+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57354+}
57355+
57356+int gr_search_accept(struct socket *sock)
57357+{
57358+ struct sock *sk = sock->sk;
57359+ struct sockaddr_in addr;
57360+
57361+ addr.sin_addr.s_addr = inet_sk(sk)->saddr;
57362+ addr.sin_port = inet_sk(sk)->sport;
57363+
57364+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
57365+}
57366+
57367+int
57368+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
57369+{
57370+ if (addr)
57371+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
57372+ else {
57373+ struct sockaddr_in sin;
57374+ const struct inet_sock *inet = inet_sk(sk);
57375+
57376+ sin.sin_addr.s_addr = inet->daddr;
57377+ sin.sin_port = inet->dport;
57378+
57379+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57380+ }
57381+}
57382+
57383+int
57384+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
57385+{
57386+ struct sockaddr_in sin;
57387+
57388+ if (unlikely(skb->len < sizeof (struct udphdr)))
57389+ return 0; // skip this packet
57390+
57391+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
57392+ sin.sin_port = udp_hdr(skb)->source;
57393+
57394+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
57395+}
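Review bot: The lookup helpers `gr_socktype_to_name` and `gr_sockfamily_to_name` index `gr_socktypes[SOCK_MAX]` and `gr_sockfamilies[AF_MAX+1]` with an `unsigned char` and no range check; only `gr_protocols` lists an entry for every value that type can hold. `gr_search_socket` validates `domain`, `type` and `protocol` before it reaches its log calls, but the `denied:` path of `gr_search_connectbind` passes `type` (from `sock->type`) straight through, so the helpers depend on every caller having checked the range elsewhere. As the helpers are non-static, a check inside them is cheap hardening against an out-of-bounds read in the logging path, for example `return (type < SOCK_MAX && gr_socktypes[type]) ? gr_socktypes[type] : "unknown";`, with the same shape for the family table. The NULL test also covers any slots the initializer leaves empty.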
57396diff -urNp linux-2.6.32.48/grsecurity/gracl_learn.c linux-2.6.32.48/grsecurity/gracl_learn.c
57397--- linux-2.6.32.48/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
57398+++ linux-2.6.32.48/grsecurity/gracl_learn.c 2011-11-15 19:59:43.000000000 -0500
57399@@ -0,0 +1,208 @@
57400+#include <linux/kernel.h>
57401+#include <linux/mm.h>
57402+#include <linux/sched.h>
57403+#include <linux/poll.h>
57404+#include <linux/smp_lock.h>
57405+#include <linux/string.h>
57406+#include <linux/file.h>
57407+#include <linux/types.h>
57408+#include <linux/vmalloc.h>
57409+#include <linux/grinternal.h>
57410+
57411+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
57412+ size_t count, loff_t *ppos);
57413+extern int gr_acl_is_enabled(void);
57414+
57415+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
57416+static int gr_learn_attached;
57417+
57418+/* use a 512k buffer */
57419+#define LEARN_BUFFER_SIZE (512 * 1024)
57420+
57421+static DEFINE_SPINLOCK(gr_learn_lock);
57422+static DEFINE_MUTEX(gr_learn_user_mutex);
57423+
57424+/* we need to maintain two buffers, so that the kernel context of grlearn
57425+ uses a semaphore around the userspace copying, and the other kernel contexts
57426+ use a spinlock when copying into the buffer, since they cannot sleep
57427+*/
57428+static char *learn_buffer;
57429+static char *learn_buffer_user;
57430+static int learn_buffer_len;
57431+static int learn_buffer_user_len;
57432+
57433+static ssize_t
57434+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
57435+{
57436+ DECLARE_WAITQUEUE(wait, current);
57437+ ssize_t retval = 0;
57438+
57439+ add_wait_queue(&learn_wait, &wait);
57440+ set_current_state(TASK_INTERRUPTIBLE);
57441+ do {
57442+ mutex_lock(&gr_learn_user_mutex);
57443+ spin_lock(&gr_learn_lock);
57444+ if (learn_buffer_len)
57445+ break;
57446+ spin_unlock(&gr_learn_lock);
57447+ mutex_unlock(&gr_learn_user_mutex);
57448+ if (file->f_flags & O_NONBLOCK) {
57449+ retval = -EAGAIN;
57450+ goto out;
57451+ }
57452+ if (signal_pending(current)) {
57453+ retval = -ERESTARTSYS;
57454+ goto out;
57455+ }
57456+
57457+ schedule();
57458+ } while (1);
57459+
57460+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
57461+ learn_buffer_user_len = learn_buffer_len;
57462+ retval = learn_buffer_len;
57463+ learn_buffer_len = 0;
57464+
57465+ spin_unlock(&gr_learn_lock);
57466+
57467+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
57468+ retval = -EFAULT;
57469+
57470+ mutex_unlock(&gr_learn_user_mutex);
57471+out:
57472+ set_current_state(TASK_RUNNING);
57473+ remove_wait_queue(&learn_wait, &wait);
57474+ return retval;
57475+}
57476+
57477+static unsigned int
57478+poll_learn(struct file * file, poll_table * wait)
57479+{
57480+ poll_wait(file, &learn_wait, wait);
57481+
57482+ if (learn_buffer_len)
57483+ return (POLLIN | POLLRDNORM);
57484+
57485+ return 0;
57486+}
57487+
57488+void
57489+gr_clear_learn_entries(void)
57490+{
57491+ char *tmp;
57492+
57493+ mutex_lock(&gr_learn_user_mutex);
57494+ spin_lock(&gr_learn_lock);
57495+ tmp = learn_buffer;
57496+ learn_buffer = NULL;
57497+ spin_unlock(&gr_learn_lock);
57498+ if (tmp)
57499+ vfree(tmp);
57500+ if (learn_buffer_user != NULL) {
57501+ vfree(learn_buffer_user);
57502+ learn_buffer_user = NULL;
57503+ }
57504+ learn_buffer_len = 0;
57505+ mutex_unlock(&gr_learn_user_mutex);
57506+
57507+ return;
57508+}
57509+
57510+void
57511+gr_add_learn_entry(const char *fmt, ...)
57512+{
57513+ va_list args;
57514+ unsigned int len;
57515+
57516+ if (!gr_learn_attached)
57517+ return;
57518+
57519+ spin_lock(&gr_learn_lock);
57520+
57521+ /* leave a gap at the end so we know when it's "full" but don't have to
57522+ compute the exact length of the string we're trying to append
57523+ */
57524+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
57525+ spin_unlock(&gr_learn_lock);
57526+ wake_up_interruptible(&learn_wait);
57527+ return;
57528+ }
57529+ if (learn_buffer == NULL) {
57530+ spin_unlock(&gr_learn_lock);
57531+ return;
57532+ }
57533+
57534+ va_start(args, fmt);
57535+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
57536+ va_end(args);
57537+
57538+ learn_buffer_len += len + 1;
57539+
57540+ spin_unlock(&gr_learn_lock);
57541+ wake_up_interruptible(&learn_wait);
57542+
57543+ return;
57544+}
57545+
57546+static int
57547+open_learn(struct inode *inode, struct file *file)
57548+{
57549+ if (file->f_mode & FMODE_READ && gr_learn_attached)
57550+ return -EBUSY;
57551+ if (file->f_mode & FMODE_READ) {
57552+ int retval = 0;
57553+ mutex_lock(&gr_learn_user_mutex);
57554+ if (learn_buffer == NULL)
57555+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
57556+ if (learn_buffer_user == NULL)
57557+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
57558+ if (learn_buffer == NULL) {
57559+ retval = -ENOMEM;
57560+ goto out_error;
57561+ }
57562+ if (learn_buffer_user == NULL) {
57563+ retval = -ENOMEM;
57564+ goto out_error;
57565+ }
57566+ learn_buffer_len = 0;
57567+ learn_buffer_user_len = 0;
57568+ gr_learn_attached = 1;
57569+out_error:
57570+ mutex_unlock(&gr_learn_user_mutex);
57571+ return retval;
57572+ }
57573+ return 0;
57574+}
57575+
57576+static int
57577+close_learn(struct inode *inode, struct file *file)
57578+{
57579+ if (file->f_mode & FMODE_READ) {
57580+ char *tmp = NULL;
57581+ mutex_lock(&gr_learn_user_mutex);
57582+ spin_lock(&gr_learn_lock);
57583+ tmp = learn_buffer;
57584+ learn_buffer = NULL;
57585+ spin_unlock(&gr_learn_lock);
57586+ if (tmp)
57587+ vfree(tmp);
57588+ if (learn_buffer_user != NULL) {
57589+ vfree(learn_buffer_user);
57590+ learn_buffer_user = NULL;
57591+ }
57592+ learn_buffer_len = 0;
57593+ learn_buffer_user_len = 0;
57594+ gr_learn_attached = 0;
57595+ mutex_unlock(&gr_learn_user_mutex);
57596+ }
57597+
57598+ return 0;
57599+}
57600+
57601+const struct file_operations grsec_fops = {
57602+ .read = read_learn,
57603+ .write = write_grsec_handler,
57604+ .open = open_learn,
57605+ .release = close_learn,
57606+ .poll = poll_learn,
57607+};
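Review bot: `read_learn` never looks at `count`: after the wait loop it copies `learn_buffer_user_len` bytes, which can approach `LEARN_BUFFER_SIZE`, to `buf` with `copy_to_user` no matter how large the caller said its buffer was. A reader that passes a smaller buffer has memory past the end of it overwritten, and the return value can exceed the requested length. The pending length should be compared with `count` before `learn_buffer_len` is reset, releasing both locks on the error path; the sketch below rejects a short buffer, and a partial read that keeps the remainder queued would be the alternative. Separately, `gr_add_learn_entry` adds the return value of `vsnprintf` to `learn_buffer_len`, which is the untruncated length, so `vscnprintf` would keep the counter inside the buffer even if an entry ever exceeded the 16384-byte gap.

```c
	} while (1);

	/* refuse to drain more than the caller's buffer can hold */
	if (count < (size_t)learn_buffer_len) {
		spin_unlock(&gr_learn_lock);
		mutex_unlock(&gr_learn_user_mutex);
		retval = -EINVAL;
		goto out;
	}

	/* … unchanged: memcpy into learn_buffer_user, copy_to_user, unlock … */
```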
57608diff -urNp linux-2.6.32.48/grsecurity/gracl_res.c linux-2.6.32.48/grsecurity/gracl_res.c
57609--- linux-2.6.32.48/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
57610+++ linux-2.6.32.48/grsecurity/gracl_res.c 2011-11-15 19:59:43.000000000 -0500
57611@@ -0,0 +1,67 @@
57612+#include <linux/kernel.h>
57613+#include <linux/sched.h>
57614+#include <linux/gracl.h>
57615+#include <linux/grinternal.h>
57616+
57617+static const char *restab_log[] = {
57618+ [RLIMIT_CPU] = "RLIMIT_CPU",
57619+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
57620+ [RLIMIT_DATA] = "RLIMIT_DATA",
57621+ [RLIMIT_STACK] = "RLIMIT_STACK",
57622+ [RLIMIT_CORE] = "RLIMIT_CORE",
57623+ [RLIMIT_RSS] = "RLIMIT_RSS",
57624+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
57625+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
57626+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
57627+ [RLIMIT_AS] = "RLIMIT_AS",
57628+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
57629+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
57630+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
57631+ [RLIMIT_NICE] = "RLIMIT_NICE",
57632+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
57633+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
57634+ [GR_CRASH_RES] = "RLIMIT_CRASH"
57635+};
57636+
57637+void
57638+gr_log_resource(const struct task_struct *task,
57639+ const int res, const unsigned long wanted, const int gt)
57640+{
57641+ const struct cred *cred;
57642+ unsigned long rlim;
57643+
57644+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
57645+ return;
57646+
57647+ // not yet supported resource
57648+ if (unlikely(!restab_log[res]))
57649+ return;
57650+
57651+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
57652+ rlim = task->signal->rlim[res].rlim_max;
57653+ else
57654+ rlim = task->signal->rlim[res].rlim_cur;
57655+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
57656+ return;
57657+
57658+ rcu_read_lock();
57659+ cred = __task_cred(task);
57660+
57661+ if (res == RLIMIT_NPROC &&
57662+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
57663+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
57664+ goto out_rcu_unlock;
57665+ else if (res == RLIMIT_MEMLOCK &&
57666+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
57667+ goto out_rcu_unlock;
57668+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
57669+ goto out_rcu_unlock;
57670+ rcu_read_unlock();
57671+
57672+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
57673+
57674+ return;
57675+out_rcu_unlock:
57676+ rcu_read_unlock();
57677+ return;
57678+}
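Review bot: `gr_log_resource` uses `res` as an index into `restab_log` and then into `task->signal->rlim` without checking its range; the only guard is the `!restab_log[res]` test, which itself reads the table at an unchecked index. A negative or too-large `res` would read outside both arrays. `GR_CRASH_RES` has a table entry, so if its value lies beyond the kernel's rlimit array (its definition is not visible here) it would pass the guard and index past `rlim`. A range check ahead of the lookup closes the first case: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. A short comment should also state whether `GR_CRASH_RES` is ever a valid argument here.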
57679diff -urNp linux-2.6.32.48/grsecurity/gracl_segv.c linux-2.6.32.48/grsecurity/gracl_segv.c
57680--- linux-2.6.32.48/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
57681+++ linux-2.6.32.48/grsecurity/gracl_segv.c 2011-11-17 20:48:17.000000000 -0500
57682@@ -0,0 +1,284 @@
57683+#include <linux/kernel.h>
57684+#include <linux/mm.h>
57685+#include <asm/uaccess.h>
57686+#include <asm/errno.h>
57687+#include <asm/mman.h>
57688+#include <net/sock.h>
57689+#include <linux/file.h>
57690+#include <linux/fs.h>
57691+#include <linux/net.h>
57692+#include <linux/in.h>
57693+#include <linux/smp_lock.h>
57694+#include <linux/slab.h>
57695+#include <linux/types.h>
57696+#include <linux/sched.h>
57697+#include <linux/timer.h>
57698+#include <linux/gracl.h>
57699+#include <linux/grsecurity.h>
57700+#include <linux/grinternal.h>
57701+
57702+static struct crash_uid *uid_set;
57703+static unsigned short uid_used;
57704+static DEFINE_SPINLOCK(gr_uid_lock);
57705+extern rwlock_t gr_inode_lock;
57706+extern struct acl_subject_label *
57707+ lookup_acl_subj_label(const ino_t inode, const dev_t dev,
57708+ struct acl_role_label *role);
57709+extern int gr_fake_force_sig(int sig, struct task_struct *t);
57710+
57711+int
57712+gr_init_uidset(void)
57713+{
57714+ uid_set =
57715+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
57716+ uid_used = 0;
57717+
57718+ return uid_set ? 1 : 0;
57719+}
57720+
57721+void
57722+gr_free_uidset(void)
57723+{
57724+ if (uid_set)
57725+ kfree(uid_set);
57726+
57727+ return;
57728+}
57729+
57730+int
57731+gr_find_uid(const uid_t uid)
57732+{
57733+ struct crash_uid *tmp = uid_set;
57734+ uid_t buid;
57735+ int low = 0, high = uid_used - 1, mid;
57736+
57737+ while (high >= low) {
57738+ mid = (low + high) >> 1;
57739+ buid = tmp[mid].uid;
57740+ if (buid == uid)
57741+ return mid;
57742+ if (buid > uid)
57743+ high = mid - 1;
57744+ if (buid < uid)
57745+ low = mid + 1;
57746+ }
57747+
57748+ return -1;
57749+}
57750+
57751+static __inline__ void
57752+gr_insertsort(void)
57753+{
57754+ unsigned short i, j;
57755+ struct crash_uid index;
57756+
57757+ for (i = 1; i < uid_used; i++) {
57758+ index = uid_set[i];
57759+ j = i;
57760+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
57761+ uid_set[j] = uid_set[j - 1];
57762+ j--;
57763+ }
57764+ uid_set[j] = index;
57765+ }
57766+
57767+ return;
57768+}
57769+
57770+static __inline__ void
57771+gr_insert_uid(const uid_t uid, const unsigned long expires)
57772+{
57773+ int loc;
57774+
57775+ if (uid_used == GR_UIDTABLE_MAX)
57776+ return;
57777+
57778+ loc = gr_find_uid(uid);
57779+
57780+ if (loc >= 0) {
57781+ uid_set[loc].expires = expires;
57782+ return;
57783+ }
57784+
57785+ uid_set[uid_used].uid = uid;
57786+ uid_set[uid_used].expires = expires;
57787+ uid_used++;
57788+
57789+ gr_insertsort();
57790+
57791+ return;
57792+}
57793+
57794+void
57795+gr_remove_uid(const unsigned short loc)
57796+{
57797+ unsigned short i;
57798+
57799+ for (i = loc + 1; i < uid_used; i++)
57800+ uid_set[i - 1] = uid_set[i];
57801+
57802+ uid_used--;
57803+
57804+ return;
57805+}
57806+
57807+int
57808+gr_check_crash_uid(const uid_t uid)
57809+{
57810+ int loc;
57811+ int ret = 0;
57812+
57813+ if (unlikely(!gr_acl_is_enabled()))
57814+ return 0;
57815+
57816+ spin_lock(&gr_uid_lock);
57817+ loc = gr_find_uid(uid);
57818+
57819+ if (loc < 0)
57820+ goto out_unlock;
57821+
57822+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
57823+ gr_remove_uid(loc);
57824+ else
57825+ ret = 1;
57826+
57827+out_unlock:
57828+ spin_unlock(&gr_uid_lock);
57829+ return ret;
57830+}
57831+
57832+static __inline__ int
57833+proc_is_setxid(const struct cred *cred)
57834+{
57835+ if (cred->uid != cred->euid || cred->uid != cred->suid ||
57836+ cred->uid != cred->fsuid)
57837+ return 1;
57838+ if (cred->gid != cred->egid || cred->gid != cred->sgid ||
57839+ cred->gid != cred->fsgid)
57840+ return 1;
57841+
57842+ return 0;
57843+}
57844+
57845+void
57846+gr_handle_crash(struct task_struct *task, const int sig)
57847+{
57848+ struct acl_subject_label *curr;
57849+ struct task_struct *tsk, *tsk2;
57850+ const struct cred *cred;
57851+ const struct cred *cred2;
57852+
57853+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
57854+ return;
57855+
57856+ if (unlikely(!gr_acl_is_enabled()))
57857+ return;
57858+
57859+ curr = task->acl;
57860+
57861+ if (!(curr->resmask & (1 << GR_CRASH_RES)))
57862+ return;
57863+
57864+ if (time_before_eq(curr->expires, get_seconds())) {
57865+ curr->expires = 0;
57866+ curr->crashes = 0;
57867+ }
57868+
57869+ curr->crashes++;
57870+
57871+ if (!curr->expires)
57872+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
57873+
57874+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57875+ time_after(curr->expires, get_seconds())) {
57876+ rcu_read_lock();
57877+ cred = __task_cred(task);
57878+ if (cred->uid && proc_is_setxid(cred)) {
57879+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57880+ spin_lock(&gr_uid_lock);
57881+ gr_insert_uid(cred->uid, curr->expires);
57882+ spin_unlock(&gr_uid_lock);
57883+ curr->expires = 0;
57884+ curr->crashes = 0;
57885+ read_lock(&tasklist_lock);
57886+ do_each_thread(tsk2, tsk) {
57887+ cred2 = __task_cred(tsk);
57888+ if (tsk != task && cred2->uid == cred->uid)
57889+ gr_fake_force_sig(SIGKILL, tsk);
57890+ } while_each_thread(tsk2, tsk);
57891+ read_unlock(&tasklist_lock);
57892+ } else {
57893+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
57894+ read_lock(&tasklist_lock);
57895+ read_lock(&grsec_exec_file_lock);
57896+ do_each_thread(tsk2, tsk) {
57897+ if (likely(tsk != task)) {
57898+ // if this thread has the same subject as the one that triggered
57899+ // RES_CRASH and it's the same binary, kill it
57900+ if (tsk->acl == task->acl && tsk->exec_file == task->exec_file)
57901+ gr_fake_force_sig(SIGKILL, tsk);
57902+ }
57903+ } while_each_thread(tsk2, tsk);
57904+ read_unlock(&grsec_exec_file_lock);
57905+ read_unlock(&tasklist_lock);
57906+ }
57907+ rcu_read_unlock();
57908+ }
57909+
57910+ return;
57911+}
57912+
57913+int
57914+gr_check_crash_exec(const struct file *filp)
57915+{
57916+ struct acl_subject_label *curr;
57917+
57918+ if (unlikely(!gr_acl_is_enabled()))
57919+ return 0;
57920+
57921+ read_lock(&gr_inode_lock);
57922+ curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
57923+ filp->f_path.dentry->d_inode->i_sb->s_dev,
57924+ current->role);
57925+ read_unlock(&gr_inode_lock);
57926+
57927+ if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
57928+ (!curr->crashes && !curr->expires))
57929+ return 0;
57930+
57931+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
57932+ time_after(curr->expires, get_seconds()))
57933+ return 1;
57934+ else if (time_before_eq(curr->expires, get_seconds())) {
57935+ curr->crashes = 0;
57936+ curr->expires = 0;
57937+ }
57938+
57939+ return 0;
57940+}
57941+
57942+void
57943+gr_handle_alertkill(struct task_struct *task)
57944+{
57945+ struct acl_subject_label *curracl;
57946+ __u32 curr_ip;
57947+ struct task_struct *p, *p2;
57948+
57949+ if (unlikely(!gr_acl_is_enabled()))
57950+ return;
57951+
57952+ curracl = task->acl;
57953+ curr_ip = task->signal->curr_ip;
57954+
57955+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
57956+ read_lock(&tasklist_lock);
57957+ do_each_thread(p2, p) {
57958+ if (p->signal->curr_ip == curr_ip)
57959+ gr_fake_force_sig(SIGKILL, p);
57960+ } while_each_thread(p2, p);
57961+ read_unlock(&tasklist_lock);
57962+ } else if (curracl->mode & GR_KILLPROC)
57963+ gr_fake_force_sig(SIGKILL, task);
57964+
57965+ return;
57966+}
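Review bot: gr_insert_uid() returns silently once `uid_used == GR_UIDTABLE_MAX`, and within this file expired entries are only removed one at a time by gr_check_crash_uid() for the uid being looked up. A table filled with stale entries would therefore cause a new lockout from gr_handle_crash() to be dropped with no log line. Reclaiming expired slots before giving up keeps the lockout effective. The sketch below runs under gr_uid_lock, which the caller in gr_handle_crash() already takes, and it preserves the sort order gr_find_uid() relies on. gr_remove_uid() is defined after gr_insert_uid() in this file, so it needs a prototype in scope, which may already exist in a header not shown here.

```c
gr_insert_uid(const uid_t uid, const unsigned long expires)
{
	int loc;

	if (uid_used == GR_UIDTABLE_MAX) {
		/* reclaim slots whose lockout has already expired */
		unsigned short i = 0;

		while (i < uid_used) {
			if (time_before_eq(uid_set[i].expires, get_seconds()))
				gr_remove_uid(i);
			else
				i++;
		}
		if (uid_used == GR_UIDTABLE_MAX)
			return;
	}
	/* … unchanged: gr_find_uid() lookup, append and gr_insertsort() … */
```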
57967diff -urNp linux-2.6.32.48/grsecurity/gracl_shm.c linux-2.6.32.48/grsecurity/gracl_shm.c
57968--- linux-2.6.32.48/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
57969+++ linux-2.6.32.48/grsecurity/gracl_shm.c 2011-11-15 19:59:43.000000000 -0500
57970@@ -0,0 +1,40 @@
57971+#include <linux/kernel.h>
57972+#include <linux/mm.h>
57973+#include <linux/sched.h>
57974+#include <linux/file.h>
57975+#include <linux/ipc.h>
57976+#include <linux/gracl.h>
57977+#include <linux/grsecurity.h>
57978+#include <linux/grinternal.h>
57979+
57980+int
57981+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
57982+ const time_t shm_createtime, const uid_t cuid, const int shmid)
57983+{
57984+ struct task_struct *task;
57985+
57986+ if (!gr_acl_is_enabled())
57987+ return 1;
57988+
57989+ rcu_read_lock();
57990+ read_lock(&tasklist_lock);
57991+
57992+ task = find_task_by_vpid(shm_cprid);
57993+
57994+ if (unlikely(!task))
57995+ task = find_task_by_vpid(shm_lapid);
57996+
57997+ if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
57998+ (task->pid == shm_lapid)) &&
57999+ (task->acl->mode & GR_PROTSHM) &&
58000+ (task->acl != current->acl))) {
58001+ read_unlock(&tasklist_lock);
58002+ rcu_read_unlock();
58003+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
58004+ return 0;
58005+ }
58006+ read_unlock(&tasklist_lock);
58007+ rcu_read_unlock();
58008+
58009+ return 1;
58010+}
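Review bot: In gr_handle_shmat() the fallback to `shm_lapid` happens only when the creator lookup returns NULL. If the creator has exited and its pid now belongs to a newer task, the `time_before_eq()` test fails for that unrelated task and the function returns 1 without consulting the last attacher. gr_chroot_shmat() in grsec_chroot.c (same patch) covers this case with its "creator exited, pid reuse, fall through" path. If the same behaviour is intended here, the fallback could read `if (unlikely(!task || time_after((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime))) task = find_task_by_vpid(shm_lapid);`. A one-line comment stating that 1 means allow and 0 means deny would also help callers.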
58011diff -urNp linux-2.6.32.48/grsecurity/grsec_chdir.c linux-2.6.32.48/grsecurity/grsec_chdir.c
58012--- linux-2.6.32.48/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
58013+++ linux-2.6.32.48/grsecurity/grsec_chdir.c 2011-11-15 19:59:43.000000000 -0500
58014@@ -0,0 +1,19 @@
58015+#include <linux/kernel.h>
58016+#include <linux/sched.h>
58017+#include <linux/fs.h>
58018+#include <linux/file.h>
58019+#include <linux/grsecurity.h>
58020+#include <linux/grinternal.h>
58021+
58022+void
58023+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
58024+{
58025+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
58026+ if ((grsec_enable_chdir && grsec_enable_group &&
58027+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
58028+ !grsec_enable_group)) {
58029+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
58030+ }
58031+#endif
58032+ return;
58033+}
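Review bot: The audit condition in gr_log_chdir() tests `grsec_enable_chdir` twice and is harder to read than it needs to be; it is equivalent to `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`. The same two-armed form appears in gr_handle_exec_args() in grsec_exec.c, so a small shared helper for "auditing applies to the current task" would keep the group-filter logic in one place. The trailing `return;` in a void function can also be dropped.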
58034diff -urNp linux-2.6.32.48/grsecurity/grsec_chroot.c linux-2.6.32.48/grsecurity/grsec_chroot.c
58035--- linux-2.6.32.48/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
58036+++ linux-2.6.32.48/grsecurity/grsec_chroot.c 2011-11-15 19:59:43.000000000 -0500
58037@@ -0,0 +1,386 @@
58038+#include <linux/kernel.h>
58039+#include <linux/module.h>
58040+#include <linux/sched.h>
58041+#include <linux/file.h>
58042+#include <linux/fs.h>
58043+#include <linux/mount.h>
58044+#include <linux/types.h>
58045+#include <linux/pid_namespace.h>
58046+#include <linux/grsecurity.h>
58047+#include <linux/grinternal.h>
58048+
58049+void gr_set_chroot_entries(struct task_struct *task, struct path *path)
58050+{
58051+#ifdef CONFIG_GRKERNSEC
58052+ if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
58053+ path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
58054+ task->gr_is_chrooted = 1;
58055+ else
58056+ task->gr_is_chrooted = 0;
58057+
58058+ task->gr_chroot_dentry = path->dentry;
58059+#endif
58060+ return;
58061+}
58062+
58063+void gr_clear_chroot_entries(struct task_struct *task)
58064+{
58065+#ifdef CONFIG_GRKERNSEC
58066+ task->gr_is_chrooted = 0;
58067+ task->gr_chroot_dentry = NULL;
58068+#endif
58069+ return;
58070+}
58071+
58072+int
58073+gr_handle_chroot_unix(const pid_t pid)
58074+{
58075+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
58076+ struct task_struct *p;
58077+
58078+ if (unlikely(!grsec_enable_chroot_unix))
58079+ return 1;
58080+
58081+ if (likely(!proc_is_chrooted(current)))
58082+ return 1;
58083+
58084+ rcu_read_lock();
58085+ read_lock(&tasklist_lock);
58086+
58087+ p = find_task_by_vpid_unrestricted(pid);
58088+ if (unlikely(p && !have_same_root(current, p))) {
58089+ read_unlock(&tasklist_lock);
58090+ rcu_read_unlock();
58091+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
58092+ return 0;
58093+ }
58094+ read_unlock(&tasklist_lock);
58095+ rcu_read_unlock();
58096+#endif
58097+ return 1;
58098+}
58099+
58100+int
58101+gr_handle_chroot_nice(void)
58102+{
58103+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58104+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
58105+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
58106+ return -EPERM;
58107+ }
58108+#endif
58109+ return 0;
58110+}
58111+
58112+int
58113+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
58114+{
58115+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
58116+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
58117+ && proc_is_chrooted(current)) {
58118+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
58119+ return -EACCES;
58120+ }
58121+#endif
58122+ return 0;
58123+}
58124+
58125+int
58126+gr_handle_chroot_rawio(const struct inode *inode)
58127+{
58128+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58129+ if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
58130+ inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
58131+ return 1;
58132+#endif
58133+ return 0;
58134+}
58135+
58136+int
58137+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
58138+{
58139+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58140+ struct task_struct *p;
58141+ int ret = 0;
58142+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
58143+ return ret;
58144+
58145+ read_lock(&tasklist_lock);
58146+ do_each_pid_task(pid, type, p) {
58147+ if (!have_same_root(current, p)) {
58148+ ret = 1;
58149+ goto out;
58150+ }
58151+ } while_each_pid_task(pid, type, p);
58152+out:
58153+ read_unlock(&tasklist_lock);
58154+ return ret;
58155+#endif
58156+ return 0;
58157+}
58158+
58159+int
58160+gr_pid_is_chrooted(struct task_struct *p)
58161+{
58162+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
58163+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
58164+ return 0;
58165+
58166+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
58167+ !have_same_root(current, p)) {
58168+ return 1;
58169+ }
58170+#endif
58171+ return 0;
58172+}
58173+
58174+EXPORT_SYMBOL(gr_pid_is_chrooted);
58175+
58176+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
58177+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
58178+{
58179+ struct dentry *dentry = (struct dentry *)u_dentry;
58180+ struct vfsmount *mnt = (struct vfsmount *)u_mnt;
58181+ struct dentry *realroot;
58182+ struct vfsmount *realrootmnt;
58183+ struct dentry *currentroot;
58184+ struct vfsmount *currentmnt;
58185+ struct task_struct *reaper = &init_task;
58186+ int ret = 1;
58187+
58188+ read_lock(&reaper->fs->lock);
58189+ realrootmnt = mntget(reaper->fs->root.mnt);
58190+ realroot = dget(reaper->fs->root.dentry);
58191+ read_unlock(&reaper->fs->lock);
58192+
58193+ read_lock(&current->fs->lock);
58194+ currentmnt = mntget(current->fs->root.mnt);
58195+ currentroot = dget(current->fs->root.dentry);
58196+ read_unlock(&current->fs->lock);
58197+
58198+ spin_lock(&dcache_lock);
58199+ for (;;) {
58200+ if (unlikely((dentry == realroot && mnt == realrootmnt)
58201+ || (dentry == currentroot && mnt == currentmnt)))
58202+ break;
58203+ if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
58204+ if (mnt->mnt_parent == mnt)
58205+ break;
58206+ dentry = mnt->mnt_mountpoint;
58207+ mnt = mnt->mnt_parent;
58208+ continue;
58209+ }
58210+ dentry = dentry->d_parent;
58211+ }
58212+ spin_unlock(&dcache_lock);
58213+
58214+ dput(currentroot);
58215+ mntput(currentmnt);
58216+
58217+ /* access is outside of chroot */
58218+ if (dentry == realroot && mnt == realrootmnt)
58219+ ret = 0;
58220+
58221+ dput(realroot);
58222+ mntput(realrootmnt);
58223+ return ret;
58224+}
58225+#endif
58226+
58227+int
58228+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
58229+{
58230+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
58231+ if (!grsec_enable_chroot_fchdir)
58232+ return 1;
58233+
58234+ if (!proc_is_chrooted(current))
58235+ return 1;
58236+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
58237+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
58238+ return 0;
58239+ }
58240+#endif
58241+ return 1;
58242+}
58243+
58244+int
58245+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58246+ const time_t shm_createtime)
58247+{
58248+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
58249+ struct task_struct *p;
58250+ time_t starttime;
58251+
58252+ if (unlikely(!grsec_enable_chroot_shmat))
58253+ return 1;
58254+
58255+ if (likely(!proc_is_chrooted(current)))
58256+ return 1;
58257+
58258+ rcu_read_lock();
58259+ read_lock(&tasklist_lock);
58260+
58261+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
58262+ starttime = p->start_time.tv_sec;
58263+ if (time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime)) {
58264+ if (have_same_root(current, p)) {
58265+ goto allow;
58266+ } else {
58267+ read_unlock(&tasklist_lock);
58268+ rcu_read_unlock();
58269+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58270+ return 0;
58271+ }
58272+ }
58273+ /* creator exited, pid reuse, fall through to next check */
58274+ }
58275+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
58276+ if (unlikely(!have_same_root(current, p))) {
58277+ read_unlock(&tasklist_lock);
58278+ rcu_read_unlock();
58279+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
58280+ return 0;
58281+ }
58282+ }
58283+
58284+allow:
58285+ read_unlock(&tasklist_lock);
58286+ rcu_read_unlock();
58287+#endif
58288+ return 1;
58289+}
58290+
58291+void
58292+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
58293+{
58294+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
58295+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
58296+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
58297+#endif
58298+ return;
58299+}
58300+
58301+int
58302+gr_handle_chroot_mknod(const struct dentry *dentry,
58303+ const struct vfsmount *mnt, const int mode)
58304+{
58305+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
58306+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
58307+ proc_is_chrooted(current)) {
58308+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
58309+ return -EPERM;
58310+ }
58311+#endif
58312+ return 0;
58313+}
58314+
58315+int
58316+gr_handle_chroot_mount(const struct dentry *dentry,
58317+ const struct vfsmount *mnt, const char *dev_name)
58318+{
58319+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
58320+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
58321+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
58322+ return -EPERM;
58323+ }
58324+#endif
58325+ return 0;
58326+}
58327+
58328+int
58329+gr_handle_chroot_pivot(void)
58330+{
58331+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
58332+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
58333+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
58334+ return -EPERM;
58335+ }
58336+#endif
58337+ return 0;
58338+}
58339+
58340+int
58341+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
58342+{
58343+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
58344+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
58345+ !gr_is_outside_chroot(dentry, mnt)) {
58346+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
58347+ return -EPERM;
58348+ }
58349+#endif
58350+ return 0;
58351+}
58352+
58353+extern const char *captab_log[];
58354+extern int captab_log_entries;
58355+
58356+int
58357+gr_chroot_is_capable(const int cap)
58358+{
58359+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58360+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58361+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58362+ if (cap_raised(chroot_caps, cap)) {
58363+ const struct cred *creds = current_cred();
58364+ if (cap_raised(creds->cap_effective, cap) && cap < captab_log_entries) {
58365+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, current, captab_log[cap]);
58366+ }
58367+ return 0;
58368+ }
58369+ }
58370+#endif
58371+ return 1;
58372+}
58373+
58374+int
58375+gr_chroot_is_capable_nolog(const int cap)
58376+{
58377+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
58378+ if (grsec_enable_chroot_caps && proc_is_chrooted(current)) {
58379+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
58380+ if (cap_raised(chroot_caps, cap)) {
58381+ return 0;
58382+ }
58383+ }
58384+#endif
58385+ return 1;
58386+}
58387+
58388+int
58389+gr_handle_chroot_sysctl(const int op)
58390+{
58391+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
58392+ if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
58393+ && (op & MAY_WRITE))
58394+ return -EACCES;
58395+#endif
58396+ return 0;
58397+}
58398+
58399+void
58400+gr_handle_chroot_chdir(struct path *path)
58401+{
58402+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
58403+ if (grsec_enable_chroot_chdir)
58404+ set_fs_pwd(current->fs, path);
58405+#endif
58406+ return;
58407+}
58408+
58409+int
58410+gr_handle_chroot_chmod(const struct dentry *dentry,
58411+ const struct vfsmount *mnt, const int mode)
58412+{
58413+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
58414+ /* allow chmod +s on directories, but not on files */
58415+ if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
58416+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
58417+ proc_is_chrooted(current)) {
58418+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
58419+ return -EPERM;
58420+ }
58421+#endif
58422+ return 0;
58423+}
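Review bot: gr_is_outside_chroot() returns the opposite of what its name says and has no comment documenting it. `ret` starts at 1 and is set to 0 only under the "access is outside of chroot" check, and both callers (gr_chroot_fchdir() and gr_handle_chroot_chroot()) deny on `!gr_is_outside_chroot(...)`. In access-control code an inverted predicate invites a future caller to get the test backwards, so I would add above the definition `/* Returns 0 if (u_dentry, u_mnt) resolves to the real root, i.e. outside the caller's chroot; returns 1 otherwise. */`. The comment should also say whether the third loop exit, `mnt->mnt_parent == mnt`, is meant to leave `ret` at 1, since that path reaches neither root and is currently treated the same as being inside the chroot.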
58424diff -urNp linux-2.6.32.48/grsecurity/grsec_disabled.c linux-2.6.32.48/grsecurity/grsec_disabled.c
58425--- linux-2.6.32.48/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
58426+++ linux-2.6.32.48/grsecurity/grsec_disabled.c 2011-11-15 19:59:43.000000000 -0500
58427@@ -0,0 +1,439 @@
58428+#include <linux/kernel.h>
58429+#include <linux/module.h>
58430+#include <linux/sched.h>
58431+#include <linux/file.h>
58432+#include <linux/fs.h>
58433+#include <linux/kdev_t.h>
58434+#include <linux/net.h>
58435+#include <linux/in.h>
58436+#include <linux/ip.h>
58437+#include <linux/skbuff.h>
58438+#include <linux/sysctl.h>
58439+
58440+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
58441+void
58442+pax_set_initial_flags(struct linux_binprm *bprm)
58443+{
58444+ return;
58445+}
58446+#endif
58447+
58448+#ifdef CONFIG_SYSCTL
58449+__u32
58450+gr_handle_sysctl(const struct ctl_table * table, const int op)
58451+{
58452+ return 0;
58453+}
58454+#endif
58455+
58456+#ifdef CONFIG_TASKSTATS
58457+int gr_is_taskstats_denied(int pid)
58458+{
58459+ return 0;
58460+}
58461+#endif
58462+
58463+int
58464+gr_acl_is_enabled(void)
58465+{
58466+ return 0;
58467+}
58468+
58469+void
58470+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
58471+{
58472+ return;
58473+}
58474+
58475+int
58476+gr_handle_rawio(const struct inode *inode)
58477+{
58478+ return 0;
58479+}
58480+
58481+void
58482+gr_acl_handle_psacct(struct task_struct *task, const long code)
58483+{
58484+ return;
58485+}
58486+
58487+int
58488+gr_handle_ptrace(struct task_struct *task, const long request)
58489+{
58490+ return 0;
58491+}
58492+
58493+int
58494+gr_handle_proc_ptrace(struct task_struct *task)
58495+{
58496+ return 0;
58497+}
58498+
58499+void
58500+gr_learn_resource(const struct task_struct *task,
58501+ const int res, const unsigned long wanted, const int gt)
58502+{
58503+ return;
58504+}
58505+
58506+int
58507+gr_set_acls(const int type)
58508+{
58509+ return 0;
58510+}
58511+
58512+int
58513+gr_check_hidden_task(const struct task_struct *tsk)
58514+{
58515+ return 0;
58516+}
58517+
58518+int
58519+gr_check_protected_task(const struct task_struct *task)
58520+{
58521+ return 0;
58522+}
58523+
58524+int
58525+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
58526+{
58527+ return 0;
58528+}
58529+
58530+void
58531+gr_copy_label(struct task_struct *tsk)
58532+{
58533+ return;
58534+}
58535+
58536+void
58537+gr_set_pax_flags(struct task_struct *task)
58538+{
58539+ return;
58540+}
58541+
58542+int
58543+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
58544+ const int unsafe_share)
58545+{
58546+ return 0;
58547+}
58548+
58549+void
58550+gr_handle_delete(const ino_t ino, const dev_t dev)
58551+{
58552+ return;
58553+}
58554+
58555+void
58556+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
58557+{
58558+ return;
58559+}
58560+
58561+void
58562+gr_handle_crash(struct task_struct *task, const int sig)
58563+{
58564+ return;
58565+}
58566+
58567+int
58568+gr_check_crash_exec(const struct file *filp)
58569+{
58570+ return 0;
58571+}
58572+
58573+int
58574+gr_check_crash_uid(const uid_t uid)
58575+{
58576+ return 0;
58577+}
58578+
58579+void
58580+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
58581+ struct dentry *old_dentry,
58582+ struct dentry *new_dentry,
58583+ struct vfsmount *mnt, const __u8 replace)
58584+{
58585+ return;
58586+}
58587+
58588+int
58589+gr_search_socket(const int family, const int type, const int protocol)
58590+{
58591+ return 1;
58592+}
58593+
58594+int
58595+gr_search_connectbind(const int mode, const struct socket *sock,
58596+ const struct sockaddr_in *addr)
58597+{
58598+ return 0;
58599+}
58600+
58601+void
58602+gr_handle_alertkill(struct task_struct *task)
58603+{
58604+ return;
58605+}
58606+
58607+__u32
58608+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
58609+{
58610+ return 1;
58611+}
58612+
58613+__u32
58614+gr_acl_handle_hidden_file(const struct dentry * dentry,
58615+ const struct vfsmount * mnt)
58616+{
58617+ return 1;
58618+}
58619+
58620+__u32
58621+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
58622+ const int fmode)
58623+{
58624+ return 1;
58625+}
58626+
58627+__u32
58628+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
58629+{
58630+ return 1;
58631+}
58632+
58633+__u32
58634+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
58635+{
58636+ return 1;
58637+}
58638+
58639+int
58640+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
58641+ unsigned int *vm_flags)
58642+{
58643+ return 1;
58644+}
58645+
58646+__u32
58647+gr_acl_handle_truncate(const struct dentry * dentry,
58648+ const struct vfsmount * mnt)
58649+{
58650+ return 1;
58651+}
58652+
58653+__u32
58654+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
58655+{
58656+ return 1;
58657+}
58658+
58659+__u32
58660+gr_acl_handle_access(const struct dentry * dentry,
58661+ const struct vfsmount * mnt, const int fmode)
58662+{
58663+ return 1;
58664+}
58665+
58666+__u32
58667+gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
58668+ mode_t mode)
58669+{
58670+ return 1;
58671+}
58672+
58673+__u32
58674+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
58675+ mode_t mode)
58676+{
58677+ return 1;
58678+}
58679+
58680+__u32
58681+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
58682+{
58683+ return 1;
58684+}
58685+
58686+__u32
58687+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
58688+{
58689+ return 1;
58690+}
58691+
58692+void
58693+grsecurity_init(void)
58694+{
58695+ return;
58696+}
58697+
58698+__u32
58699+gr_acl_handle_mknod(const struct dentry * new_dentry,
58700+ const struct dentry * parent_dentry,
58701+ const struct vfsmount * parent_mnt,
58702+ const int mode)
58703+{
58704+ return 1;
58705+}
58706+
58707+__u32
58708+gr_acl_handle_mkdir(const struct dentry * new_dentry,
58709+ const struct dentry * parent_dentry,
58710+ const struct vfsmount * parent_mnt)
58711+{
58712+ return 1;
58713+}
58714+
58715+__u32
58716+gr_acl_handle_symlink(const struct dentry * new_dentry,
58717+ const struct dentry * parent_dentry,
58718+ const struct vfsmount * parent_mnt, const char *from)
58719+{
58720+ return 1;
58721+}
58722+
58723+__u32
58724+gr_acl_handle_link(const struct dentry * new_dentry,
58725+ const struct dentry * parent_dentry,
58726+ const struct vfsmount * parent_mnt,
58727+ const struct dentry * old_dentry,
58728+ const struct vfsmount * old_mnt, const char *to)
58729+{
58730+ return 1;
58731+}
58732+
58733+int
58734+gr_acl_handle_rename(const struct dentry *new_dentry,
58735+ const struct dentry *parent_dentry,
58736+ const struct vfsmount *parent_mnt,
58737+ const struct dentry *old_dentry,
58738+ const struct inode *old_parent_inode,
58739+ const struct vfsmount *old_mnt, const char *newname)
58740+{
58741+ return 0;
58742+}
58743+
58744+int
58745+gr_acl_handle_filldir(const struct file *file, const char *name,
58746+ const int namelen, const ino_t ino)
58747+{
58748+ return 1;
58749+}
58750+
58751+int
58752+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58753+ const time_t shm_createtime, const uid_t cuid, const int shmid)
58754+{
58755+ return 1;
58756+}
58757+
58758+int
58759+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
58760+{
58761+ return 0;
58762+}
58763+
58764+int
58765+gr_search_accept(const struct socket *sock)
58766+{
58767+ return 0;
58768+}
58769+
58770+int
58771+gr_search_listen(const struct socket *sock)
58772+{
58773+ return 0;
58774+}
58775+
58776+int
58777+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
58778+{
58779+ return 0;
58780+}
58781+
58782+__u32
58783+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
58784+{
58785+ return 1;
58786+}
58787+
58788+__u32
58789+gr_acl_handle_creat(const struct dentry * dentry,
58790+ const struct dentry * p_dentry,
58791+ const struct vfsmount * p_mnt, const int fmode,
58792+ const int imode)
58793+{
58794+ return 1;
58795+}
58796+
58797+void
58798+gr_acl_handle_exit(void)
58799+{
58800+ return;
58801+}
58802+
58803+int
58804+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
58805+{
58806+ return 1;
58807+}
58808+
58809+void
58810+gr_set_role_label(const uid_t uid, const gid_t gid)
58811+{
58812+ return;
58813+}
58814+
58815+int
58816+gr_acl_handle_procpidmem(const struct task_struct *task)
58817+{
58818+ return 0;
58819+}
58820+
58821+int
58822+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
58823+{
58824+ return 0;
58825+}
58826+
58827+int
58828+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
58829+{
58830+ return 0;
58831+}
58832+
58833+void
58834+gr_set_kernel_label(struct task_struct *task)
58835+{
58836+ return;
58837+}
58838+
58839+int
58840+gr_check_user_change(int real, int effective, int fs)
58841+{
58842+ return 0;
58843+}
58844+
58845+int
58846+gr_check_group_change(int real, int effective, int fs)
58847+{
58848+ return 0;
58849+}
58850+
58851+int gr_acl_enable_at_secure(void)
58852+{
58853+ return 0;
58854+}
58855+
58856+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
58857+{
58858+ return dentry->d_inode->i_sb->s_dev;
58859+}
58860+
58861+EXPORT_SYMBOL(gr_learn_resource);
58862+EXPORT_SYMBOL(gr_set_kernel_label);
58863+#ifdef CONFIG_SECURITY
58864+EXPORT_SYMBOL(gr_check_user_change);
58865+EXPORT_SYMBOL(gr_check_group_change);
58866+#endif
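Review bot: The stubs in grsec_disabled.c use two different "allow" values with no comment saying which applies to which hook. For example, gr_acl_handle_link() and gr_search_socket() return 1, while gr_acl_handle_rename(), gr_search_connect() and gr_check_crash_uid() return 0. Since these appear to be the fallbacks used when the ACL system is not built, a wrong constant would presumably turn into either a silent deny or a silent bypass at the call site. I would add a file header such as `/* No-op hook implementations; each returns the value its caller treats as "permitted", which is 1 for some hooks and 0 for others. */` and a short `/* 0 == allowed */` or `/* 1 == allowed */` on each stub.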
58867diff -urNp linux-2.6.32.48/grsecurity/grsec_exec.c linux-2.6.32.48/grsecurity/grsec_exec.c
58868--- linux-2.6.32.48/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
58869+++ linux-2.6.32.48/grsecurity/grsec_exec.c 2011-11-15 19:59:43.000000000 -0500
58870@@ -0,0 +1,204 @@
58871+#include <linux/kernel.h>
58872+#include <linux/sched.h>
58873+#include <linux/file.h>
58874+#include <linux/binfmts.h>
58875+#include <linux/smp_lock.h>
58876+#include <linux/fs.h>
58877+#include <linux/types.h>
58878+#include <linux/grdefs.h>
58879+#include <linux/grinternal.h>
58880+#include <linux/capability.h>
58881+#include <linux/compat.h>
58882+#include <linux/module.h>
58883+
58884+#include <asm/uaccess.h>
58885+
58886+#ifdef CONFIG_GRKERNSEC_EXECLOG
58887+static char gr_exec_arg_buf[132];
58888+static DEFINE_MUTEX(gr_exec_arg_mutex);
58889+#endif
58890+
58891+void
58892+gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
58893+{
58894+#ifdef CONFIG_GRKERNSEC_EXECLOG
58895+ char *grarg = gr_exec_arg_buf;
58896+ unsigned int i, x, execlen = 0;
58897+ char c;
58898+
58899+ if (!((grsec_enable_execlog && grsec_enable_group &&
58900+ in_group_p(grsec_audit_gid))
58901+ || (grsec_enable_execlog && !grsec_enable_group)))
58902+ return;
58903+
58904+ mutex_lock(&gr_exec_arg_mutex);
58905+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
58906+
58907+ if (unlikely(argv == NULL))
58908+ goto log;
58909+
58910+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
58911+ const char __user *p;
58912+ unsigned int len;
58913+
58914+ if (copy_from_user(&p, argv + i, sizeof(p)))
58915+ goto log;
58916+ if (!p)
58917+ goto log;
58918+ len = strnlen_user(p, 128 - execlen);
58919+ if (len > 128 - execlen)
58920+ len = 128 - execlen;
58921+ else if (len > 0)
58922+ len--;
58923+ if (copy_from_user(grarg + execlen, p, len))
58924+ goto log;
58925+
58926+ /* rewrite unprintable characters */
58927+ for (x = 0; x < len; x++) {
58928+ c = *(grarg + execlen + x);
58929+ if (c < 32 || c > 126)
58930+ *(grarg + execlen + x) = ' ';
58931+ }
58932+
58933+ execlen += len;
58934+ *(grarg + execlen) = ' ';
58935+ *(grarg + execlen + 1) = '\0';
58936+ execlen++;
58937+ }
58938+
58939+ log:
58940+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58941+ bprm->file->f_path.mnt, grarg);
58942+ mutex_unlock(&gr_exec_arg_mutex);
58943+#endif
58944+ return;
58945+}
58946+
58947+#ifdef CONFIG_COMPAT
58948+void
58949+gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
58950+{
58951+#ifdef CONFIG_GRKERNSEC_EXECLOG
58952+ char *grarg = gr_exec_arg_buf;
58953+ unsigned int i, x, execlen = 0;
58954+ char c;
58955+
58956+ if (!((grsec_enable_execlog && grsec_enable_group &&
58957+ in_group_p(grsec_audit_gid))
58958+ || (grsec_enable_execlog && !grsec_enable_group)))
58959+ return;
58960+
58961+ mutex_lock(&gr_exec_arg_mutex);
58962+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
58963+
58964+ if (unlikely(argv == NULL))
58965+ goto log;
58966+
58967+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
58968+ compat_uptr_t p;
58969+ unsigned int len;
58970+
58971+ if (get_user(p, argv + i))
58972+ goto log;
58973+ len = strnlen_user(compat_ptr(p), 128 - execlen);
58974+ if (len > 128 - execlen)
58975+ len = 128 - execlen;
58976+ else if (len > 0)
58977+ len--;
58978+ else
58979+ goto log;
58980+ if (copy_from_user(grarg + execlen, compat_ptr(p), len))
58981+ goto log;
58982+
58983+ /* rewrite unprintable characters */
58984+ for (x = 0; x < len; x++) {
58985+ c = *(grarg + execlen + x);
58986+ if (c < 32 || c > 126)
58987+ *(grarg + execlen + x) = ' ';
58988+ }
58989+
58990+ execlen += len;
58991+ *(grarg + execlen) = ' ';
58992+ *(grarg + execlen + 1) = '\0';
58993+ execlen++;
58994+ }
58995+
58996+ log:
58997+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
58998+ bprm->file->f_path.mnt, grarg);
58999+ mutex_unlock(&gr_exec_arg_mutex);
59000+#endif
59001+ return;
59002+}
59003+#endif
59004+
59005+#ifdef CONFIG_GRKERNSEC
59006+extern int gr_acl_is_capable(const int cap);
59007+extern int gr_acl_is_capable_nolog(const int cap);
59008+extern int gr_chroot_is_capable(const int cap);
59009+extern int gr_chroot_is_capable_nolog(const int cap);
59010+#endif
59011+
59012+const char *captab_log[] = {
59013+ "CAP_CHOWN",
59014+ "CAP_DAC_OVERRIDE",
59015+ "CAP_DAC_READ_SEARCH",
59016+ "CAP_FOWNER",
59017+ "CAP_FSETID",
59018+ "CAP_KILL",
59019+ "CAP_SETGID",
59020+ "CAP_SETUID",
59021+ "CAP_SETPCAP",
59022+ "CAP_LINUX_IMMUTABLE",
59023+ "CAP_NET_BIND_SERVICE",
59024+ "CAP_NET_BROADCAST",
59025+ "CAP_NET_ADMIN",
59026+ "CAP_NET_RAW",
59027+ "CAP_IPC_LOCK",
59028+ "CAP_IPC_OWNER",
59029+ "CAP_SYS_MODULE",
59030+ "CAP_SYS_RAWIO",
59031+ "CAP_SYS_CHROOT",
59032+ "CAP_SYS_PTRACE",
59033+ "CAP_SYS_PACCT",
59034+ "CAP_SYS_ADMIN",
59035+ "CAP_SYS_BOOT",
59036+ "CAP_SYS_NICE",
59037+ "CAP_SYS_RESOURCE",
59038+ "CAP_SYS_TIME",
59039+ "CAP_SYS_TTY_CONFIG",
59040+ "CAP_MKNOD",
59041+ "CAP_LEASE",
59042+ "CAP_AUDIT_WRITE",
59043+ "CAP_AUDIT_CONTROL",
59044+ "CAP_SETFCAP",
59045+ "CAP_MAC_OVERRIDE",
59046+ "CAP_MAC_ADMIN"
59047+};
59048+
59049+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
59050+
59051+int gr_is_capable(const int cap)
59052+{
59053+#ifdef CONFIG_GRKERNSEC
59054+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
59055+ return 1;
59056+ return 0;
59057+#else
59058+ return 1;
59059+#endif
59060+}
59061+
59062+int gr_is_capable_nolog(const int cap)
59063+{
59064+#ifdef CONFIG_GRKERNSEC
59065+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
59066+ return 1;
59067+ return 0;
59068+#else
59069+ return 1;
59070+#endif
59071+}
59072+
59073+EXPORT_SYMBOL(gr_is_capable);
59074+EXPORT_SYMBOL(gr_is_capable_nolog);
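Review bot: In gr_handle_exec_args() a faulting argument string is not treated as an error: when strnlen_user() returns 0 the native loop falls through, copies zero bytes, appends a space and moves on to the next argv slot, whereas gr_handle_exec_args_compat() ends the scan at the same position with `else goto log;`. The two paths should agree, so the native branch should read `else if (len > 0) len--; else goto log;`. Separately, argv is read from user memory here independently of the copy exec itself makes (outside this hunk), so the logged line is presumably best-effort and can differ from what the new image receives if another thread rewrites the strings in between. A comment above both functions saying so would help anyone who treats this audit record as authoritative.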
59075diff -urNp linux-2.6.32.48/grsecurity/grsec_fifo.c linux-2.6.32.48/grsecurity/grsec_fifo.c
59076--- linux-2.6.32.48/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
59077+++ linux-2.6.32.48/grsecurity/grsec_fifo.c 2011-11-15 19:59:43.000000000 -0500
59078@@ -0,0 +1,24 @@
59079+#include <linux/kernel.h>
59080+#include <linux/sched.h>
59081+#include <linux/fs.h>
59082+#include <linux/file.h>
59083+#include <linux/grinternal.h>
59084+
59085+int
59086+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
59087+ const struct dentry *dir, const int flag, const int acc_mode)
59088+{
59089+#ifdef CONFIG_GRKERNSEC_FIFO
59090+ const struct cred *cred = current_cred();
59091+
59092+ if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
59093+ !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
59094+ (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
59095+ (cred->fsuid != dentry->d_inode->i_uid)) {
59096+ if (!inode_permission(dentry->d_inode, acc_mode))
59097+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
59098+ return -EACCES;
59099+ }
59100+#endif
59101+ return 0;
59102+}
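Review bot: gr_handle_fifo() has no comment describing the rule it enforces, and the `if (!inode_permission(...))` in front of the log call is easy to misread as the access decision. As written, the open is refused with -EACCES whenever the FIFO sits in a sticky directory, is owned by neither the directory owner nor the caller's fsuid, and O_EXCL is not set; inode_permission() only decides whether the refusal is logged, namely when the ordinary permission check would have let the open through. I would add a header comment such as `/* deny opening FIFOs we don't own in +t directories unless the directory owner owns the FIFO; log only when DAC would have allowed the open */`. dentry->d_inode and dir->d_inode are dereferenced unchecked, so the comment should also state that callers must pass positive dentries.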
59103diff -urNp linux-2.6.32.48/grsecurity/grsec_fork.c linux-2.6.32.48/grsecurity/grsec_fork.c
59104--- linux-2.6.32.48/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
59105+++ linux-2.6.32.48/grsecurity/grsec_fork.c 2011-11-15 19:59:43.000000000 -0500
59106@@ -0,0 +1,23 @@
59107+#include <linux/kernel.h>
59108+#include <linux/sched.h>
59109+#include <linux/grsecurity.h>
59110+#include <linux/grinternal.h>
59111+#include <linux/errno.h>
59112+
59113+void
59114+gr_log_forkfail(const int retval)
59115+{
59116+#ifdef CONFIG_GRKERNSEC_FORKFAIL
59117+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
59118+ switch (retval) {
59119+ case -EAGAIN:
59120+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
59121+ break;
59122+ case -ENOMEM:
59123+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
59124+ break;
59125+ }
59126+ }
59127+#endif
59128+ return;
59129+}
59130diff -urNp linux-2.6.32.48/grsecurity/grsec_init.c linux-2.6.32.48/grsecurity/grsec_init.c
59131--- linux-2.6.32.48/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
59132+++ linux-2.6.32.48/grsecurity/grsec_init.c 2011-11-15 19:59:43.000000000 -0500
59133@@ -0,0 +1,270 @@
59134+#include <linux/kernel.h>
59135+#include <linux/sched.h>
59136+#include <linux/mm.h>
59137+#include <linux/smp_lock.h>
59138+#include <linux/gracl.h>
59139+#include <linux/slab.h>
59140+#include <linux/vmalloc.h>
59141+#include <linux/percpu.h>
59142+#include <linux/module.h>
59143+
59144+int grsec_enable_brute;
59145+int grsec_enable_link;
59146+int grsec_enable_dmesg;
59147+int grsec_enable_harden_ptrace;
59148+int grsec_enable_fifo;
59149+int grsec_enable_execlog;
59150+int grsec_enable_signal;
59151+int grsec_enable_forkfail;
59152+int grsec_enable_audit_ptrace;
59153+int grsec_enable_time;
59154+int grsec_enable_audit_textrel;
59155+int grsec_enable_group;
59156+int grsec_audit_gid;
59157+int grsec_enable_chdir;
59158+int grsec_enable_mount;
59159+int grsec_enable_rofs;
59160+int grsec_enable_chroot_findtask;
59161+int grsec_enable_chroot_mount;
59162+int grsec_enable_chroot_shmat;
59163+int grsec_enable_chroot_fchdir;
59164+int grsec_enable_chroot_double;
59165+int grsec_enable_chroot_pivot;
59166+int grsec_enable_chroot_chdir;
59167+int grsec_enable_chroot_chmod;
59168+int grsec_enable_chroot_mknod;
59169+int grsec_enable_chroot_nice;
59170+int grsec_enable_chroot_execlog;
59171+int grsec_enable_chroot_caps;
59172+int grsec_enable_chroot_sysctl;
59173+int grsec_enable_chroot_unix;
59174+int grsec_enable_tpe;
59175+int grsec_tpe_gid;
59176+int grsec_enable_blackhole;
59177+#ifdef CONFIG_IPV6_MODULE
59178+EXPORT_SYMBOL(grsec_enable_blackhole);
59179+#endif
59180+int grsec_lastack_retries;
59181+int grsec_enable_tpe_all;
59182+int grsec_enable_tpe_invert;
59183+int grsec_enable_socket_all;
59184+int grsec_socket_all_gid;
59185+int grsec_enable_socket_client;
59186+int grsec_socket_client_gid;
59187+int grsec_enable_socket_server;
59188+int grsec_socket_server_gid;
59189+int grsec_resource_logging;
59190+int grsec_disable_privio;
59191+int grsec_enable_log_rwxmaps;
59192+int grsec_lock;
59193+
59194+DEFINE_SPINLOCK(grsec_alert_lock);
59195+unsigned long grsec_alert_wtime = 0;
59196+unsigned long grsec_alert_fyet = 0;
59197+
59198+DEFINE_SPINLOCK(grsec_audit_lock);
59199+
59200+DEFINE_RWLOCK(grsec_exec_file_lock);
59201+
59202+char *gr_shared_page[4];
59203+
59204+char *gr_alert_log_fmt;
59205+char *gr_audit_log_fmt;
59206+char *gr_alert_log_buf;
59207+char *gr_audit_log_buf;
59208+
59209+extern struct gr_arg *gr_usermode;
59210+extern unsigned char *gr_system_salt;
59211+extern unsigned char *gr_system_sum;
59212+
59213+void __init
59214+grsecurity_init(void)
59215+{
59216+ int j;
59217+ /* create the per-cpu shared pages */
59218+
59219+#ifdef CONFIG_X86
59220+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
59221+#endif
59222+
59223+ for (j = 0; j < 4; j++) {
59224+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
59225+ if (gr_shared_page[j] == NULL) {
59226+ panic("Unable to allocate grsecurity shared page");
59227+ return;
59228+ }
59229+ }
59230+
59231+ /* allocate log buffers */
59232+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
59233+ if (!gr_alert_log_fmt) {
59234+ panic("Unable to allocate grsecurity alert log format buffer");
59235+ return;
59236+ }
59237+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
59238+ if (!gr_audit_log_fmt) {
59239+ panic("Unable to allocate grsecurity audit log format buffer");
59240+ return;
59241+ }
59242+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59243+ if (!gr_alert_log_buf) {
59244+ panic("Unable to allocate grsecurity alert log buffer");
59245+ return;
59246+ }
59247+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
59248+ if (!gr_audit_log_buf) {
59249+ panic("Unable to allocate grsecurity audit log buffer");
59250+ return;
59251+ }
59252+
59253+ /* allocate memory for authentication structure */
59254+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
59255+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
59256+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
59257+
59258+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
59259+ panic("Unable to allocate grsecurity authentication structure");
59260+ return;
59261+ }
59262+
59263+
59264+#ifdef CONFIG_GRKERNSEC_IO
59265+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
59266+ grsec_disable_privio = 1;
59267+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59268+ grsec_disable_privio = 1;
59269+#else
59270+ grsec_disable_privio = 0;
59271+#endif
59272+#endif
59273+
59274+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
59275+ /* for backward compatibility, tpe_invert always defaults to on if
59276+ enabled in the kernel
59277+ */
59278+ grsec_enable_tpe_invert = 1;
59279+#endif
59280+
59281+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
59282+#ifndef CONFIG_GRKERNSEC_SYSCTL
59283+ grsec_lock = 1;
59284+#endif
59285+
59286+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59287+ grsec_enable_audit_textrel = 1;
59288+#endif
59289+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59290+ grsec_enable_log_rwxmaps = 1;
59291+#endif
59292+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
59293+ grsec_enable_group = 1;
59294+ grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
59295+#endif
59296+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
59297+ grsec_enable_chdir = 1;
59298+#endif
59299+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
59300+ grsec_enable_harden_ptrace = 1;
59301+#endif
59302+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59303+ grsec_enable_mount = 1;
59304+#endif
59305+#ifdef CONFIG_GRKERNSEC_LINK
59306+ grsec_enable_link = 1;
59307+#endif
59308+#ifdef CONFIG_GRKERNSEC_BRUTE
59309+ grsec_enable_brute = 1;
59310+#endif
59311+#ifdef CONFIG_GRKERNSEC_DMESG
59312+ grsec_enable_dmesg = 1;
59313+#endif
59314+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
59315+ grsec_enable_blackhole = 1;
59316+ grsec_lastack_retries = 4;
59317+#endif
59318+#ifdef CONFIG_GRKERNSEC_FIFO
59319+ grsec_enable_fifo = 1;
59320+#endif
59321+#ifdef CONFIG_GRKERNSEC_EXECLOG
59322+ grsec_enable_execlog = 1;
59323+#endif
59324+#ifdef CONFIG_GRKERNSEC_SIGNAL
59325+ grsec_enable_signal = 1;
59326+#endif
59327+#ifdef CONFIG_GRKERNSEC_FORKFAIL
59328+ grsec_enable_forkfail = 1;
59329+#endif
59330+#ifdef CONFIG_GRKERNSEC_TIME
59331+ grsec_enable_time = 1;
59332+#endif
59333+#ifdef CONFIG_GRKERNSEC_RESLOG
59334+ grsec_resource_logging = 1;
59335+#endif
59336+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
59337+ grsec_enable_chroot_findtask = 1;
59338+#endif
59339+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
59340+ grsec_enable_chroot_unix = 1;
59341+#endif
59342+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
59343+ grsec_enable_chroot_mount = 1;
59344+#endif
59345+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
59346+ grsec_enable_chroot_fchdir = 1;
59347+#endif
59348+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
59349+ grsec_enable_chroot_shmat = 1;
59350+#endif
59351+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59352+ grsec_enable_audit_ptrace = 1;
59353+#endif
59354+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
59355+ grsec_enable_chroot_double = 1;
59356+#endif
59357+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
59358+ grsec_enable_chroot_pivot = 1;
59359+#endif
59360+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
59361+ grsec_enable_chroot_chdir = 1;
59362+#endif
59363+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
59364+ grsec_enable_chroot_chmod = 1;
59365+#endif
59366+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
59367+ grsec_enable_chroot_mknod = 1;
59368+#endif
59369+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
59370+ grsec_enable_chroot_nice = 1;
59371+#endif
59372+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
59373+ grsec_enable_chroot_execlog = 1;
59374+#endif
59375+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
59376+ grsec_enable_chroot_caps = 1;
59377+#endif
59378+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
59379+ grsec_enable_chroot_sysctl = 1;
59380+#endif
59381+#ifdef CONFIG_GRKERNSEC_TPE
59382+ grsec_enable_tpe = 1;
59383+ grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
59384+#ifdef CONFIG_GRKERNSEC_TPE_ALL
59385+ grsec_enable_tpe_all = 1;
59386+#endif
59387+#endif
59388+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
59389+ grsec_enable_socket_all = 1;
59390+ grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
59391+#endif
59392+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
59393+ grsec_enable_socket_client = 1;
59394+ grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
59395+#endif
59396+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
59397+ grsec_enable_socket_server = 1;
59398+ grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
59399+#endif
59400+#endif
59401+
59402+ return;
59403+}
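Review bot: The first statement of grsecurity_init(), `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);`, has no explanation and sits under the unrelated comment `/* create the per-cpu shared pages */`. The address and length match the x86 BIOS data area keyboard buffer (head and tail pointers plus the 32-byte ring), so this presumably wipes pre-boot keystrokes such as a bootloader or disk password that would otherwise linger in low memory. That intent should be stated next to the call, e.g. `/* clear the BIOS keyboard buffer so pre-boot passwords are not left in low memory */`, with the two constants given names. The `return;` after each panic() is unreachable and can be dropped.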
59404diff -urNp linux-2.6.32.48/grsecurity/grsec_link.c linux-2.6.32.48/grsecurity/grsec_link.c
59405--- linux-2.6.32.48/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
59406+++ linux-2.6.32.48/grsecurity/grsec_link.c 2011-11-15 19:59:43.000000000 -0500
59407@@ -0,0 +1,43 @@
59408+#include <linux/kernel.h>
59409+#include <linux/sched.h>
59410+#include <linux/fs.h>
59411+#include <linux/file.h>
59412+#include <linux/grinternal.h>
59413+
59414+int
59415+gr_handle_follow_link(const struct inode *parent,
59416+ const struct inode *inode,
59417+ const struct dentry *dentry, const struct vfsmount *mnt)
59418+{
59419+#ifdef CONFIG_GRKERNSEC_LINK
59420+ const struct cred *cred = current_cred();
59421+
59422+ if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
59423+ (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
59424+ (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
59425+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
59426+ return -EACCES;
59427+ }
59428+#endif
59429+ return 0;
59430+}
59431+
59432+int
59433+gr_handle_hardlink(const struct dentry *dentry,
59434+ const struct vfsmount *mnt,
59435+ struct inode *inode, const int mode, const char *to)
59436+{
59437+#ifdef CONFIG_GRKERNSEC_LINK
59438+ const struct cred *cred = current_cred();
59439+
59440+ if (grsec_enable_link && cred->fsuid != inode->i_uid &&
59441+ (!S_ISREG(mode) || (mode & S_ISUID) ||
59442+ ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
59443+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
59444+ !capable(CAP_FOWNER) && cred->uid) {
59445+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
59446+ return -EPERM;
59447+ }
59448+#endif
59449+ return 0;
59450+}
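Review bot: In gr_handle_hardlink() the trailing `&& cred->uid` exempts every uid-0 caller from the restriction, including one that has dropped CAP_FOWNER, so for root the capability test before it never matters. If the capability is meant to be the gate, the condition should end at `!capable(CAP_FOWNER)) {`; if the uid-0 exemption is deliberate, a comment should say so. Neither function documents its rule; for gr_handle_follow_link() I would add `/* refuse to follow symlinks in world-writable +t directories unless the link is owned by the follower or by the directory owner */`.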
59451diff -urNp linux-2.6.32.48/grsecurity/grsec_log.c linux-2.6.32.48/grsecurity/grsec_log.c
59452--- linux-2.6.32.48/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
59453+++ linux-2.6.32.48/grsecurity/grsec_log.c 2011-11-15 19:59:43.000000000 -0500
59454@@ -0,0 +1,322 @@
59455+#include <linux/kernel.h>
59456+#include <linux/sched.h>
59457+#include <linux/file.h>
59458+#include <linux/tty.h>
59459+#include <linux/fs.h>
59460+#include <linux/grinternal.h>
59461+
59462+#ifdef CONFIG_TREE_PREEMPT_RCU
59463+#define DISABLE_PREEMPT() preempt_disable()
59464+#define ENABLE_PREEMPT() preempt_enable()
59465+#else
59466+#define DISABLE_PREEMPT()
59467+#define ENABLE_PREEMPT()
59468+#endif
59469+
59470+#define BEGIN_LOCKS(x) \
59471+ DISABLE_PREEMPT(); \
59472+ rcu_read_lock(); \
59473+ read_lock(&tasklist_lock); \
59474+ read_lock(&grsec_exec_file_lock); \
59475+ if (x != GR_DO_AUDIT) \
59476+ spin_lock(&grsec_alert_lock); \
59477+ else \
59478+ spin_lock(&grsec_audit_lock)
59479+
59480+#define END_LOCKS(x) \
59481+ if (x != GR_DO_AUDIT) \
59482+ spin_unlock(&grsec_alert_lock); \
59483+ else \
59484+ spin_unlock(&grsec_audit_lock); \
59485+ read_unlock(&grsec_exec_file_lock); \
59486+ read_unlock(&tasklist_lock); \
59487+ rcu_read_unlock(); \
59488+ ENABLE_PREEMPT(); \
59489+ if (x == GR_DONT_AUDIT) \
59490+ gr_handle_alertkill(current)
59491+
59492+enum {
59493+ FLOODING,
59494+ NO_FLOODING
59495+};
59496+
59497+extern char *gr_alert_log_fmt;
59498+extern char *gr_audit_log_fmt;
59499+extern char *gr_alert_log_buf;
59500+extern char *gr_audit_log_buf;
59501+
59502+static int gr_log_start(int audit)
59503+{
59504+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
59505+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
59506+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59507+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
59508+ unsigned long curr_secs = get_seconds();
59509+
59510+ if (audit == GR_DO_AUDIT)
59511+ goto set_fmt;
59512+
59513+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
59514+ grsec_alert_wtime = curr_secs;
59515+ grsec_alert_fyet = 0;
59516+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
59517+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
59518+ grsec_alert_fyet++;
59519+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
59520+ grsec_alert_wtime = curr_secs;
59521+ grsec_alert_fyet++;
59522+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
59523+ return FLOODING;
59524+ }
59525+ else return FLOODING;
59526+
59527+set_fmt:
59528+#endif
59529+ memset(buf, 0, PAGE_SIZE);
59530+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
59531+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
59532+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59533+ } else if (current->signal->curr_ip) {
59534+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
59535+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
59536+ } else if (gr_acl_is_enabled()) {
59537+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
59538+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
59539+ } else {
59540+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
59541+ strcpy(buf, fmt);
59542+ }
59543+
59544+ return NO_FLOODING;
59545+}
59546+
59547+static void gr_log_middle(int audit, const char *msg, va_list ap)
59548+ __attribute__ ((format (printf, 2, 0)));
59549+
59550+static void gr_log_middle(int audit, const char *msg, va_list ap)
59551+{
59552+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59553+ unsigned int len = strlen(buf);
59554+
59555+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59556+
59557+ return;
59558+}
59559+
59560+static void gr_log_middle_varargs(int audit, const char *msg, ...)
59561+ __attribute__ ((format (printf, 2, 3)));
59562+
59563+static void gr_log_middle_varargs(int audit, const char *msg, ...)
59564+{
59565+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59566+ unsigned int len = strlen(buf);
59567+ va_list ap;
59568+
59569+ va_start(ap, msg);
59570+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
59571+ va_end(ap);
59572+
59573+ return;
59574+}
59575+
59576+static void gr_log_end(int audit, int append_default)
59577+{
59578+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
59579+
59580+ if (append_default) {
59581+ unsigned int len = strlen(buf);
59582+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
59583+ }
59584+
59585+ printk("%s\n", buf);
59586+
59587+ return;
59588+}
59589+
59590+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
59591+{
59592+ int logtype;
59593+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
59594+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
59595+ void *voidptr = NULL;
59596+ int num1 = 0, num2 = 0;
59597+ unsigned long ulong1 = 0, ulong2 = 0;
59598+ struct dentry *dentry = NULL;
59599+ struct vfsmount *mnt = NULL;
59600+ struct file *file = NULL;
59601+ struct task_struct *task = NULL;
59602+ const struct cred *cred, *pcred;
59603+ va_list ap;
59604+
59605+ BEGIN_LOCKS(audit);
59606+ logtype = gr_log_start(audit);
59607+ if (logtype == FLOODING) {
59608+ END_LOCKS(audit);
59609+ return;
59610+ }
59611+ va_start(ap, argtypes);
59612+ switch (argtypes) {
59613+ case GR_TTYSNIFF:
59614+ task = va_arg(ap, struct task_struct *);
59615+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
59616+ break;
59617+ case GR_SYSCTL_HIDDEN:
59618+ str1 = va_arg(ap, char *);
59619+ gr_log_middle_varargs(audit, msg, result, str1);
59620+ break;
59621+ case GR_RBAC:
59622+ dentry = va_arg(ap, struct dentry *);
59623+ mnt = va_arg(ap, struct vfsmount *);
59624+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
59625+ break;
59626+ case GR_RBAC_STR:
59627+ dentry = va_arg(ap, struct dentry *);
59628+ mnt = va_arg(ap, struct vfsmount *);
59629+ str1 = va_arg(ap, char *);
59630+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
59631+ break;
59632+ case GR_STR_RBAC:
59633+ str1 = va_arg(ap, char *);
59634+ dentry = va_arg(ap, struct dentry *);
59635+ mnt = va_arg(ap, struct vfsmount *);
59636+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
59637+ break;
59638+ case GR_RBAC_MODE2:
59639+ dentry = va_arg(ap, struct dentry *);
59640+ mnt = va_arg(ap, struct vfsmount *);
59641+ str1 = va_arg(ap, char *);
59642+ str2 = va_arg(ap, char *);
59643+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
59644+ break;
59645+ case GR_RBAC_MODE3:
59646+ dentry = va_arg(ap, struct dentry *);
59647+ mnt = va_arg(ap, struct vfsmount *);
59648+ str1 = va_arg(ap, char *);
59649+ str2 = va_arg(ap, char *);
59650+ str3 = va_arg(ap, char *);
59651+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
59652+ break;
59653+ case GR_FILENAME:
59654+ dentry = va_arg(ap, struct dentry *);
59655+ mnt = va_arg(ap, struct vfsmount *);
59656+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
59657+ break;
59658+ case GR_STR_FILENAME:
59659+ str1 = va_arg(ap, char *);
59660+ dentry = va_arg(ap, struct dentry *);
59661+ mnt = va_arg(ap, struct vfsmount *);
59662+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
59663+ break;
59664+ case GR_FILENAME_STR:
59665+ dentry = va_arg(ap, struct dentry *);
59666+ mnt = va_arg(ap, struct vfsmount *);
59667+ str1 = va_arg(ap, char *);
59668+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
59669+ break;
59670+ case GR_FILENAME_TWO_INT:
59671+ dentry = va_arg(ap, struct dentry *);
59672+ mnt = va_arg(ap, struct vfsmount *);
59673+ num1 = va_arg(ap, int);
59674+ num2 = va_arg(ap, int);
59675+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
59676+ break;
59677+ case GR_FILENAME_TWO_INT_STR:
59678+ dentry = va_arg(ap, struct dentry *);
59679+ mnt = va_arg(ap, struct vfsmount *);
59680+ num1 = va_arg(ap, int);
59681+ num2 = va_arg(ap, int);
59682+ str1 = va_arg(ap, char *);
59683+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
59684+ break;
59685+ case GR_TEXTREL:
59686+ file = va_arg(ap, struct file *);
59687+ ulong1 = va_arg(ap, unsigned long);
59688+ ulong2 = va_arg(ap, unsigned long);
59689+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
59690+ break;
59691+ case GR_PTRACE:
59692+ task = va_arg(ap, struct task_struct *);
59693+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
59694+ break;
59695+ case GR_RESOURCE:
59696+ task = va_arg(ap, struct task_struct *);
59697+ cred = __task_cred(task);
59698+ pcred = __task_cred(task->real_parent);
59699+ ulong1 = va_arg(ap, unsigned long);
59700+ str1 = va_arg(ap, char *);
59701+ ulong2 = va_arg(ap, unsigned long);
59702+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59703+ break;
59704+ case GR_CAP:
59705+ task = va_arg(ap, struct task_struct *);
59706+ cred = __task_cred(task);
59707+ pcred = __task_cred(task->real_parent);
59708+ str1 = va_arg(ap, char *);
59709+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59710+ break;
59711+ case GR_SIG:
59712+ str1 = va_arg(ap, char *);
59713+ voidptr = va_arg(ap, void *);
59714+ gr_log_middle_varargs(audit, msg, str1, voidptr);
59715+ break;
59716+ case GR_SIG2:
59717+ task = va_arg(ap, struct task_struct *);
59718+ cred = __task_cred(task);
59719+ pcred = __task_cred(task->real_parent);
59720+ num1 = va_arg(ap, int);
59721+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59722+ break;
59723+ case GR_CRASH1:
59724+ task = va_arg(ap, struct task_struct *);
59725+ cred = __task_cred(task);
59726+ pcred = __task_cred(task->real_parent);
59727+ ulong1 = va_arg(ap, unsigned long);
59728+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
59729+ break;
59730+ case GR_CRASH2:
59731+ task = va_arg(ap, struct task_struct *);
59732+ cred = __task_cred(task);
59733+ pcred = __task_cred(task->real_parent);
59734+ ulong1 = va_arg(ap, unsigned long);
59735+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
59736+ break;
59737+ case GR_RWXMAP:
59738+ file = va_arg(ap, struct file *);
59739+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
59740+ break;
59741+ case GR_PSACCT:
59742+ {
59743+ unsigned int wday, cday;
59744+ __u8 whr, chr;
59745+ __u8 wmin, cmin;
59746+ __u8 wsec, csec;
59747+ char cur_tty[64] = { 0 };
59748+ char parent_tty[64] = { 0 };
59749+
59750+ task = va_arg(ap, struct task_struct *);
59751+ wday = va_arg(ap, unsigned int);
59752+ cday = va_arg(ap, unsigned int);
59753+ whr = va_arg(ap, int);
59754+ chr = va_arg(ap, int);
59755+ wmin = va_arg(ap, int);
59756+ cmin = va_arg(ap, int);
59757+ wsec = va_arg(ap, int);
59758+ csec = va_arg(ap, int);
59759+ ulong1 = va_arg(ap, unsigned long);
59760+ cred = __task_cred(task);
59761+ pcred = __task_cred(task->real_parent);
59762+
59763+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
59764+ }
59765+ break;
59766+ default:
59767+ gr_log_middle(audit, msg, ap);
59768+ }
59769+ va_end(ap);
59770+ // these don't need DEFAULTSECARGS printed on the end
59771+ if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
59772+ gr_log_end(audit, 0);
59773+ else
59774+ gr_log_end(audit, 1);
59775+ END_LOCKS(audit);
59776+}
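Review bot: Task-controlled strings reach printk() unsanitised: task->comm and the gr_to_filename()/gr_task_fullpath() results are handed straight to gr_log_middle_varargs() in most cases of gr_log_varargs(), and gr_log_end() prints the assembled buffer with `printk("%s\n", buf)`. A process chooses its own comm and file names, so unless the format strings or the path helpers (not visible in this hunk) filter them, a newline or other control byte can split an alert line or make it look like a separate record. gr_handle_exec_args() in this same patch already rewrites unprintable argv bytes to spaces; doing the same once over the finished buffer in gr_log_end() would cover every case, at the cost of blanking non-ASCII path bytes. Independently, BEGIN_LOCKS/END_LOCKS are multi-statement macros not wrapped in `do { ... } while (0)`, so an unbraced `if (...) END_LOCKS(audit);` would release only part of the lock set.

```c
/* in gr_log_end(), next to the existing declaration of buf */
	char *p;

	/* … unchanged: optional DEFAULTSECMSG append … */

	/* rewrite unprintable characters before the line reaches the log,
	   as gr_handle_exec_args() does for argv */
	for (p = buf; *p; p++) {
		if (*p < 32 || *p > 126)
			*p = ' ';
	}
	printk("%s\n", buf);
```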
59777diff -urNp linux-2.6.32.48/grsecurity/grsec_mem.c linux-2.6.32.48/grsecurity/grsec_mem.c
59778--- linux-2.6.32.48/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
59779+++ linux-2.6.32.48/grsecurity/grsec_mem.c 2011-11-15 19:59:43.000000000 -0500
59780@@ -0,0 +1,33 @@
59781+#include <linux/kernel.h>
59782+#include <linux/sched.h>
59783+#include <linux/mm.h>
59784+#include <linux/mman.h>
59785+#include <linux/grinternal.h>
59786+
59787+void
59788+gr_handle_ioperm(void)
59789+{
59790+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
59791+ return;
59792+}
59793+
59794+void
59795+gr_handle_iopl(void)
59796+{
59797+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
59798+ return;
59799+}
59800+
59801+void
59802+gr_handle_mem_readwrite(u64 from, u64 to)
59803+{
59804+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
59805+ return;
59806+}
59807+
59808+void
59809+gr_handle_vm86(void)
59810+{
59811+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
59812+ return;
59813+}
59814diff -urNp linux-2.6.32.48/grsecurity/grsec_mount.c linux-2.6.32.48/grsecurity/grsec_mount.c
59815--- linux-2.6.32.48/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
59816+++ linux-2.6.32.48/grsecurity/grsec_mount.c 2011-11-15 19:59:43.000000000 -0500
59817@@ -0,0 +1,62 @@
59818+#include <linux/kernel.h>
59819+#include <linux/sched.h>
59820+#include <linux/mount.h>
59821+#include <linux/grsecurity.h>
59822+#include <linux/grinternal.h>
59823+
59824+void
59825+gr_log_remount(const char *devname, const int retval)
59826+{
59827+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59828+ if (grsec_enable_mount && (retval >= 0))
59829+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
59830+#endif
59831+ return;
59832+}
59833+
59834+void
59835+gr_log_unmount(const char *devname, const int retval)
59836+{
59837+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59838+ if (grsec_enable_mount && (retval >= 0))
59839+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
59840+#endif
59841+ return;
59842+}
59843+
59844+void
59845+gr_log_mount(const char *from, const char *to, const int retval)
59846+{
59847+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
59848+ if (grsec_enable_mount && (retval >= 0))
59849+ gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
59850+#endif
59851+ return;
59852+}
59853+
59854+int
59855+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
59856+{
59857+#ifdef CONFIG_GRKERNSEC_ROFS
59858+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
59859+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
59860+ return -EPERM;
59861+ } else
59862+ return 0;
59863+#endif
59864+ return 0;
59865+}
59866+
59867+int
59868+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
59869+{
59870+#ifdef CONFIG_GRKERNSEC_ROFS
59871+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
59872+ dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
59873+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
59874+ return -EPERM;
59875+ } else
59876+ return 0;
59877+#endif
59878+ return 0;
59879+}
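Review bot: The three audit helpers here (`gr_log_remount`, `gr_log_unmount`, `gr_log_mount`) log only when `retval >= 0`, so a mount, remount or unmount attempt that fails leaves no record from this code, and nothing in the file says that this is intended. A comment above the first check would make the audit coverage explicit, for example `/* audit successful operations only; attempts that fail (retval < 0) are not logged here */`. In `gr_log_mount` the `to` argument is also passed on without the `"none"` fallback that `from` gets. If a caller outside this hunk can pass NULL there, it needs the same guard: `to ? to : "none"`.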
59880diff -urNp linux-2.6.32.48/grsecurity/grsec_pax.c linux-2.6.32.48/grsecurity/grsec_pax.c
59881--- linux-2.6.32.48/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
59882+++ linux-2.6.32.48/grsecurity/grsec_pax.c 2011-11-15 19:59:43.000000000 -0500
59883@@ -0,0 +1,36 @@
59884+#include <linux/kernel.h>
59885+#include <linux/sched.h>
59886+#include <linux/mm.h>
59887+#include <linux/file.h>
59888+#include <linux/grinternal.h>
59889+#include <linux/grsecurity.h>
59890+
59891+void
59892+gr_log_textrel(struct vm_area_struct * vma)
59893+{
59894+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
59895+ if (grsec_enable_audit_textrel)
59896+ gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
59897+#endif
59898+ return;
59899+}
59900+
59901+void
59902+gr_log_rwxmmap(struct file *file)
59903+{
59904+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59905+ if (grsec_enable_log_rwxmaps)
59906+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
59907+#endif
59908+ return;
59909+}
59910+
59911+void
59912+gr_log_rwxmprotect(struct file *file)
59913+{
59914+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
59915+ if (grsec_enable_log_rwxmaps)
59916+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
59917+#endif
59918+ return;
59919+}
59920diff -urNp linux-2.6.32.48/grsecurity/grsec_ptrace.c linux-2.6.32.48/grsecurity/grsec_ptrace.c
59921--- linux-2.6.32.48/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
59922+++ linux-2.6.32.48/grsecurity/grsec_ptrace.c 2011-11-15 19:59:43.000000000 -0500
59923@@ -0,0 +1,14 @@
59924+#include <linux/kernel.h>
59925+#include <linux/sched.h>
59926+#include <linux/grinternal.h>
59927+#include <linux/grsecurity.h>
59928+
59929+void
59930+gr_audit_ptrace(struct task_struct *task)
59931+{
59932+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
59933+ if (grsec_enable_audit_ptrace)
59934+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
59935+#endif
59936+ return;
59937+}
59938diff -urNp linux-2.6.32.48/grsecurity/grsec_sig.c linux-2.6.32.48/grsecurity/grsec_sig.c
59939--- linux-2.6.32.48/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
59940+++ linux-2.6.32.48/grsecurity/grsec_sig.c 2011-11-15 19:59:43.000000000 -0500
59941@@ -0,0 +1,205 @@
59942+#include <linux/kernel.h>
59943+#include <linux/sched.h>
59944+#include <linux/delay.h>
59945+#include <linux/grsecurity.h>
59946+#include <linux/grinternal.h>
59947+#include <linux/hardirq.h>
59948+
59949+char *signames[] = {
59950+ [SIGSEGV] = "Segmentation fault",
59951+ [SIGILL] = "Illegal instruction",
59952+ [SIGABRT] = "Abort",
59953+ [SIGBUS] = "Invalid alignment/Bus error"
59954+};
59955+
59956+void
59957+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
59958+{
59959+#ifdef CONFIG_GRKERNSEC_SIGNAL
59960+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
59961+ (sig == SIGABRT) || (sig == SIGBUS))) {
59962+ if (t->pid == current->pid) {
59963+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
59964+ } else {
59965+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
59966+ }
59967+ }
59968+#endif
59969+ return;
59970+}
59971+
59972+int
59973+gr_handle_signal(const struct task_struct *p, const int sig)
59974+{
59975+#ifdef CONFIG_GRKERNSEC
59976+ if (current->pid > 1 && gr_check_protected_task(p)) {
59977+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
59978+ return -EPERM;
59979+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
59980+ return -EPERM;
59981+ }
59982+#endif
59983+ return 0;
59984+}
59985+
59986+#ifdef CONFIG_GRKERNSEC
59987+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
59988+
59989+int gr_fake_force_sig(int sig, struct task_struct *t)
59990+{
59991+ unsigned long int flags;
59992+ int ret, blocked, ignored;
59993+ struct k_sigaction *action;
59994+
59995+ spin_lock_irqsave(&t->sighand->siglock, flags);
59996+ action = &t->sighand->action[sig-1];
59997+ ignored = action->sa.sa_handler == SIG_IGN;
59998+ blocked = sigismember(&t->blocked, sig);
59999+ if (blocked || ignored) {
60000+ action->sa.sa_handler = SIG_DFL;
60001+ if (blocked) {
60002+ sigdelset(&t->blocked, sig);
60003+ recalc_sigpending_and_wake(t);
60004+ }
60005+ }
60006+ if (action->sa.sa_handler == SIG_DFL)
60007+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
60008+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
60009+
60010+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
60011+
60012+ return ret;
60013+}
60014+#endif
60015+
60016+#ifdef CONFIG_GRKERNSEC_BRUTE
60017+#define GR_USER_BAN_TIME (15 * 60)
60018+
60019+static int __get_dumpable(unsigned long mm_flags)
60020+{
60021+ int ret;
60022+
60023+ ret = mm_flags & MMF_DUMPABLE_MASK;
60024+ return (ret >= 2) ? 2 : ret;
60025+}
60026+#endif
60027+
60028+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
60029+{
60030+#ifdef CONFIG_GRKERNSEC_BRUTE
60031+ uid_t uid = 0;
60032+
60033+ if (!grsec_enable_brute)
60034+ return;
60035+
60036+ rcu_read_lock();
60037+ read_lock(&tasklist_lock);
60038+ read_lock(&grsec_exec_file_lock);
60039+ if (p->real_parent && p->real_parent->exec_file == p->exec_file)
60040+ p->real_parent->brute = 1;
60041+ else {
60042+ const struct cred *cred = __task_cred(p), *cred2;
60043+ struct task_struct *tsk, *tsk2;
60044+
60045+ if (!__get_dumpable(mm_flags) && cred->uid) {
60046+ struct user_struct *user;
60047+
60048+ uid = cred->uid;
60049+
60050+ /* this is put upon execution past expiration */
60051+ user = find_user(uid);
60052+ if (user == NULL)
60053+ goto unlock;
60054+ user->banned = 1;
60055+ user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
60056+ if (user->ban_expires == ~0UL)
60057+ user->ban_expires--;
60058+
60059+ do_each_thread(tsk2, tsk) {
60060+ cred2 = __task_cred(tsk);
60061+ if (tsk != p && cred2->uid == uid)
60062+ gr_fake_force_sig(SIGKILL, tsk);
60063+ } while_each_thread(tsk2, tsk);
60064+ }
60065+ }
60066+unlock:
60067+ read_unlock(&grsec_exec_file_lock);
60068+ read_unlock(&tasklist_lock);
60069+ rcu_read_unlock();
60070+
60071+ if (uid)
60072+ printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
60073+#endif
60074+ return;
60075+}
60076+
60077+void gr_handle_brute_check(void)
60078+{
60079+#ifdef CONFIG_GRKERNSEC_BRUTE
60080+ if (current->brute)
60081+ msleep(30 * 1000);
60082+#endif
60083+ return;
60084+}
60085+
60086+void gr_handle_kernel_exploit(void)
60087+{
60088+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
60089+ const struct cred *cred;
60090+ struct task_struct *tsk, *tsk2;
60091+ struct user_struct *user;
60092+ uid_t uid;
60093+
60094+ if (in_irq() || in_serving_softirq() || in_nmi())
60095+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
60096+
60097+ uid = current_uid();
60098+
60099+ if (uid == 0)
60100+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
60101+ else {
60102+ /* kill all the processes of this user, hold a reference
60103+ to their creds struct, and prevent them from creating
60104+ another process until system reset
60105+ */
60106+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
60107+ /* we intentionally leak this ref */
60108+ user = get_uid(current->cred->user);
60109+ if (user) {
60110+ user->banned = 1;
60111+ user->ban_expires = ~0UL;
60112+ }
60113+
60114+ read_lock(&tasklist_lock);
60115+ do_each_thread(tsk2, tsk) {
60116+ cred = __task_cred(tsk);
60117+ if (cred->uid == uid)
60118+ gr_fake_force_sig(SIGKILL, tsk);
60119+ } while_each_thread(tsk2, tsk);
60120+ read_unlock(&tasklist_lock);
60121+ }
60122+#endif
60123+}
60124+
60125+int __gr_process_user_ban(struct user_struct *user)
60126+{
60127+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60128+ if (unlikely(user->banned)) {
60129+ if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
60130+ user->banned = 0;
60131+ user->ban_expires = 0;
60132+ free_uid(user);
60133+ } else
60134+ return -EPERM;
60135+ }
60136+#endif
60137+ return 0;
60138+}
60139+
60140+int gr_process_user_ban(void)
60141+{
60142+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
60143+ return __gr_process_user_ban(current->cred->user);
60144+#endif
60145+ return 0;
60146+}
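Review bot: `__gr_process_user_ban` tests and clears `user->banned` with no lock or atomic operation, so two tasks of the same uid that reach the expiry branch together can both call `free_uid(user)`. That would drop the reference `gr_handle_brute_attach` took with `find_user()` twice and could release the `user_struct` while it is still in use, unless callers outside this hunk already serialise the check. `gr_handle_brute_attach` also takes a fresh reference every time it fires for a uid, even when `user->banned` is already set, while expiry releases only one. The sketch below serialises the expiry decision with a file-local lock so exactly one task drops the reference. The two places that set the ban would need the same lock, and the brute-force path should skip `find_user()` when a ban is already active. It assumes process context, which this hunk does not show.

```c
/* proposed: serialises ban state changes for all users */
static DEFINE_SPINLOCK(gr_user_ban_lock);

int __gr_process_user_ban(struct user_struct *user)
{
#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
	int ret = 0, drop_ref = 0;

	if (likely(!user->banned))
		return 0;

	spin_lock(&gr_user_ban_lock);
	/* re-check under the lock: another task may have expired the ban */
	if (user->banned) {
		if (user->ban_expires != ~0UL &&
		    time_after_eq(get_seconds(), user->ban_expires)) {
			user->banned = 0;
			user->ban_expires = 0;
			drop_ref = 1;
		} else
			ret = -EPERM;
	}
	spin_unlock(&gr_user_ban_lock);

	/* only the task that cleared the ban releases the ban reference */
	if (drop_ref)
		free_uid(user);
	return ret;
#endif
	return 0;
}
```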
60147diff -urNp linux-2.6.32.48/grsecurity/grsec_sock.c linux-2.6.32.48/grsecurity/grsec_sock.c
60148--- linux-2.6.32.48/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
60149+++ linux-2.6.32.48/grsecurity/grsec_sock.c 2011-11-15 19:59:43.000000000 -0500
60150@@ -0,0 +1,275 @@
60151+#include <linux/kernel.h>
60152+#include <linux/module.h>
60153+#include <linux/sched.h>
60154+#include <linux/file.h>
60155+#include <linux/net.h>
60156+#include <linux/in.h>
60157+#include <linux/ip.h>
60158+#include <net/sock.h>
60159+#include <net/inet_sock.h>
60160+#include <linux/grsecurity.h>
60161+#include <linux/grinternal.h>
60162+#include <linux/gracl.h>
60163+
60164+kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
60165+EXPORT_SYMBOL(gr_cap_rtnetlink);
60166+
60167+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
60168+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
60169+
60170+EXPORT_SYMBOL(gr_search_udp_recvmsg);
60171+EXPORT_SYMBOL(gr_search_udp_sendmsg);
60172+
60173+#ifdef CONFIG_UNIX_MODULE
60174+EXPORT_SYMBOL(gr_acl_handle_unix);
60175+EXPORT_SYMBOL(gr_acl_handle_mknod);
60176+EXPORT_SYMBOL(gr_handle_chroot_unix);
60177+EXPORT_SYMBOL(gr_handle_create);
60178+#endif
60179+
60180+#ifdef CONFIG_GRKERNSEC
60181+#define gr_conn_table_size 32749
60182+struct conn_table_entry {
60183+ struct conn_table_entry *next;
60184+ struct signal_struct *sig;
60185+};
60186+
60187+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
60188+DEFINE_SPINLOCK(gr_conn_table_lock);
60189+
60190+extern const char * gr_socktype_to_name(unsigned char type);
60191+extern const char * gr_proto_to_name(unsigned char proto);
60192+extern const char * gr_sockfamily_to_name(unsigned char family);
60193+
60194+static __inline__ int
60195+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
60196+{
60197+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
60198+}
60199+
60200+static __inline__ int
60201+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
60202+ __u16 sport, __u16 dport)
60203+{
60204+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
60205+ sig->gr_sport == sport && sig->gr_dport == dport))
60206+ return 1;
60207+ else
60208+ return 0;
60209+}
60210+
60211+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
60212+{
60213+ struct conn_table_entry **match;
60214+ unsigned int index;
60215+
60216+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60217+ sig->gr_sport, sig->gr_dport,
60218+ gr_conn_table_size);
60219+
60220+ newent->sig = sig;
60221+
60222+ match = &gr_conn_table[index];
60223+ newent->next = *match;
60224+ *match = newent;
60225+
60226+ return;
60227+}
60228+
60229+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
60230+{
60231+ struct conn_table_entry *match, *last = NULL;
60232+ unsigned int index;
60233+
60234+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
60235+ sig->gr_sport, sig->gr_dport,
60236+ gr_conn_table_size);
60237+
60238+ match = gr_conn_table[index];
60239+ while (match && !conn_match(match->sig,
60240+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
60241+ sig->gr_dport)) {
60242+ last = match;
60243+ match = match->next;
60244+ }
60245+
60246+ if (match) {
60247+ if (last)
60248+ last->next = match->next;
60249+ else
60250+ gr_conn_table[index] = NULL;
60251+ kfree(match);
60252+ }
60253+
60254+ return;
60255+}
60256+
60257+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
60258+ __u16 sport, __u16 dport)
60259+{
60260+ struct conn_table_entry *match;
60261+ unsigned int index;
60262+
60263+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
60264+
60265+ match = gr_conn_table[index];
60266+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
60267+ match = match->next;
60268+
60269+ if (match)
60270+ return match->sig;
60271+ else
60272+ return NULL;
60273+}
60274+
60275+#endif
60276+
60277+void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
60278+{
60279+#ifdef CONFIG_GRKERNSEC
60280+ struct signal_struct *sig = task->signal;
60281+ struct conn_table_entry *newent;
60282+
60283+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
60284+ if (newent == NULL)
60285+ return;
60286+ /* no bh lock needed since we are called with bh disabled */
60287+ spin_lock(&gr_conn_table_lock);
60288+ gr_del_task_from_ip_table_nolock(sig);
60289+ sig->gr_saddr = inet->rcv_saddr;
60290+ sig->gr_daddr = inet->daddr;
60291+ sig->gr_sport = inet->sport;
60292+ sig->gr_dport = inet->dport;
60293+ gr_add_to_task_ip_table_nolock(sig, newent);
60294+ spin_unlock(&gr_conn_table_lock);
60295+#endif
60296+ return;
60297+}
60298+
60299+void gr_del_task_from_ip_table(struct task_struct *task)
60300+{
60301+#ifdef CONFIG_GRKERNSEC
60302+ spin_lock_bh(&gr_conn_table_lock);
60303+ gr_del_task_from_ip_table_nolock(task->signal);
60304+ spin_unlock_bh(&gr_conn_table_lock);
60305+#endif
60306+ return;
60307+}
60308+
60309+void
60310+gr_attach_curr_ip(const struct sock *sk)
60311+{
60312+#ifdef CONFIG_GRKERNSEC
60313+ struct signal_struct *p, *set;
60314+ const struct inet_sock *inet = inet_sk(sk);
60315+
60316+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
60317+ return;
60318+
60319+ set = current->signal;
60320+
60321+ spin_lock_bh(&gr_conn_table_lock);
60322+ p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
60323+ inet->dport, inet->sport);
60324+ if (unlikely(p != NULL)) {
60325+ set->curr_ip = p->curr_ip;
60326+ set->used_accept = 1;
60327+ gr_del_task_from_ip_table_nolock(p);
60328+ spin_unlock_bh(&gr_conn_table_lock);
60329+ return;
60330+ }
60331+ spin_unlock_bh(&gr_conn_table_lock);
60332+
60333+ set->curr_ip = inet->daddr;
60334+ set->used_accept = 1;
60335+#endif
60336+ return;
60337+}
60338+
60339+int
60340+gr_handle_sock_all(const int family, const int type, const int protocol)
60341+{
60342+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60343+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
60344+ (family != AF_UNIX)) {
60345+ if (family == AF_INET)
60346+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
60347+ else
60348+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
60349+ return -EACCES;
60350+ }
60351+#endif
60352+ return 0;
60353+}
60354+
60355+int
60356+gr_handle_sock_server(const struct sockaddr *sck)
60357+{
60358+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60359+ if (grsec_enable_socket_server &&
60360+ in_group_p(grsec_socket_server_gid) &&
60361+ sck && (sck->sa_family != AF_UNIX) &&
60362+ (sck->sa_family != AF_LOCAL)) {
60363+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60364+ return -EACCES;
60365+ }
60366+#endif
60367+ return 0;
60368+}
60369+
60370+int
60371+gr_handle_sock_server_other(const struct sock *sck)
60372+{
60373+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60374+ if (grsec_enable_socket_server &&
60375+ in_group_p(grsec_socket_server_gid) &&
60376+ sck && (sck->sk_family != AF_UNIX) &&
60377+ (sck->sk_family != AF_LOCAL)) {
60378+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
60379+ return -EACCES;
60380+ }
60381+#endif
60382+ return 0;
60383+}
60384+
60385+int
60386+gr_handle_sock_client(const struct sockaddr *sck)
60387+{
60388+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60389+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
60390+ sck && (sck->sa_family != AF_UNIX) &&
60391+ (sck->sa_family != AF_LOCAL)) {
60392+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
60393+ return -EACCES;
60394+ }
60395+#endif
60396+ return 0;
60397+}
60398+
60399+kernel_cap_t
60400+gr_cap_rtnetlink(struct sock *sock)
60401+{
60402+#ifdef CONFIG_GRKERNSEC
60403+ if (!gr_acl_is_enabled())
60404+ return current_cap();
60405+ else if (sock->sk_protocol == NETLINK_ISCSI &&
60406+ cap_raised(current_cap(), CAP_SYS_ADMIN) &&
60407+ gr_is_capable(CAP_SYS_ADMIN))
60408+ return current_cap();
60409+ else if (sock->sk_protocol == NETLINK_AUDIT &&
60410+ cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
60411+ gr_is_capable(CAP_AUDIT_WRITE) &&
60412+ cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
60413+ gr_is_capable(CAP_AUDIT_CONTROL))
60414+ return current_cap();
60415+ else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
60416+ ((sock->sk_protocol == NETLINK_ROUTE) ?
60417+ gr_is_capable_nolog(CAP_NET_ADMIN) :
60418+ gr_is_capable(CAP_NET_ADMIN)))
60419+ return current_cap();
60420+ else
60421+ return __cap_empty_set;
60422+#else
60423+ return current_cap();
60424+#endif
60425+}
60426diff -urNp linux-2.6.32.48/grsecurity/grsec_sysctl.c linux-2.6.32.48/grsecurity/grsec_sysctl.c
60427--- linux-2.6.32.48/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
60428+++ linux-2.6.32.48/grsecurity/grsec_sysctl.c 2011-11-15 19:59:43.000000000 -0500
60429@@ -0,0 +1,479 @@
60430+#include <linux/kernel.h>
60431+#include <linux/sched.h>
60432+#include <linux/sysctl.h>
60433+#include <linux/grsecurity.h>
60434+#include <linux/grinternal.h>
60435+
60436+int
60437+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
60438+{
60439+#ifdef CONFIG_GRKERNSEC_SYSCTL
60440+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
60441+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
60442+ return -EACCES;
60443+ }
60444+#endif
60445+ return 0;
60446+}
60447+
60448+#ifdef CONFIG_GRKERNSEC_ROFS
60449+static int __maybe_unused one = 1;
60450+#endif
60451+
60452+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
60453+ctl_table grsecurity_table[] = {
60454+#ifdef CONFIG_GRKERNSEC_SYSCTL
60455+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
60456+#ifdef CONFIG_GRKERNSEC_IO
60457+ {
60458+ .ctl_name = CTL_UNNUMBERED,
60459+ .procname = "disable_priv_io",
60460+ .data = &grsec_disable_privio,
60461+ .maxlen = sizeof(int),
60462+ .mode = 0600,
60463+ .proc_handler = &proc_dointvec,
60464+ },
60465+#endif
60466+#endif
60467+#ifdef CONFIG_GRKERNSEC_LINK
60468+ {
60469+ .ctl_name = CTL_UNNUMBERED,
60470+ .procname = "linking_restrictions",
60471+ .data = &grsec_enable_link,
60472+ .maxlen = sizeof(int),
60473+ .mode = 0600,
60474+ .proc_handler = &proc_dointvec,
60475+ },
60476+#endif
60477+#ifdef CONFIG_GRKERNSEC_BRUTE
60478+ {
60479+ .ctl_name = CTL_UNNUMBERED,
60480+ .procname = "deter_bruteforce",
60481+ .data = &grsec_enable_brute,
60482+ .maxlen = sizeof(int),
60483+ .mode = 0600,
60484+ .proc_handler = &proc_dointvec,
60485+ },
60486+#endif
60487+#ifdef CONFIG_GRKERNSEC_FIFO
60488+ {
60489+ .ctl_name = CTL_UNNUMBERED,
60490+ .procname = "fifo_restrictions",
60491+ .data = &grsec_enable_fifo,
60492+ .maxlen = sizeof(int),
60493+ .mode = 0600,
60494+ .proc_handler = &proc_dointvec,
60495+ },
60496+#endif
60497+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
60498+ {
60499+ .ctl_name = CTL_UNNUMBERED,
60500+ .procname = "ip_blackhole",
60501+ .data = &grsec_enable_blackhole,
60502+ .maxlen = sizeof(int),
60503+ .mode = 0600,
60504+ .proc_handler = &proc_dointvec,
60505+ },
60506+ {
60507+ .ctl_name = CTL_UNNUMBERED,
60508+ .procname = "lastack_retries",
60509+ .data = &grsec_lastack_retries,
60510+ .maxlen = sizeof(int),
60511+ .mode = 0600,
60512+ .proc_handler = &proc_dointvec,
60513+ },
60514+#endif
60515+#ifdef CONFIG_GRKERNSEC_EXECLOG
60516+ {
60517+ .ctl_name = CTL_UNNUMBERED,
60518+ .procname = "exec_logging",
60519+ .data = &grsec_enable_execlog,
60520+ .maxlen = sizeof(int),
60521+ .mode = 0600,
60522+ .proc_handler = &proc_dointvec,
60523+ },
60524+#endif
60525+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
60526+ {
60527+ .ctl_name = CTL_UNNUMBERED,
60528+ .procname = "rwxmap_logging",
60529+ .data = &grsec_enable_log_rwxmaps,
60530+ .maxlen = sizeof(int),
60531+ .mode = 0600,
60532+ .proc_handler = &proc_dointvec,
60533+ },
60534+#endif
60535+#ifdef CONFIG_GRKERNSEC_SIGNAL
60536+ {
60537+ .ctl_name = CTL_UNNUMBERED,
60538+ .procname = "signal_logging",
60539+ .data = &grsec_enable_signal,
60540+ .maxlen = sizeof(int),
60541+ .mode = 0600,
60542+ .proc_handler = &proc_dointvec,
60543+ },
60544+#endif
60545+#ifdef CONFIG_GRKERNSEC_FORKFAIL
60546+ {
60547+ .ctl_name = CTL_UNNUMBERED,
60548+ .procname = "forkfail_logging",
60549+ .data = &grsec_enable_forkfail,
60550+ .maxlen = sizeof(int),
60551+ .mode = 0600,
60552+ .proc_handler = &proc_dointvec,
60553+ },
60554+#endif
60555+#ifdef CONFIG_GRKERNSEC_TIME
60556+ {
60557+ .ctl_name = CTL_UNNUMBERED,
60558+ .procname = "timechange_logging",
60559+ .data = &grsec_enable_time,
60560+ .maxlen = sizeof(int),
60561+ .mode = 0600,
60562+ .proc_handler = &proc_dointvec,
60563+ },
60564+#endif
60565+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
60566+ {
60567+ .ctl_name = CTL_UNNUMBERED,
60568+ .procname = "chroot_deny_shmat",
60569+ .data = &grsec_enable_chroot_shmat,
60570+ .maxlen = sizeof(int),
60571+ .mode = 0600,
60572+ .proc_handler = &proc_dointvec,
60573+ },
60574+#endif
60575+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
60576+ {
60577+ .ctl_name = CTL_UNNUMBERED,
60578+ .procname = "chroot_deny_unix",
60579+ .data = &grsec_enable_chroot_unix,
60580+ .maxlen = sizeof(int),
60581+ .mode = 0600,
60582+ .proc_handler = &proc_dointvec,
60583+ },
60584+#endif
60585+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
60586+ {
60587+ .ctl_name = CTL_UNNUMBERED,
60588+ .procname = "chroot_deny_mount",
60589+ .data = &grsec_enable_chroot_mount,
60590+ .maxlen = sizeof(int),
60591+ .mode = 0600,
60592+ .proc_handler = &proc_dointvec,
60593+ },
60594+#endif
60595+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
60596+ {
60597+ .ctl_name = CTL_UNNUMBERED,
60598+ .procname = "chroot_deny_fchdir",
60599+ .data = &grsec_enable_chroot_fchdir,
60600+ .maxlen = sizeof(int),
60601+ .mode = 0600,
60602+ .proc_handler = &proc_dointvec,
60603+ },
60604+#endif
60605+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
60606+ {
60607+ .ctl_name = CTL_UNNUMBERED,
60608+ .procname = "chroot_deny_chroot",
60609+ .data = &grsec_enable_chroot_double,
60610+ .maxlen = sizeof(int),
60611+ .mode = 0600,
60612+ .proc_handler = &proc_dointvec,
60613+ },
60614+#endif
60615+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
60616+ {
60617+ .ctl_name = CTL_UNNUMBERED,
60618+ .procname = "chroot_deny_pivot",
60619+ .data = &grsec_enable_chroot_pivot,
60620+ .maxlen = sizeof(int),
60621+ .mode = 0600,
60622+ .proc_handler = &proc_dointvec,
60623+ },
60624+#endif
60625+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
60626+ {
60627+ .ctl_name = CTL_UNNUMBERED,
60628+ .procname = "chroot_enforce_chdir",
60629+ .data = &grsec_enable_chroot_chdir,
60630+ .maxlen = sizeof(int),
60631+ .mode = 0600,
60632+ .proc_handler = &proc_dointvec,
60633+ },
60634+#endif
60635+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
60636+ {
60637+ .ctl_name = CTL_UNNUMBERED,
60638+ .procname = "chroot_deny_chmod",
60639+ .data = &grsec_enable_chroot_chmod,
60640+ .maxlen = sizeof(int),
60641+ .mode = 0600,
60642+ .proc_handler = &proc_dointvec,
60643+ },
60644+#endif
60645+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
60646+ {
60647+ .ctl_name = CTL_UNNUMBERED,
60648+ .procname = "chroot_deny_mknod",
60649+ .data = &grsec_enable_chroot_mknod,
60650+ .maxlen = sizeof(int),
60651+ .mode = 0600,
60652+ .proc_handler = &proc_dointvec,
60653+ },
60654+#endif
60655+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
60656+ {
60657+ .ctl_name = CTL_UNNUMBERED,
60658+ .procname = "chroot_restrict_nice",
60659+ .data = &grsec_enable_chroot_nice,
60660+ .maxlen = sizeof(int),
60661+ .mode = 0600,
60662+ .proc_handler = &proc_dointvec,
60663+ },
60664+#endif
60665+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
60666+ {
60667+ .ctl_name = CTL_UNNUMBERED,
60668+ .procname = "chroot_execlog",
60669+ .data = &grsec_enable_chroot_execlog,
60670+ .maxlen = sizeof(int),
60671+ .mode = 0600,
60672+ .proc_handler = &proc_dointvec,
60673+ },
60674+#endif
60675+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
60676+ {
60677+ .ctl_name = CTL_UNNUMBERED,
60678+ .procname = "chroot_caps",
60679+ .data = &grsec_enable_chroot_caps,
60680+ .maxlen = sizeof(int),
60681+ .mode = 0600,
60682+ .proc_handler = &proc_dointvec,
60683+ },
60684+#endif
60685+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
60686+ {
60687+ .ctl_name = CTL_UNNUMBERED,
60688+ .procname = "chroot_deny_sysctl",
60689+ .data = &grsec_enable_chroot_sysctl,
60690+ .maxlen = sizeof(int),
60691+ .mode = 0600,
60692+ .proc_handler = &proc_dointvec,
60693+ },
60694+#endif
60695+#ifdef CONFIG_GRKERNSEC_TPE
60696+ {
60697+ .ctl_name = CTL_UNNUMBERED,
60698+ .procname = "tpe",
60699+ .data = &grsec_enable_tpe,
60700+ .maxlen = sizeof(int),
60701+ .mode = 0600,
60702+ .proc_handler = &proc_dointvec,
60703+ },
60704+ {
60705+ .ctl_name = CTL_UNNUMBERED,
60706+ .procname = "tpe_gid",
60707+ .data = &grsec_tpe_gid,
60708+ .maxlen = sizeof(int),
60709+ .mode = 0600,
60710+ .proc_handler = &proc_dointvec,
60711+ },
60712+#endif
60713+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60714+ {
60715+ .ctl_name = CTL_UNNUMBERED,
60716+ .procname = "tpe_invert",
60717+ .data = &grsec_enable_tpe_invert,
60718+ .maxlen = sizeof(int),
60719+ .mode = 0600,
60720+ .proc_handler = &proc_dointvec,
60721+ },
60722+#endif
60723+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60724+ {
60725+ .ctl_name = CTL_UNNUMBERED,
60726+ .procname = "tpe_restrict_all",
60727+ .data = &grsec_enable_tpe_all,
60728+ .maxlen = sizeof(int),
60729+ .mode = 0600,
60730+ .proc_handler = &proc_dointvec,
60731+ },
60732+#endif
60733+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
60734+ {
60735+ .ctl_name = CTL_UNNUMBERED,
60736+ .procname = "socket_all",
60737+ .data = &grsec_enable_socket_all,
60738+ .maxlen = sizeof(int),
60739+ .mode = 0600,
60740+ .proc_handler = &proc_dointvec,
60741+ },
60742+ {
60743+ .ctl_name = CTL_UNNUMBERED,
60744+ .procname = "socket_all_gid",
60745+ .data = &grsec_socket_all_gid,
60746+ .maxlen = sizeof(int),
60747+ .mode = 0600,
60748+ .proc_handler = &proc_dointvec,
60749+ },
60750+#endif
60751+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
60752+ {
60753+ .ctl_name = CTL_UNNUMBERED,
60754+ .procname = "socket_client",
60755+ .data = &grsec_enable_socket_client,
60756+ .maxlen = sizeof(int),
60757+ .mode = 0600,
60758+ .proc_handler = &proc_dointvec,
60759+ },
60760+ {
60761+ .ctl_name = CTL_UNNUMBERED,
60762+ .procname = "socket_client_gid",
60763+ .data = &grsec_socket_client_gid,
60764+ .maxlen = sizeof(int),
60765+ .mode = 0600,
60766+ .proc_handler = &proc_dointvec,
60767+ },
60768+#endif
60769+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
60770+ {
60771+ .ctl_name = CTL_UNNUMBERED,
60772+ .procname = "socket_server",
60773+ .data = &grsec_enable_socket_server,
60774+ .maxlen = sizeof(int),
60775+ .mode = 0600,
60776+ .proc_handler = &proc_dointvec,
60777+ },
60778+ {
60779+ .ctl_name = CTL_UNNUMBERED,
60780+ .procname = "socket_server_gid",
60781+ .data = &grsec_socket_server_gid,
60782+ .maxlen = sizeof(int),
60783+ .mode = 0600,
60784+ .proc_handler = &proc_dointvec,
60785+ },
60786+#endif
60787+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
60788+ {
60789+ .ctl_name = CTL_UNNUMBERED,
60790+ .procname = "audit_group",
60791+ .data = &grsec_enable_group,
60792+ .maxlen = sizeof(int),
60793+ .mode = 0600,
60794+ .proc_handler = &proc_dointvec,
60795+ },
60796+ {
60797+ .ctl_name = CTL_UNNUMBERED,
60798+ .procname = "audit_gid",
60799+ .data = &grsec_audit_gid,
60800+ .maxlen = sizeof(int),
60801+ .mode = 0600,
60802+ .proc_handler = &proc_dointvec,
60803+ },
60804+#endif
60805+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
60806+ {
60807+ .ctl_name = CTL_UNNUMBERED,
60808+ .procname = "audit_chdir",
60809+ .data = &grsec_enable_chdir,
60810+ .maxlen = sizeof(int),
60811+ .mode = 0600,
60812+ .proc_handler = &proc_dointvec,
60813+ },
60814+#endif
60815+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
60816+ {
60817+ .ctl_name = CTL_UNNUMBERED,
60818+ .procname = "audit_mount",
60819+ .data = &grsec_enable_mount,
60820+ .maxlen = sizeof(int),
60821+ .mode = 0600,
60822+ .proc_handler = &proc_dointvec,
60823+ },
60824+#endif
60825+#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
60826+ {
60827+ .ctl_name = CTL_UNNUMBERED,
60828+ .procname = "audit_textrel",
60829+ .data = &grsec_enable_audit_textrel,
60830+ .maxlen = sizeof(int),
60831+ .mode = 0600,
60832+ .proc_handler = &proc_dointvec,
60833+ },
60834+#endif
60835+#ifdef CONFIG_GRKERNSEC_DMESG
60836+ {
60837+ .ctl_name = CTL_UNNUMBERED,
60838+ .procname = "dmesg",
60839+ .data = &grsec_enable_dmesg,
60840+ .maxlen = sizeof(int),
60841+ .mode = 0600,
60842+ .proc_handler = &proc_dointvec,
60843+ },
60844+#endif
60845+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
60846+ {
60847+ .ctl_name = CTL_UNNUMBERED,
60848+ .procname = "chroot_findtask",
60849+ .data = &grsec_enable_chroot_findtask,
60850+ .maxlen = sizeof(int),
60851+ .mode = 0600,
60852+ .proc_handler = &proc_dointvec,
60853+ },
60854+#endif
60855+#ifdef CONFIG_GRKERNSEC_RESLOG
60856+ {
60857+ .ctl_name = CTL_UNNUMBERED,
60858+ .procname = "resource_logging",
60859+ .data = &grsec_resource_logging,
60860+ .maxlen = sizeof(int),
60861+ .mode = 0600,
60862+ .proc_handler = &proc_dointvec,
60863+ },
60864+#endif
60865+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
60866+ {
60867+ .ctl_name = CTL_UNNUMBERED,
60868+ .procname = "audit_ptrace",
60869+ .data = &grsec_enable_audit_ptrace,
60870+ .maxlen = sizeof(int),
60871+ .mode = 0600,
60872+ .proc_handler = &proc_dointvec,
60873+ },
60874+#endif
60875+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
60876+ {
60877+ .ctl_name = CTL_UNNUMBERED,
60878+ .procname = "harden_ptrace",
60879+ .data = &grsec_enable_harden_ptrace,
60880+ .maxlen = sizeof(int),
60881+ .mode = 0600,
60882+ .proc_handler = &proc_dointvec,
60883+ },
60884+#endif
60885+ {
60886+ .ctl_name = CTL_UNNUMBERED,
60887+ .procname = "grsec_lock",
60888+ .data = &grsec_lock,
60889+ .maxlen = sizeof(int),
60890+ .mode = 0600,
60891+ .proc_handler = &proc_dointvec,
60892+ },
60893+#endif
60894+#ifdef CONFIG_GRKERNSEC_ROFS
60895+ {
60896+ .ctl_name = CTL_UNNUMBERED,
60897+ .procname = "romount_protect",
60898+ .data = &grsec_enable_rofs,
60899+ .maxlen = sizeof(int),
60900+ .mode = 0600,
60901+ .proc_handler = &proc_dointvec_minmax,
60902+ .extra1 = &one,
60903+ .extra2 = &one,
60904+ },
60905+#endif
60906+ { .ctl_name = 0 }
60907+};
60908+#endif
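Review bot: The `romount_protect` entry is the only one that uses `proc_dointvec_minmax`, with `.extra1` and `.extra2` both pointing at `one`, so 1 is the only value it accepts. The setting can be switched on at run time but never off, and the table does not say so. A comment on the entry would save the next reader from working it out, e.g. `/* min == max == 1: can be enabled at run time, never disabled */`. The other entries use plain `proc_dointvec` and accept any integer, so in this file their only write protection is the `grsec_lock` check in `gr_handle_sysctl_mod`. A short comment above `grsecurity_table` should say that, and that the `grsec_lock` entry is itself covered once set.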
60909diff -urNp linux-2.6.32.48/grsecurity/grsec_time.c linux-2.6.32.48/grsecurity/grsec_time.c
60910--- linux-2.6.32.48/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
60911+++ linux-2.6.32.48/grsecurity/grsec_time.c 2011-11-15 19:59:43.000000000 -0500
60912@@ -0,0 +1,16 @@
60913+#include <linux/kernel.h>
60914+#include <linux/sched.h>
60915+#include <linux/grinternal.h>
60916+#include <linux/module.h>
60917+
60918+void
60919+gr_log_timechange(void)
60920+{
60921+#ifdef CONFIG_GRKERNSEC_TIME
60922+ if (grsec_enable_time)
60923+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
60924+#endif
60925+ return;
60926+}
60927+
60928+EXPORT_SYMBOL(gr_log_timechange);
60929diff -urNp linux-2.6.32.48/grsecurity/grsec_tpe.c linux-2.6.32.48/grsecurity/grsec_tpe.c
60930--- linux-2.6.32.48/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
60931+++ linux-2.6.32.48/grsecurity/grsec_tpe.c 2011-11-15 19:59:43.000000000 -0500
60932@@ -0,0 +1,39 @@
60933+#include <linux/kernel.h>
60934+#include <linux/sched.h>
60935+#include <linux/file.h>
60936+#include <linux/fs.h>
60937+#include <linux/grinternal.h>
60938+
60939+extern int gr_acl_tpe_check(void);
60940+
60941+int
60942+gr_tpe_allow(const struct file *file)
60943+{
60944+#ifdef CONFIG_GRKERNSEC
60945+ struct inode *inode = file->f_path.dentry->d_parent->d_inode;
60946+ const struct cred *cred = current_cred();
60947+
60948+ if (cred->uid && ((grsec_enable_tpe &&
60949+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
60950+ ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
60951+ (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
60952+#else
60953+ in_group_p(grsec_tpe_gid)
60954+#endif
60955+ ) || gr_acl_tpe_check()) &&
60956+ (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
60957+ (inode->i_mode & S_IWOTH))))) {
60958+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60959+ return 0;
60960+ }
60961+#ifdef CONFIG_GRKERNSEC_TPE_ALL
60962+ if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
60963+ ((inode->i_uid && (inode->i_uid != cred->uid)) ||
60964+ (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
60965+ gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
60966+ return 0;
60967+ }
60968+#endif
60969+#endif
60970+ return 1;
60971+}
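Review bot: At the top of gr_tpe_allow the parent directory inode is read as `file->f_path.dentry->d_parent->d_inode` with no reference taken and no d_lock held, so as far as this hunk shows the dereference is not protected against a concurrent rename or removal of the parent. Pinning the parent for the duration of both trust checks would make the lifetime explicit: `struct dentry *parent = dget_parent(file->f_path.dentry);` with `dput(parent);` on every return path. In the first condition the `!inode->i_uid` term is redundant after `inode->i_uid ||`. A one-line comment stating that 0 means the exec is denied and 1 means it is allowed would help callers, since the function has no documentation.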
60972diff -urNp linux-2.6.32.48/grsecurity/grsum.c linux-2.6.32.48/grsecurity/grsum.c
60973--- linux-2.6.32.48/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
60974+++ linux-2.6.32.48/grsecurity/grsum.c 2011-11-15 19:59:43.000000000 -0500
60975@@ -0,0 +1,61 @@
60976+#include <linux/err.h>
60977+#include <linux/kernel.h>
60978+#include <linux/sched.h>
60979+#include <linux/mm.h>
60980+#include <linux/scatterlist.h>
60981+#include <linux/crypto.h>
60982+#include <linux/gracl.h>
60983+
60984+
60985+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
60986+#error "crypto and sha256 must be built into the kernel"
60987+#endif
60988+
60989+int
60990+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
60991+{
60992+ char *p;
60993+ struct crypto_hash *tfm;
60994+ struct hash_desc desc;
60995+ struct scatterlist sg;
60996+ unsigned char temp_sum[GR_SHA_LEN];
60997+ volatile int retval = 0;
60998+ volatile int dummy = 0;
60999+ unsigned int i;
61000+
61001+ sg_init_table(&sg, 1);
61002+
61003+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
61004+ if (IS_ERR(tfm)) {
61005+ /* should never happen, since sha256 should be built in */
61006+ return 1;
61007+ }
61008+
61009+ desc.tfm = tfm;
61010+ desc.flags = 0;
61011+
61012+ crypto_hash_init(&desc);
61013+
61014+ p = salt;
61015+ sg_set_buf(&sg, p, GR_SALT_LEN);
61016+ crypto_hash_update(&desc, &sg, sg.length);
61017+
61018+ p = entry->pw;
61019+ sg_set_buf(&sg, p, strlen(p));
61020+
61021+ crypto_hash_update(&desc, &sg, sg.length);
61022+
61023+ crypto_hash_final(&desc, temp_sum);
61024+
61025+ memset(entry->pw, 0, GR_PW_LEN);
61026+
61027+ for (i = 0; i < GR_SHA_LEN; i++)
61028+ if (sum[i] != temp_sum[i])
61029+ retval = 1;
61030+ else
61031+ dummy = 1; // waste a cycle
61032+
61033+ crypto_free_hash(tfm);
61034+
61035+ return retval;
61036+}
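Review bot: The digest comparison at the end of chkpw branches on every byte and relies on `volatile` plus a dummy store to even out timing. A branch-free accumulate keeps the compare independent of where the first mismatch falls: `retval |= sum[i] ^ temp_sum[i];` in the loop and `return retval != 0;` at the end. The return values of crypto_hash_init, crypto_hash_update and crypto_hash_final are ignored, so on a failure temp_sum would be compared uninitialised; any error there should be treated as a mismatch. The early return when crypto_alloc_hash fails skips `memset(entry->pw, 0, GR_PW_LEN)`, and temp_sum is never cleared before the function returns.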
61037diff -urNp linux-2.6.32.48/grsecurity/Kconfig linux-2.6.32.48/grsecurity/Kconfig
61038--- linux-2.6.32.48/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
61039+++ linux-2.6.32.48/grsecurity/Kconfig 2011-11-15 19:59:43.000000000 -0500
61040@@ -0,0 +1,1036 @@
61041+#
61042+# grecurity configuration
61043+#
61044+
61045+menu "Grsecurity"
61046+
61047+config GRKERNSEC
61048+ bool "Grsecurity"
61049+ select CRYPTO
61050+ select CRYPTO_SHA256
61051+ help
61052+ If you say Y here, you will be able to configure many features
61053+ that will enhance the security of your system. It is highly
61054+ recommended that you say Y here and read through the help
61055+ for each option so that you fully understand the features and
61056+ can evaluate their usefulness for your machine.
61057+
61058+choice
61059+ prompt "Security Level"
61060+ depends on GRKERNSEC
61061+ default GRKERNSEC_CUSTOM
61062+
61063+config GRKERNSEC_LOW
61064+ bool "Low"
61065+ select GRKERNSEC_LINK
61066+ select GRKERNSEC_FIFO
61067+ select GRKERNSEC_RANDNET
61068+ select GRKERNSEC_DMESG
61069+ select GRKERNSEC_CHROOT
61070+ select GRKERNSEC_CHROOT_CHDIR
61071+
61072+ help
61073+ If you choose this option, several of the grsecurity options will
61074+ be enabled that will give you greater protection against a number
61075+ of attacks, while assuring that none of your software will have any
61076+ conflicts with the additional security measures. If you run a lot
61077+ of unusual software, or you are having problems with the higher
61078+ security levels, you should say Y here. With this option, the
61079+ following features are enabled:
61080+
61081+ - Linking restrictions
61082+ - FIFO restrictions
61083+ - Restricted dmesg
61084+ - Enforced chdir("/") on chroot
61085+ - Runtime module disabling
61086+
61087+config GRKERNSEC_MEDIUM
61088+ bool "Medium"
61089+ select PAX
61090+ select PAX_EI_PAX
61091+ select PAX_PT_PAX_FLAGS
61092+ select PAX_HAVE_ACL_FLAGS
61093+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
61094+ select GRKERNSEC_CHROOT
61095+ select GRKERNSEC_CHROOT_SYSCTL
61096+ select GRKERNSEC_LINK
61097+ select GRKERNSEC_FIFO
61098+ select GRKERNSEC_DMESG
61099+ select GRKERNSEC_RANDNET
61100+ select GRKERNSEC_FORKFAIL
61101+ select GRKERNSEC_TIME
61102+ select GRKERNSEC_SIGNAL
61103+ select GRKERNSEC_CHROOT
61104+ select GRKERNSEC_CHROOT_UNIX
61105+ select GRKERNSEC_CHROOT_MOUNT
61106+ select GRKERNSEC_CHROOT_PIVOT
61107+ select GRKERNSEC_CHROOT_DOUBLE
61108+ select GRKERNSEC_CHROOT_CHDIR
61109+ select GRKERNSEC_CHROOT_MKNOD
61110+ select GRKERNSEC_PROC
61111+ select GRKERNSEC_PROC_USERGROUP
61112+ select PAX_RANDUSTACK
61113+ select PAX_ASLR
61114+ select PAX_RANDMMAP
61115+ select PAX_REFCOUNT if (X86 || SPARC64)
61116+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
61117+
61118+ help
61119+ If you say Y here, several features in addition to those included
61120+ in the low additional security level will be enabled. These
61121+ features provide even more security to your system, though in rare
61122+ cases they may be incompatible with very old or poorly written
61123+ software. If you enable this option, make sure that your auth
61124+ service (identd) is running as gid 1001. With this option,
61125+ the following features (in addition to those provided in the
61126+ low additional security level) will be enabled:
61127+
61128+ - Failed fork logging
61129+ - Time change logging
61130+ - Signal logging
61131+ - Deny mounts in chroot
61132+ - Deny double chrooting
61133+ - Deny sysctl writes in chroot
61134+ - Deny mknod in chroot
61135+ - Deny access to abstract AF_UNIX sockets out of chroot
61136+ - Deny pivot_root in chroot
61137+ - Denied reads/writes of /dev/kmem, /dev/mem, and /dev/port
61138+ - /proc restrictions with special GID set to 10 (usually wheel)
61139+ - Address Space Layout Randomization (ASLR)
61140+ - Prevent exploitation of most refcount overflows
61141+ - Bounds checking of copying between the kernel and userland
61142+
61143+config GRKERNSEC_HIGH
61144+ bool "High"
61145+ select GRKERNSEC_LINK
61146+ select GRKERNSEC_FIFO
61147+ select GRKERNSEC_DMESG
61148+ select GRKERNSEC_FORKFAIL
61149+ select GRKERNSEC_TIME
61150+ select GRKERNSEC_SIGNAL
61151+ select GRKERNSEC_CHROOT
61152+ select GRKERNSEC_CHROOT_SHMAT
61153+ select GRKERNSEC_CHROOT_UNIX
61154+ select GRKERNSEC_CHROOT_MOUNT
61155+ select GRKERNSEC_CHROOT_FCHDIR
61156+ select GRKERNSEC_CHROOT_PIVOT
61157+ select GRKERNSEC_CHROOT_DOUBLE
61158+ select GRKERNSEC_CHROOT_CHDIR
61159+ select GRKERNSEC_CHROOT_MKNOD
61160+ select GRKERNSEC_CHROOT_CAPS
61161+ select GRKERNSEC_CHROOT_SYSCTL
61162+ select GRKERNSEC_CHROOT_FINDTASK
61163+ select GRKERNSEC_SYSFS_RESTRICT
61164+ select GRKERNSEC_PROC
61165+ select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
61166+ select GRKERNSEC_HIDESYM
61167+ select GRKERNSEC_BRUTE
61168+ select GRKERNSEC_PROC_USERGROUP
61169+ select GRKERNSEC_KMEM
61170+ select GRKERNSEC_RESLOG
61171+ select GRKERNSEC_RANDNET
61172+ select GRKERNSEC_PROC_ADD
61173+ select GRKERNSEC_CHROOT_CHMOD
61174+ select GRKERNSEC_CHROOT_NICE
61175+ select GRKERNSEC_AUDIT_MOUNT
61176+ select GRKERNSEC_MODHARDEN if (MODULES)
61177+ select GRKERNSEC_HARDEN_PTRACE
61178+ select GRKERNSEC_VM86 if (X86_32)
61179+ select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC)
61180+ select PAX
61181+ select PAX_RANDUSTACK
61182+ select PAX_ASLR
61183+ select PAX_RANDMMAP
61184+ select PAX_NOEXEC
61185+ select PAX_MPROTECT
61186+ select PAX_EI_PAX
61187+ select PAX_PT_PAX_FLAGS
61188+ select PAX_HAVE_ACL_FLAGS
61189+ select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
61190+ select PAX_MEMORY_UDEREF if (X86 && !XEN)
61191+ select PAX_RANDKSTACK if (X86_TSC && X86)
61192+ select PAX_SEGMEXEC if (X86_32)
61193+ select PAX_PAGEEXEC
61194+ select PAX_EMUPLT if (ALPHA || PARISC || SPARC)
61195+ select PAX_EMUTRAMP if (PARISC)
61196+ select PAX_EMUSIGRT if (PARISC)
61197+ select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
61198+ select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
61199+ select PAX_REFCOUNT if (X86 || SPARC64)
61200+ select PAX_USERCOPY if ((X86 || SPARC || PPC || ARM) && (SLAB || SLUB || SLOB))
61201+ help
61202+ If you say Y here, many of the features of grsecurity will be
61203+ enabled, which will protect you against many kinds of attacks
61204+ against your system. The heightened security comes at a cost
61205+ of an increased chance of incompatibilities with rare software
61206+ on your machine. Since this security level enables PaX, you should
61207+ view <http://pax.grsecurity.net> and read about the PaX
61208+ project. While you are there, download chpax and run it on
61209+ binaries that cause problems with PaX. Also remember that
61210+ since the /proc restrictions are enabled, you must run your
61211+ identd as gid 1001. This security level enables the following
61212+ features in addition to those listed in the low and medium
61213+ security levels:
61214+
61215+ - Additional /proc restrictions
61216+ - Chmod restrictions in chroot
61217+ - No signals, ptrace, or viewing of processes outside of chroot
61218+ - Capability restrictions in chroot
61219+ - Deny fchdir out of chroot
61220+ - Priority restrictions in chroot
61221+ - Segmentation-based implementation of PaX
61222+ - Mprotect restrictions
61223+ - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
61224+ - Kernel stack randomization
61225+ - Mount/unmount/remount logging
61226+ - Kernel symbol hiding
61227+ - Hardening of module auto-loading
61228+ - Ptrace restrictions
61229+ - Restricted vm86 mode
61230+ - Restricted sysfs/debugfs
61231+ - Active kernel exploit response
61232+
61233+config GRKERNSEC_CUSTOM
61234+ bool "Custom"
61235+ help
61236+ If you say Y here, you will be able to configure every grsecurity
61237+ option, which allows you to enable many more features that aren't
61238+ covered in the basic security levels. These additional features
61239+ include TPE, socket restrictions, and the sysctl system for
61240+ grsecurity. It is advised that you read through the help for
61241+ each option to determine its usefulness in your situation.
61242+
61243+endchoice
61244+
61245+menu "Address Space Protection"
61246+depends on GRKERNSEC
61247+
61248+config GRKERNSEC_KMEM
61249+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
61250+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
61251+ help
61252+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
61253+ be written to or read from to modify or leak the contents of the running
61254+ kernel. /dev/port will also not be allowed to be opened. If you have module
61255+ support disabled, enabling this will close up four ways that are
61256+ currently used to insert malicious code into the running kernel.
61257+ Even with all these features enabled, we still highly recommend that
61258+ you use the RBAC system, as it is still possible for an attacker to
61259+ modify the running kernel through privileged I/O granted by ioperm/iopl.
61260+ If you are not using XFree86, you may be able to stop this additional
61261+ case by enabling the 'Disable privileged I/O' option. Though nothing
61262+ legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
61263+ but only to video memory, which is the only writing we allow in this
61264+ case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
61265+ not be allowed to mprotect it with PROT_WRITE later.
61266+ It is highly recommended that you say Y here if you meet all the
61267+ conditions above.
61268+
61269+config GRKERNSEC_VM86
61270+ bool "Restrict VM86 mode"
61271+ depends on X86_32
61272+
61273+ help
61274+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
61275+ make use of a special execution mode on 32bit x86 processors called
61276+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
61277+ video cards and will still work with this option enabled. The purpose
61278+ of the option is to prevent exploitation of emulation errors in
61279+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
61280+ Nearly all users should be able to enable this option.
61281+
61282+config GRKERNSEC_IO
61283+ bool "Disable privileged I/O"
61284+ depends on X86
61285+ select RTC_CLASS
61286+ select RTC_INTF_DEV
61287+ select RTC_DRV_CMOS
61288+
61289+ help
61290+ If you say Y here, all ioperm and iopl calls will return an error.
61291+ Ioperm and iopl can be used to modify the running kernel.
61292+ Unfortunately, some programs need this access to operate properly,
61293+ the most notable of which are XFree86 and hwclock. hwclock can be
61294+ remedied by having RTC support in the kernel, so real-time
61295+ clock support is enabled if this option is enabled, to ensure
61296+ that hwclock operates correctly. XFree86 still will not
61297+ operate correctly with this option enabled, so DO NOT CHOOSE Y
61298+ IF YOU USE XFree86. If you use XFree86 and you still want to
61299+ protect your kernel against modification, use the RBAC system.
61300+
61301+config GRKERNSEC_PROC_MEMMAP
61302+ bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
61303+ default y if (PAX_NOEXEC || PAX_ASLR)
61304+ depends on PAX_NOEXEC || PAX_ASLR
61305+ help
61306+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
61307+ give no information about the addresses of its mappings if
61308+ PaX features that rely on random addresses are enabled on the task.
61309+ If you use PaX it is greatly recommended that you say Y here as it
61310+ closes up a hole that makes the full ASLR useless for suid
61311+ binaries.
61312+
61313+config GRKERNSEC_BRUTE
61314+ bool "Deter exploit bruteforcing"
61315+ help
61316+ If you say Y here, attempts to bruteforce exploits against forking
61317+ daemons such as apache or sshd, as well as against suid/sgid binaries
61318+ will be deterred. When a child of a forking daemon is killed by PaX
61319+ or crashes due to an illegal instruction or other suspicious signal,
61320+ the parent process will be delayed 30 seconds upon every subsequent
61321+ fork until the administrator is able to assess the situation and
61322+ restart the daemon.
61323+ In the suid/sgid case, the attempt is logged, the user has all their
61324+ processes terminated, and they are prevented from executing any further
61325+ processes for 15 minutes.
61326+ It is recommended that you also enable signal logging in the auditing
61327+ section so that logs are generated when a process triggers a suspicious
61328+ signal.
61329+ If the sysctl option is enabled, a sysctl option with name
61330+ "deter_bruteforce" is created.
61331+
61332+config GRKERNSEC_MODHARDEN
61333+ bool "Harden module auto-loading"
61334+ depends on MODULES
61335+ help
61336+ If you say Y here, module auto-loading in response to use of some
61337+ feature implemented by an unloaded module will be restricted to
61338+ root users. Enabling this option helps defend against attacks
61339+ by unprivileged users who abuse the auto-loading behavior to
61340+ cause a vulnerable module to load that is then exploited.
61341+
61342+ If this option prevents a legitimate use of auto-loading for a
61343+ non-root user, the administrator can execute modprobe manually
61344+ with the exact name of the module mentioned in the alert log.
61345+ Alternatively, the administrator can add the module to the list
61346+ of modules loaded at boot by modifying init scripts.
61347+
61348+ Modification of init scripts will most likely be needed on
61349+ Ubuntu servers with encrypted home directory support enabled,
61350+ as the first non-root user logging in will cause the ecb(aes),
61351+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
61352+
61353+config GRKERNSEC_HIDESYM
61354+ bool "Hide kernel symbols"
61355+ help
61356+ If you say Y here, getting information on loaded modules, and
61357+ displaying all kernel symbols through a syscall will be restricted
61358+ to users with CAP_SYS_MODULE. For software compatibility reasons,
61359+ /proc/kallsyms will be restricted to the root user. The RBAC
61360+ system can hide that entry even from root.
61361+
61362+ This option also prevents leaking of kernel addresses through
61363+ several /proc entries.
61364+
61365+ Note that this option is only effective provided the following
61366+ conditions are met:
61367+ 1) The kernel using grsecurity is not precompiled by some distribution
61368+ 2) You have also enabled GRKERNSEC_DMESG
61369+ 3) You are using the RBAC system and hiding other files such as your
61370+ kernel image and System.map. Alternatively, enabling this option
61371+ causes the permissions on /boot, /lib/modules, and the kernel
61372+ source directory to change at compile time to prevent
61373+ reading by non-root users.
61374+ If the above conditions are met, this option will aid in providing a
61375+ useful protection against local kernel exploitation of overflows
61376+ and arbitrary read/write vulnerabilities.
61377+
61378+config GRKERNSEC_KERN_LOCKOUT
61379+ bool "Active kernel exploit response"
61380+ depends on X86 || ARM || PPC || SPARC
61381+ help
61382+ If you say Y here, when a PaX alert is triggered due to suspicious
61383+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
61384+ or an OOPs occurs due to bad memory accesses, instead of just
61385+ terminating the offending process (and potentially allowing
61386+ a subsequent exploit from the same user), we will take one of two
61387+ actions:
61388+ If the user was root, we will panic the system
61389+ If the user was non-root, we will log the attempt, terminate
61390+ all processes owned by the user, then prevent them from creating
61391+ any new processes until the system is restarted
61392+ This deters repeated kernel exploitation/bruteforcing attempts
61393+ and is useful for later forensics.
61394+
61395+endmenu
61396+menu "Role Based Access Control Options"
61397+depends on GRKERNSEC
61398+
61399+config GRKERNSEC_RBAC_DEBUG
61400+ bool
61401+
61402+config GRKERNSEC_NO_RBAC
61403+ bool "Disable RBAC system"
61404+ help
61405+ If you say Y here, the /dev/grsec device will be removed from the kernel,
61406+ preventing the RBAC system from being enabled. You should only say Y
61407+ here if you have no intention of using the RBAC system, so as to prevent
61408+ an attacker with root access from misusing the RBAC system to hide files
61409+ and processes when loadable module support and /dev/[k]mem have been
61410+ locked down.
61411+
61412+config GRKERNSEC_ACL_HIDEKERN
61413+ bool "Hide kernel processes"
61414+ help
61415+ If you say Y here, all kernel threads will be hidden to all
61416+ processes but those whose subject has the "view hidden processes"
61417+ flag.
61418+
61419+config GRKERNSEC_ACL_MAXTRIES
61420+ int "Maximum tries before password lockout"
61421+ default 3
61422+ help
61423+ This option enforces the maximum number of times a user can attempt
61424+ to authorize themselves with the grsecurity RBAC system before being
61425+ denied the ability to attempt authorization again for a specified time.
61426+ The lower the number, the harder it will be to brute-force a password.
61427+
61428+config GRKERNSEC_ACL_TIMEOUT
61429+ int "Time to wait after max password tries, in seconds"
61430+ default 30
61431+ help
61432+ This option specifies the time the user must wait after attempting to
61433+ authorize to the RBAC system with the maximum number of invalid
61434+ passwords. The higher the number, the harder it will be to brute-force
61435+ a password.
61436+
61437+endmenu
61438+menu "Filesystem Protections"
61439+depends on GRKERNSEC
61440+
61441+config GRKERNSEC_PROC
61442+ bool "Proc restrictions"
61443+ help
61444+ If you say Y here, the permissions of the /proc filesystem
61445+ will be altered to enhance system security and privacy. You MUST
61446+ choose either a user only restriction or a user and group restriction.
61447+ Depending upon the option you choose, you can either restrict users to
61448+ see only the processes they themselves run, or choose a group that can
61449+ view all processes and files normally restricted to root if you choose
61450+ the "restrict to user only" option. NOTE: If you're running identd as
61451+ a non-root user, you will have to run it as the group you specify here.
61452+
61453+config GRKERNSEC_PROC_USER
61454+ bool "Restrict /proc to user only"
61455+ depends on GRKERNSEC_PROC
61456+ help
61457+ If you say Y here, non-root users will only be able to view their own
61458+ processes, and restricts them from viewing network-related information,
61459+ and viewing kernel symbol and module information.
61460+
61461+config GRKERNSEC_PROC_USERGROUP
61462+ bool "Allow special group"
61463+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
61464+ help
61465+ If you say Y here, you will be able to select a group that will be
61466+ able to view all processes and network-related information. If you've
61467+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
61468+ remain hidden. This option is useful if you want to run identd as
61469+ a non-root user.
61470+
61471+config GRKERNSEC_PROC_GID
61472+ int "GID for special group"
61473+ depends on GRKERNSEC_PROC_USERGROUP
61474+ default 1001
61475+
61476+config GRKERNSEC_PROC_ADD
61477+ bool "Additional restrictions"
61478+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
61479+ help
61480+ If you say Y here, additional restrictions will be placed on
61481+ /proc that keep normal users from viewing device information and
61482+ slabinfo information that could be useful for exploits.
61483+
61484+config GRKERNSEC_LINK
61485+ bool "Linking restrictions"
61486+ help
61487+ If you say Y here, /tmp race exploits will be prevented, since users
61488+ will no longer be able to follow symlinks owned by other users in
61489+ world-writable +t directories (e.g. /tmp), unless the owner of the
61490+ symlink is the owner of the directory. users will also not be
61491+ able to hardlink to files they do not own. If the sysctl option is
61492+ enabled, a sysctl option with name "linking_restrictions" is created.
61493+
61494+config GRKERNSEC_FIFO
61495+ bool "FIFO restrictions"
61496+ help
61497+ If you say Y here, users will not be able to write to FIFOs they don't
61498+ own in world-writable +t directories (e.g. /tmp), unless the owner of
61499+ the FIFO is the same owner of the directory it's held in. If the sysctl
61500+ option is enabled, a sysctl option with name "fifo_restrictions" is
61501+ created.
61502+
61503+config GRKERNSEC_SYSFS_RESTRICT
61504+ bool "Sysfs/debugfs restriction"
61505+ depends on SYSFS
61506+ help
61507+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
61508+ any filesystem normally mounted under it (e.g. debugfs) will only
61509+ be accessible by root. These filesystems generally provide access
61510+ to hardware and debug information that isn't appropriate for unprivileged
61511+ users of the system. Sysfs and debugfs have also become a large source
61512+ of new vulnerabilities, ranging from infoleaks to local compromise.
61513+ There has been very little oversight with an eye toward security involved
61514+ in adding new exporters of information to these filesystems, so their
61515+ use is discouraged.
61516+ This option is equivalent to a chmod 0700 of the mount paths.
61517+
61518+config GRKERNSEC_ROFS
61519+ bool "Runtime read-only mount protection"
61520+ help
61521+ If you say Y here, a sysctl option with name "romount_protect" will
61522+ be created. By setting this option to 1 at runtime, filesystems
61523+ will be protected in the following ways:
61524+ * No new writable mounts will be allowed
61525+ * Existing read-only mounts won't be able to be remounted read/write
61526+ * Write operations will be denied on all block devices
61527+ This option acts independently of grsec_lock: once it is set to 1,
61528+ it cannot be turned off. Therefore, please be mindful of the resulting
61529+ behavior if this option is enabled in an init script on a read-only
61530+ filesystem. This feature is mainly intended for secure embedded systems.
61531+
61532+config GRKERNSEC_CHROOT
61533+ bool "Chroot jail restrictions"
61534+ help
61535+ If you say Y here, you will be able to choose several options that will
61536+ make breaking out of a chrooted jail much more difficult. If you
61537+ encounter no software incompatibilities with the following options, it
61538+ is recommended that you enable each one.
61539+
61540+config GRKERNSEC_CHROOT_MOUNT
61541+ bool "Deny mounts"
61542+ depends on GRKERNSEC_CHROOT
61543+ help
61544+ If you say Y here, processes inside a chroot will not be able to
61545+ mount or remount filesystems. If the sysctl option is enabled, a
61546+ sysctl option with name "chroot_deny_mount" is created.
61547+
61548+config GRKERNSEC_CHROOT_DOUBLE
61549+ bool "Deny double-chroots"
61550+ depends on GRKERNSEC_CHROOT
61551+ help
61552+ If you say Y here, processes inside a chroot will not be able to chroot
61553+ again outside the chroot. This is a widely used method of breaking
61554+ out of a chroot jail and should not be allowed. If the sysctl
61555+ option is enabled, a sysctl option with name
61556+ "chroot_deny_chroot" is created.
61557+
61558+config GRKERNSEC_CHROOT_PIVOT
61559+ bool "Deny pivot_root in chroot"
61560+ depends on GRKERNSEC_CHROOT
61561+ help
61562+ If you say Y here, processes inside a chroot will not be able to use
61563+ a function called pivot_root() that was introduced in Linux 2.3.41. It
61564+ works similar to chroot in that it changes the root filesystem. This
61565+ function could be misused in a chrooted process to attempt to break out
61566+ of the chroot, and therefore should not be allowed. If the sysctl
61567+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
61568+ created.
61569+
61570+config GRKERNSEC_CHROOT_CHDIR
61571+ bool "Enforce chdir(\"/\") on all chroots"
61572+ depends on GRKERNSEC_CHROOT
61573+ help
61574+ If you say Y here, the current working directory of all newly-chrooted
61575+ applications will be set to the the root directory of the chroot.
61576+ The man page on chroot(2) states:
61577+ Note that this call does not change the current working
61578+ directory, so that `.' can be outside the tree rooted at
61579+ `/'. In particular, the super-user can escape from a
61580+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
61581+
61582+ It is recommended that you say Y here, since it's not known to break
61583+ any software. If the sysctl option is enabled, a sysctl option with
61584+ name "chroot_enforce_chdir" is created.
61585+
61586+config GRKERNSEC_CHROOT_CHMOD
61587+ bool "Deny (f)chmod +s"
61588+ depends on GRKERNSEC_CHROOT
61589+ help
61590+ If you say Y here, processes inside a chroot will not be able to chmod
61591+ or fchmod files to make them have suid or sgid bits. This protects
61592+ against another published method of breaking a chroot. If the sysctl
61593+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
61594+ created.
61595+
61596+config GRKERNSEC_CHROOT_FCHDIR
61597+ bool "Deny fchdir out of chroot"
61598+ depends on GRKERNSEC_CHROOT
61599+ help
61600+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
61601+ to a file descriptor of the chrooting process that points to a directory
61602+ outside the filesystem will be stopped. If the sysctl option
61603+ is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
61604+
61605+config GRKERNSEC_CHROOT_MKNOD
61606+ bool "Deny mknod"
61607+ depends on GRKERNSEC_CHROOT
61608+ help
61609+ If you say Y here, processes inside a chroot will not be allowed to
61610+ mknod. The problem with using mknod inside a chroot is that it
61611+ would allow an attacker to create a device entry that is the same
61612+ as one on the physical root of your system, which could range from
61613+ anything from the console device to a device for your harddrive (which
61614+ they could then use to wipe the drive or steal data). It is recommended
61615+ that you say Y here, unless you run into software incompatibilities.
61616+ If the sysctl option is enabled, a sysctl option with name
61617+ "chroot_deny_mknod" is created.
61618+
61619+config GRKERNSEC_CHROOT_SHMAT
61620+ bool "Deny shmat() out of chroot"
61621+ depends on GRKERNSEC_CHROOT
61622+ help
61623+ If you say Y here, processes inside a chroot will not be able to attach
61624+ to shared memory segments that were created outside of the chroot jail.
61625+ It is recommended that you say Y here. If the sysctl option is enabled,
61626+ a sysctl option with name "chroot_deny_shmat" is created.
61627+
61628+config GRKERNSEC_CHROOT_UNIX
61629+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
61630+ depends on GRKERNSEC_CHROOT
61631+ help
61632+ If you say Y here, processes inside a chroot will not be able to
61633+ connect to abstract (meaning not belonging to a filesystem) Unix
61634+ domain sockets that were bound outside of a chroot. It is recommended
61635+ that you say Y here. If the sysctl option is enabled, a sysctl option
61636+ with name "chroot_deny_unix" is created.
61637+
61638+config GRKERNSEC_CHROOT_FINDTASK
61639+ bool "Protect outside processes"
61640+ depends on GRKERNSEC_CHROOT
61641+ help
61642+ If you say Y here, processes inside a chroot will not be able to
61643+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
61644+ getsid, or view any process outside of the chroot. If the sysctl
61645+ option is enabled, a sysctl option with name "chroot_findtask" is
61646+ created.
61647+
61648+config GRKERNSEC_CHROOT_NICE
61649+ bool "Restrict priority changes"
61650+ depends on GRKERNSEC_CHROOT
61651+ help
61652+ If you say Y here, processes inside a chroot will not be able to raise
61653+ the priority of processes in the chroot, or alter the priority of
61654+ processes outside the chroot. This provides more security than simply
61655+ removing CAP_SYS_NICE from the process' capability set. If the
61656+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
61657+ is created.
61658+
61659+config GRKERNSEC_CHROOT_SYSCTL
61660+ bool "Deny sysctl writes"
61661+ depends on GRKERNSEC_CHROOT
61662+ help
61663+ If you say Y here, an attacker in a chroot will not be able to
61664+ write to sysctl entries, either by sysctl(2) or through a /proc
61665+ interface. It is strongly recommended that you say Y here. If the
61666+ sysctl option is enabled, a sysctl option with name
61667+ "chroot_deny_sysctl" is created.
61668+
61669+config GRKERNSEC_CHROOT_CAPS
61670+ bool "Capability restrictions"
61671+ depends on GRKERNSEC_CHROOT
61672+ help
61673+ If you say Y here, the capabilities on all processes within a
61674+ chroot jail will be lowered to stop module insertion, raw i/o,
61675+ system and net admin tasks, rebooting the system, modifying immutable
61676+ files, modifying IPC owned by another, and changing the system time.
61677+ This is left an option because it can break some apps. Disable this
61678+ if your chrooted apps are having problems performing those kinds of
61679+ tasks. If the sysctl option is enabled, a sysctl option with
61680+ name "chroot_caps" is created.
61681+
61682+endmenu
61683+menu "Kernel Auditing"
61684+depends on GRKERNSEC
61685+
61686+config GRKERNSEC_AUDIT_GROUP
61687+ bool "Single group for auditing"
61688+ help
61689+ If you say Y here, the exec, chdir, and (un)mount logging features
61690+ will only operate on a group you specify. This option is recommended
61691+ if you only want to watch certain users instead of having a large
61692+ amount of logs from the entire system. If the sysctl option is enabled,
61693+ a sysctl option with name "audit_group" is created.
61694+
61695+config GRKERNSEC_AUDIT_GID
61696+ int "GID for auditing"
61697+ depends on GRKERNSEC_AUDIT_GROUP
61698+ default 1007
61699+
61700+config GRKERNSEC_EXECLOG
61701+ bool "Exec logging"
61702+ help
61703+ If you say Y here, all execve() calls will be logged (since the
61704+ other exec*() calls are frontends to execve(), all execution
61705+ will be logged). Useful for shell-servers that like to keep track
61706+ of their users. If the sysctl option is enabled, a sysctl option with
61707+ name "exec_logging" is created.
61708+ WARNING: This option when enabled will produce a LOT of logs, especially
61709+ on an active system.
61710+
61711+config GRKERNSEC_RESLOG
61712+ bool "Resource logging"
61713+ help
61714+ If you say Y here, all attempts to overstep resource limits will
61715+ be logged with the resource name, the requested size, and the current
61716+ limit. It is highly recommended that you say Y here. If the sysctl
61717+ option is enabled, a sysctl option with name "resource_logging" is
61718+ created. If the RBAC system is enabled, the sysctl value is ignored.
61719+
61720+config GRKERNSEC_CHROOT_EXECLOG
61721+ bool "Log execs within chroot"
61722+ help
61723+ If you say Y here, all executions inside a chroot jail will be logged
61724+ to syslog. This can cause a large amount of logs if certain
61725+ applications (eg. djb's daemontools) are installed on the system, and
61726+ is therefore left as an option. If the sysctl option is enabled, a
61727+ sysctl option with name "chroot_execlog" is created.
61728+
61729+config GRKERNSEC_AUDIT_PTRACE
61730+ bool "Ptrace logging"
61731+ help
61732+ If you say Y here, all attempts to attach to a process via ptrace
61733+ will be logged. If the sysctl option is enabled, a sysctl option
61734+ with name "audit_ptrace" is created.
61735+
61736+config GRKERNSEC_AUDIT_CHDIR
61737+ bool "Chdir logging"
61738+ help
61739+ If you say Y here, all chdir() calls will be logged. If the sysctl
61740+ option is enabled, a sysctl option with name "audit_chdir" is created.
61741+
61742+config GRKERNSEC_AUDIT_MOUNT
61743+ bool "(Un)Mount logging"
61744+ help
61745+ If you say Y here, all mounts and unmounts will be logged. If the
61746+ sysctl option is enabled, a sysctl option with name "audit_mount" is
61747+ created.
61748+
61749+config GRKERNSEC_SIGNAL
61750+ bool "Signal logging"
61751+ help
61752+ If you say Y here, certain important signals will be logged, such as
61753+ SIGSEGV, which will as a result inform you of when a error in a program
61754+ occurred, which in some cases could mean a possible exploit attempt.
61755+ If the sysctl option is enabled, a sysctl option with name
61756+ "signal_logging" is created.
61757+
61758+config GRKERNSEC_FORKFAIL
61759+ bool "Fork failure logging"
61760+ help
61761+ If you say Y here, all failed fork() attempts will be logged.
61762+ This could suggest a fork bomb, or someone attempting to overstep
61763+ their process limit. If the sysctl option is enabled, a sysctl option
61764+ with name "forkfail_logging" is created.
61765+
61766+config GRKERNSEC_TIME
61767+ bool "Time change logging"
61768+ help
61769+ If you say Y here, any changes of the system clock will be logged.
61770+ If the sysctl option is enabled, a sysctl option with name
61771+ "timechange_logging" is created.
61772+
61773+config GRKERNSEC_PROC_IPADDR
61774+ bool "/proc/<pid>/ipaddr support"
61775+ help
61776+ If you say Y here, a new entry will be added to each /proc/<pid>
61777+ directory that contains the IP address of the person using the task.
61778+ The IP is carried across local TCP and AF_UNIX stream sockets.
61779+ This information can be useful for IDS/IPSes to perform remote response
61780+ to a local attack. The entry is readable by only the owner of the
61781+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
61782+ the RBAC system), and thus does not create privacy concerns.
61783+
61784+config GRKERNSEC_RWXMAP_LOG
61785+ bool 'Denied RWX mmap/mprotect logging'
61786+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
61787+ help
61788+ If you say Y here, calls to mmap() and mprotect() with explicit
61789+ usage of PROT_WRITE and PROT_EXEC together will be logged when
61790+ denied by the PAX_MPROTECT feature. If the sysctl option is
61791+ enabled, a sysctl option with name "rwxmap_logging" is created.
61792+
61793+config GRKERNSEC_AUDIT_TEXTREL
61794+ bool 'ELF text relocations logging (READ HELP)'
61795+ depends on PAX_MPROTECT
61796+ help
61797+ If you say Y here, text relocations will be logged with the filename
61798+ of the offending library or binary. The purpose of the feature is
61799+ to help Linux distribution developers get rid of libraries and
61800+ binaries that need text relocations which hinder the future progress
61801+ of PaX. Only Linux distribution developers should say Y here, and
61802+ never on a production machine, as this option creates an information
61803+ leak that could aid an attacker in defeating the randomization of
61804+ a single memory region. If the sysctl option is enabled, a sysctl
61805+ option with name "audit_textrel" is created.
61806+
61807+endmenu
61808+
61809+menu "Executable Protections"
61810+depends on GRKERNSEC
61811+
61812+config GRKERNSEC_DMESG
61813+ bool "Dmesg(8) restriction"
61814+ help
61815+ If you say Y here, non-root users will not be able to use dmesg(8)
61816+ to view up to the last 4kb of messages in the kernel's log buffer.
61817+ The kernel's log buffer often contains kernel addresses and other
61818+ identifying information useful to an attacker in fingerprinting a
61819+ system for a targeted exploit.
61820+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
61821+ created.
61822+
61823+config GRKERNSEC_HARDEN_PTRACE
61824+ bool "Deter ptrace-based process snooping"
61825+ help
61826+ If you say Y here, TTY sniffers and other malicious monitoring
61827+ programs implemented through ptrace will be defeated. If you
61828+ have been using the RBAC system, this option has already been
61829+ enabled for several years for all users, with the ability to make
61830+ fine-grained exceptions.
61831+
61832+ This option only affects the ability of non-root users to ptrace
61833+ processes that are not a descendent of the ptracing process.
61834+ This means that strace ./binary and gdb ./binary will still work,
61835+ but attaching to arbitrary processes will not. If the sysctl
61836+ option is enabled, a sysctl option with name "harden_ptrace" is
61837+ created.
61838+
61839+config GRKERNSEC_TPE
61840+ bool "Trusted Path Execution (TPE)"
61841+ help
61842+ If you say Y here, you will be able to choose a gid to add to the
61843+ supplementary groups of users you want to mark as "untrusted."
61844+ These users will not be able to execute any files that are not in
61845+ root-owned directories writable only by root. If the sysctl option
61846+ is enabled, a sysctl option with name "tpe" is created.
61847+
61848+config GRKERNSEC_TPE_ALL
61849+ bool "Partially restrict all non-root users"
61850+ depends on GRKERNSEC_TPE
61851+ help
61852+ If you say Y here, all non-root users will be covered under
61853+ a weaker TPE restriction. This is separate from, and in addition to,
61854+ the main TPE options that you have selected elsewhere. Thus, if a
61855+ "trusted" GID is chosen, this restriction applies to even that GID.
61856+ Under this restriction, all non-root users will only be allowed to
61857+ execute files in directories they own that are not group or
61858+ world-writable, or in directories owned by root and writable only by
61859+ root. If the sysctl option is enabled, a sysctl option with name
61860+ "tpe_restrict_all" is created.
61861+
61862+config GRKERNSEC_TPE_INVERT
61863+ bool "Invert GID option"
61864+ depends on GRKERNSEC_TPE
61865+ help
61866+ If you say Y here, the group you specify in the TPE configuration will
61867+ decide what group TPE restrictions will be *disabled* for. This
61868+ option is useful if you want TPE restrictions to be applied to most
61869+ users on the system. If the sysctl option is enabled, a sysctl option
61870+ with name "tpe_invert" is created. Unlike other sysctl options, this
61871+ entry will default to on for backward-compatibility.
61872+
61873+config GRKERNSEC_TPE_GID
61874+ int "GID for untrusted users"
61875+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
61876+ default 1005
61877+ help
61878+ Setting this GID determines what group TPE restrictions will be
61879+ *enabled* for. If the sysctl option is enabled, a sysctl option
61880+ with name "tpe_gid" is created.
61881+
61882+config GRKERNSEC_TPE_GID
61883+ int "GID for trusted users"
61884+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
61885+ default 1005
61886+ help
61887+ Setting this GID determines what group TPE restrictions will be
61888+ *disabled* for. If the sysctl option is enabled, a sysctl option
61889+ with name "tpe_gid" is created.
61890+
61891+endmenu
61892+menu "Network Protections"
61893+depends on GRKERNSEC
61894+
61895+config GRKERNSEC_RANDNET
61896+ bool "Larger entropy pools"
61897+ help
61898+ If you say Y here, the entropy pools used for many features of Linux
61899+ and grsecurity will be doubled in size. Since several grsecurity
61900+ features use additional randomness, it is recommended that you say Y
61901+ here. Saying Y here has a similar effect as modifying
61902+ /proc/sys/kernel/random/poolsize.
61903+
61904+config GRKERNSEC_BLACKHOLE
61905+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
61906+ depends on NET
61907+ help
61908+ If you say Y here, neither TCP resets nor ICMP
61909+ destination-unreachable packets will be sent in response to packets
61910+ sent to ports for which no associated listening process exists.
61911+ This feature supports both IPV4 and IPV6 and exempts the
61912+ loopback interface from blackholing. Enabling this feature
61913+ makes a host more resilient to DoS attacks and reduces network
61914+ visibility against scanners.
61915+
61916+ The blackhole feature as-implemented is equivalent to the FreeBSD
61917+ blackhole feature, as it prevents RST responses to all packets, not
61918+ just SYNs. Under most application behavior this causes no
61919+ problems, but applications (like haproxy) may not close certain
61920+ connections in a way that cleanly terminates them on the remote
61921+ end, leaving the remote host in LAST_ACK state. Because of this
61922+ side-effect and to prevent intentional LAST_ACK DoSes, this
61923+ feature also adds automatic mitigation against such attacks.
61924+ The mitigation drastically reduces the amount of time a socket
61925+ can spend in LAST_ACK state. If you're using haproxy and not
61926+ all servers it connects to have this option enabled, consider
61927+ disabling this feature on the haproxy host.
61928+
61929+ If the sysctl option is enabled, two sysctl options with names
61930+ "ip_blackhole" and "lastack_retries" will be created.
61931+ While "ip_blackhole" takes the standard zero/non-zero on/off
61932+ toggle, "lastack_retries" uses the same kinds of values as
61933+ "tcp_retries1" and "tcp_retries2". The default value of 4
61934+ prevents a socket from lasting more than 45 seconds in LAST_ACK
61935+ state.
61936+
61937+config GRKERNSEC_SOCKET
61938+ bool "Socket restrictions"
61939+ depends on NET
61940+ help
61941+ If you say Y here, you will be able to choose from several options.
61942+ If you assign a GID on your system and add it to the supplementary
61943+ groups of users you want to restrict socket access to, this patch
61944+ will perform up to three things, based on the option(s) you choose.
61945+
61946+config GRKERNSEC_SOCKET_ALL
61947+ bool "Deny any sockets to group"
61948+ depends on GRKERNSEC_SOCKET
61949+ help
61950+ If you say Y here, you will be able to choose a GID of whose users will
61951+ be unable to connect to other hosts from your machine or run server
61952+ applications from your machine. If the sysctl option is enabled, a
61953+ sysctl option with name "socket_all" is created.
61954+
61955+config GRKERNSEC_SOCKET_ALL_GID
61956+ int "GID to deny all sockets for"
61957+ depends on GRKERNSEC_SOCKET_ALL
61958+ default 1004
61959+ help
61960+ Here you can choose the GID to disable socket access for. Remember to
61961+ add the users you want socket access disabled for to the GID
61962+ specified here. If the sysctl option is enabled, a sysctl option
61963+ with name "socket_all_gid" is created.
61964+
61965+config GRKERNSEC_SOCKET_CLIENT
61966+ bool "Deny client sockets to group"
61967+ depends on GRKERNSEC_SOCKET
61968+ help
61969+ If you say Y here, you will be able to choose a GID of whose users will
61970+ be unable to connect to other hosts from your machine, but will be
61971+ able to run servers. If this option is enabled, all users in the group
61972+ you specify will have to use passive mode when initiating ftp transfers
61973+ from the shell on your machine. If the sysctl option is enabled, a
61974+ sysctl option with name "socket_client" is created.
61975+
61976+config GRKERNSEC_SOCKET_CLIENT_GID
61977+ int "GID to deny client sockets for"
61978+ depends on GRKERNSEC_SOCKET_CLIENT
61979+ default 1003
61980+ help
61981+ Here you can choose the GID to disable client socket access for.
61982+ Remember to add the users you want client socket access disabled for to
61983+ the GID specified here. If the sysctl option is enabled, a sysctl
61984+ option with name "socket_client_gid" is created.
61985+
61986+config GRKERNSEC_SOCKET_SERVER
61987+ bool "Deny server sockets to group"
61988+ depends on GRKERNSEC_SOCKET
61989+ help
61990+ If you say Y here, you will be able to choose a GID of whose users will
61991+ be unable to run server applications from your machine. If the sysctl
61992+ option is enabled, a sysctl option with name "socket_server" is created.
61993+
61994+config GRKERNSEC_SOCKET_SERVER_GID
61995+ int "GID to deny server sockets for"
61996+ depends on GRKERNSEC_SOCKET_SERVER
61997+ default 1002
61998+ help
61999+ Here you can choose the GID to disable server socket access for.
62000+ Remember to add the users you want server socket access disabled for to
62001+ the GID specified here. If the sysctl option is enabled, a sysctl
62002+ option with name "socket_server_gid" is created.
62003+
62004+endmenu
62005+menu "Sysctl support"
62006+depends on GRKERNSEC && SYSCTL
62007+
62008+config GRKERNSEC_SYSCTL
62009+ bool "Sysctl support"
62010+ help
62011+ If you say Y here, you will be able to change the options that
62012+ grsecurity runs with at bootup, without having to recompile your
62013+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
62014+ to enable (1) or disable (0) various features. All the sysctl entries
62015+ are mutable until the "grsec_lock" entry is set to a non-zero value.
62016+ All features enabled in the kernel configuration are disabled at boot
62017+ if you do not say Y to the "Turn on features by default" option.
62018+ All options should be set at startup, and the grsec_lock entry should
62019+ be set to a non-zero value after all the options are set.
62020+ *THIS IS EXTREMELY IMPORTANT*
62021+
62022+config GRKERNSEC_SYSCTL_DISTRO
62023+ bool "Extra sysctl support for distro makers (READ HELP)"
62024+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
62025+ help
62026+ If you say Y here, additional sysctl options will be created
62027+ for features that affect processes running as root. Therefore,
62028+ it is critical when using this option that the grsec_lock entry be
62029+ enabled after boot. Only distros with prebuilt kernel packages
62030+ with this option enabled that can ensure grsec_lock is enabled
62031+ after boot should use this option.
62032+ *Failure to set grsec_lock after boot makes all grsec features
62033+ this option covers useless*
62034+
62035+ Currently this option creates the following sysctl entries:
62036+ "Disable Privileged I/O": "disable_priv_io"
62037+
62038+config GRKERNSEC_SYSCTL_ON
62039+ bool "Turn on features by default"
62040+ depends on GRKERNSEC_SYSCTL
62041+ help
62042+ If you say Y here, instead of having all features enabled in the
62043+ kernel configuration disabled at boot time, the features will be
62044+ enabled at boot time. It is recommended you say Y here unless
62045+ there is some reason you would want all sysctl-tunable features to
62046+ be disabled by default. As mentioned elsewhere, it is important
62047+ to enable the grsec_lock entry once you have finished modifying
62048+ the sysctl entries.
62049+
62050+endmenu
62051+menu "Logging Options"
62052+depends on GRKERNSEC
62053+
62054+config GRKERNSEC_FLOODTIME
62055+ int "Seconds in between log messages (minimum)"
62056+ default 10
62057+ help
62058+ This option allows you to enforce the number of seconds between
62059+ grsecurity log messages. The default should be suitable for most
62060+ people, however, if you choose to change it, choose a value small enough
62061+ to allow informative logs to be produced, but large enough to
62062+ prevent flooding.
62063+
62064+config GRKERNSEC_FLOODBURST
62065+ int "Number of messages in a burst (maximum)"
62066+ default 6
62067+ help
62068+ This option allows you to choose the maximum number of messages allowed
62069+ within the flood time interval you chose in a separate option. The
62070+ default should be suitable for most people, however if you find that
62071+ many of your logs are being interpreted as flooding, you may want to
62072+ raise this value.
62073+
62074+endmenu
62075+
62076+endmenu
62077diff -urNp linux-2.6.32.48/grsecurity/Makefile linux-2.6.32.48/grsecurity/Makefile
62078--- linux-2.6.32.48/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
62079+++ linux-2.6.32.48/grsecurity/Makefile 2011-11-15 19:59:43.000000000 -0500
62080@@ -0,0 +1,36 @@
62081+# grsecurity's ACL system was originally written in 2001 by Michael Dalton
62082+# during 2001-2009 it has been completely redesigned by Brad Spengler
62083+# into an RBAC system
62084+#
62085+# All code in this directory and various hooks inserted throughout the kernel
62086+# are copyright Brad Spengler - Open Source Security, Inc., and released
62087+# under the GPL v2 or higher
62088+
62089+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
62090+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
62091+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
62092+
62093+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
62094+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
62095+ gracl_learn.o grsec_log.o
62096+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
62097+
62098+ifdef CONFIG_NET
62099+obj-y += grsec_sock.o
62100+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
62101+endif
62102+
62103+ifndef CONFIG_GRKERNSEC
62104+obj-y += grsec_disabled.o
62105+endif
62106+
62107+ifdef CONFIG_GRKERNSEC_HIDESYM
62108+extra-y := grsec_hidesym.o
62109+$(obj)/grsec_hidesym.o:
62110+ @-chmod -f 500 /boot
62111+ @-chmod -f 500 /lib/modules
62112+ @-chmod -f 500 /lib64/modules
62113+ @-chmod -f 500 /lib32/modules
62114+ @-chmod -f 700 .
62115+ @echo ' grsec: protected kernel image paths'
62116+endif
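Review bot: The `$(obj)/grsec_hidesym.o:` rule changes permissions on the build host (`/boot`, `/lib/modules`, `/lib64/modules`, `/lib32/modules` and the build directory) as a side effect of compiling. Every command is prefixed with `@-` and uses `chmod -f`, so a failure is silent while the final `echo` still prints 'protected kernel image paths'. When the kernel is built as an unprivileged user, cross-built, or packaged on another machine, the paths on the system that actually runs the kernel are presumably left unchanged, so the protection depends on whoever installs it. I would document this above the rule, e.g. `# NOTE: only tightens paths on the build host; packagers must apply the same modes at install time`, and print the message only when the chmod calls succeeded. The rule also has no recipe that produces grsec_hidesym.o, so it looks as if it reruns on every build.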
62117diff -urNp linux-2.6.32.48/include/acpi/acpi_bus.h linux-2.6.32.48/include/acpi/acpi_bus.h
62118--- linux-2.6.32.48/include/acpi/acpi_bus.h 2011-11-08 19:02:43.000000000 -0500
62119+++ linux-2.6.32.48/include/acpi/acpi_bus.h 2011-11-15 19:59:43.000000000 -0500
62120@@ -107,7 +107,7 @@ struct acpi_device_ops {
62121 acpi_op_bind bind;
62122 acpi_op_unbind unbind;
62123 acpi_op_notify notify;
62124-};
62125+} __no_const;
62126
62127 #define ACPI_DRIVER_ALL_NOTIFY_EVENTS 0x1 /* system AND device events */
62128
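Review bot: The `__no_const` annotation on `struct acpi_device_ops` has no comment saying why this ops table has to stay writable. The attribute is defined outside this hunk; from its name it appears to exempt the structure from being made read-only, which would leave its function pointers writable at run time. A one-line comment such as `/* __no_const: members are assigned at run time by <caller> */`, with the real writer filled in, would let a later reviewer check whether the exemption is still needed.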
62129diff -urNp linux-2.6.32.48/include/acpi/acpi_drivers.h linux-2.6.32.48/include/acpi/acpi_drivers.h
62130--- linux-2.6.32.48/include/acpi/acpi_drivers.h 2011-11-08 19:02:43.000000000 -0500
62131+++ linux-2.6.32.48/include/acpi/acpi_drivers.h 2011-11-15 19:59:43.000000000 -0500
62132@@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
62133 Dock Station
62134 -------------------------------------------------------------------------- */
62135 struct acpi_dock_ops {
62136- acpi_notify_handler handler;
62137- acpi_notify_handler uevent;
62138+ const acpi_notify_handler handler;
62139+ const acpi_notify_handler uevent;
62140 };
62141
62142 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
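Review bot: Qualifying the members themselves (`const acpi_notify_handler handler;`, `const acpi_notify_handler uevent;`) means a `struct acpi_dock_ops` can only be filled by an initializer, so any driver that assigns these fields after declaration stops compiling. The two later hunks in this file already make the `ops` parameter of `register_hotplug_dock_device()` a `const struct acpi_dock_ops *`, which protects the table once instances are declared `const`. A short comment on the struct, e.g. `/* instances must be statically initialised and declared const */`, would state the contract. The non-inline definition of `register_hotplug_dock_device()` and the drivers that pass an ops table are outside this file section and need the matching change.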
62143@@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
62144 extern int register_dock_notifier(struct notifier_block *nb);
62145 extern void unregister_dock_notifier(struct notifier_block *nb);
62146 extern int register_hotplug_dock_device(acpi_handle handle,
62147- struct acpi_dock_ops *ops,
62148+ const struct acpi_dock_ops *ops,
62149 void *context);
62150 extern void unregister_hotplug_dock_device(acpi_handle handle);
62151 #else
62152@@ -144,7 +144,7 @@ static inline void unregister_dock_notif
62153 {
62154 }
62155 static inline int register_hotplug_dock_device(acpi_handle handle,
62156- struct acpi_dock_ops *ops,
62157+ const struct acpi_dock_ops *ops,
62158 void *context)
62159 {
62160 return -ENODEV;
62161diff -urNp linux-2.6.32.48/include/asm-generic/atomic-long.h linux-2.6.32.48/include/asm-generic/atomic-long.h
62162--- linux-2.6.32.48/include/asm-generic/atomic-long.h 2011-11-08 19:02:43.000000000 -0500
62163+++ linux-2.6.32.48/include/asm-generic/atomic-long.h 2011-11-15 19:59:43.000000000 -0500
62164@@ -22,6 +22,12 @@
62165
62166 typedef atomic64_t atomic_long_t;
62167
62168+#ifdef CONFIG_PAX_REFCOUNT
62169+typedef atomic64_unchecked_t atomic_long_unchecked_t;
62170+#else
62171+typedef atomic64_t atomic_long_unchecked_t;
62172+#endif
62173+
62174 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
62175
62176 static inline long atomic_long_read(atomic_long_t *l)
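Review bot: `atomic_long_unchecked_t` and the `atomic_long_*_unchecked()` helpers added here and in the following hunks of this file have no comment saying when the unchecked form may be used. Under CONFIG_PAX_REFCOUNT the plain atomic types are presumably the overflow-checked ones, so each counter converted to `_unchecked` opts out of that protection, and a reader needs the rule in order to audit such conversions. I would state it once above the typedef, e.g. `/* _unchecked: for counters that may wrap harmlessly (statistics, sequence numbers); never for reference counts */`. The explicit casts such as `(atomic64_unchecked_t *)l` mirror the existing helpers but are no-ops under this typedef and would hide a later type mismatch, so passing `l` directly is the safer form.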
62177@@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
62178 return (long)atomic64_read(v);
62179 }
62180
62181+#ifdef CONFIG_PAX_REFCOUNT
62182+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
62183+{
62184+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62185+
62186+ return (long)atomic64_read_unchecked(v);
62187+}
62188+#endif
62189+
62190 static inline void atomic_long_set(atomic_long_t *l, long i)
62191 {
62192 atomic64_t *v = (atomic64_t *)l;
62193@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
62194 atomic64_set(v, i);
62195 }
62196
62197+#ifdef CONFIG_PAX_REFCOUNT
62198+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
62199+{
62200+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62201+
62202+ atomic64_set_unchecked(v, i);
62203+}
62204+#endif
62205+
62206 static inline void atomic_long_inc(atomic_long_t *l)
62207 {
62208 atomic64_t *v = (atomic64_t *)l;
62209@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
62210 atomic64_inc(v);
62211 }
62212
62213+#ifdef CONFIG_PAX_REFCOUNT
62214+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
62215+{
62216+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62217+
62218+ atomic64_inc_unchecked(v);
62219+}
62220+#endif
62221+
62222 static inline void atomic_long_dec(atomic_long_t *l)
62223 {
62224 atomic64_t *v = (atomic64_t *)l;
62225@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
62226 atomic64_dec(v);
62227 }
62228
62229+#ifdef CONFIG_PAX_REFCOUNT
62230+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
62231+{
62232+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62233+
62234+ atomic64_dec_unchecked(v);
62235+}
62236+#endif
62237+
62238 static inline void atomic_long_add(long i, atomic_long_t *l)
62239 {
62240 atomic64_t *v = (atomic64_t *)l;
62241@@ -59,6 +101,15 @@ static inline void atomic_long_add(long
62242 atomic64_add(i, v);
62243 }
62244
62245+#ifdef CONFIG_PAX_REFCOUNT
62246+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
62247+{
62248+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62249+
62250+ atomic64_add_unchecked(i, v);
62251+}
62252+#endif
62253+
62254 static inline void atomic_long_sub(long i, atomic_long_t *l)
62255 {
62256 atomic64_t *v = (atomic64_t *)l;
62257@@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
62258 return (long)atomic64_inc_return(v);
62259 }
62260
62261+#ifdef CONFIG_PAX_REFCOUNT
62262+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
62263+{
62264+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
62265+
62266+ return (long)atomic64_inc_return_unchecked(v);
62267+}
62268+#endif
62269+
62270 static inline long atomic_long_dec_return(atomic_long_t *l)
62271 {
62272 atomic64_t *v = (atomic64_t *)l;
62273@@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
62274
62275 typedef atomic_t atomic_long_t;
62276
62277+#ifdef CONFIG_PAX_REFCOUNT
62278+typedef atomic_unchecked_t atomic_long_unchecked_t;
62279+#else
62280+typedef atomic_t atomic_long_unchecked_t;
62281+#endif
62282+
62283 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
62284 static inline long atomic_long_read(atomic_long_t *l)
62285 {
62286@@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
62287 return (long)atomic_read(v);
62288 }
62289
62290+#ifdef CONFIG_PAX_REFCOUNT
62291+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
62292+{
62293+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62294+
62295+ return (long)atomic_read_unchecked(v);
62296+}
62297+#endif
62298+
62299 static inline void atomic_long_set(atomic_long_t *l, long i)
62300 {
62301 atomic_t *v = (atomic_t *)l;
62302@@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
62303 atomic_set(v, i);
62304 }
62305
62306+#ifdef CONFIG_PAX_REFCOUNT
62307+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
62308+{
62309+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62310+
62311+ atomic_set_unchecked(v, i);
62312+}
62313+#endif
62314+
62315 static inline void atomic_long_inc(atomic_long_t *l)
62316 {
62317 atomic_t *v = (atomic_t *)l;
62318@@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
62319 atomic_inc(v);
62320 }
62321
62322+#ifdef CONFIG_PAX_REFCOUNT
62323+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
62324+{
62325+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62326+
62327+ atomic_inc_unchecked(v);
62328+}
62329+#endif
62330+
62331 static inline void atomic_long_dec(atomic_long_t *l)
62332 {
62333 atomic_t *v = (atomic_t *)l;
62334@@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
62335 atomic_dec(v);
62336 }
62337
62338+#ifdef CONFIG_PAX_REFCOUNT
62339+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
62340+{
62341+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62342+
62343+ atomic_dec_unchecked(v);
62344+}
62345+#endif
62346+
62347 static inline void atomic_long_add(long i, atomic_long_t *l)
62348 {
62349 atomic_t *v = (atomic_t *)l;
62350@@ -176,6 +278,15 @@ static inline void atomic_long_add(long
62351 atomic_add(i, v);
62352 }
62353
62354+#ifdef CONFIG_PAX_REFCOUNT
62355+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
62356+{
62357+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62358+
62359+ atomic_add_unchecked(i, v);
62360+}
62361+#endif
62362+
62363 static inline void atomic_long_sub(long i, atomic_long_t *l)
62364 {
62365 atomic_t *v = (atomic_t *)l;
62366@@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
62367 return (long)atomic_inc_return(v);
62368 }
62369
62370+#ifdef CONFIG_PAX_REFCOUNT
62371+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
62372+{
62373+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
62374+
62375+ return (long)atomic_inc_return_unchecked(v);
62376+}
62377+#endif
62378+
62379 static inline long atomic_long_dec_return(atomic_long_t *l)
62380 {
62381 atomic_t *v = (atomic_t *)l;
62382@@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
62383
62384 #endif /* BITS_PER_LONG == 64 */
62385
62386+#ifdef CONFIG_PAX_REFCOUNT
62387+static inline void pax_refcount_needs_these_functions(void)
62388+{
62389+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
62390+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
62391+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
62392+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
62393+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
62394+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
62395+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
62396+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
62397+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
62398+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
62399+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
62400+
62401+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
62402+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
62403+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
62404+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
62405+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
62406+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
62407+}
62408+#else
62409+#define atomic_read_unchecked(v) atomic_read(v)
62410+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
62411+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
62412+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
62413+#define atomic_inc_unchecked(v) atomic_inc(v)
62414+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
62415+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
62416+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
62417+#define atomic_dec_unchecked(v) atomic_dec(v)
62418+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
62419+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
62420+
62421+#define atomic_long_read_unchecked(v) atomic_long_read(v)
62422+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
62423+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
62424+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
62425+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
62426+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
62427+#endif
62428+
62429 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
62430diff -urNp linux-2.6.32.48/include/asm-generic/bug.h linux-2.6.32.48/include/asm-generic/bug.h
62431--- linux-2.6.32.48/include/asm-generic/bug.h 2011-11-08 19:02:43.000000000 -0500
62432+++ linux-2.6.32.48/include/asm-generic/bug.h 2011-11-15 19:59:43.000000000 -0500
62433@@ -105,11 +105,11 @@ extern void warn_slowpath_null(const cha
62434
62435 #else /* !CONFIG_BUG */
62436 #ifndef HAVE_ARCH_BUG
62437-#define BUG() do {} while(0)
62438+#define BUG() do { for (;;) ; } while(0)
62439 #endif
62440
62441 #ifndef HAVE_ARCH_BUG_ON
62442-#define BUG_ON(condition) do { if (condition) ; } while(0)
62443+#define BUG_ON(condition) do { if (condition) for (;;) ; } while(0)
62444 #endif
62445
62446 #ifndef HAVE_ARCH_WARN_ON
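Review bot: The new `!CONFIG_BUG` fallbacks for `BUG()` and `BUG_ON()` spin in a bare `for (;;) ;` with no comment, so a reader cannot tell that the hang is deliberate rather than a leftover. The intent appears to be that a failed assertion must not fall through into code written on the assumption that it is unreachable. I would say so above the `#ifndef HAVE_ARCH_BUG` line, for example `/* !CONFIG_BUG: never return; code after BUG() assumes it is unreachable */`. The halt is also silent, so the comment should note that no message is logged on this path.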
62447diff -urNp linux-2.6.32.48/include/asm-generic/cache.h linux-2.6.32.48/include/asm-generic/cache.h
62448--- linux-2.6.32.48/include/asm-generic/cache.h 2011-11-08 19:02:43.000000000 -0500
62449+++ linux-2.6.32.48/include/asm-generic/cache.h 2011-11-15 19:59:43.000000000 -0500
62450@@ -6,7 +6,7 @@
62451 * cache lines need to provide their own cache.h.
62452 */
62453
62454-#define L1_CACHE_SHIFT 5
62455-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
62456+#define L1_CACHE_SHIFT 5UL
62457+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
62458
62459 #endif /* __ASM_GENERIC_CACHE_H */
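Review bot: `#define L1_CACHE_SHIFT 5UL` puts a C-only integer suffix into a constant, which will not assemble if this header is reached from assembly or a linker script (no such use is visible in this hunk). The pgtable-nopmd.h and pgtable-nopud.h hunks of this same patch use `_AC(1,UL)` when they expose constants outside `__ASSEMBLY__` guards. The same form would be safer here: `#define L1_CACHE_SHIFT _AC(5,UL)` and `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, provided the header that defines `_AC` is included. If the header is C-only, a short comment saying so would do instead.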
62460diff -urNp linux-2.6.32.48/include/asm-generic/dma-mapping-common.h linux-2.6.32.48/include/asm-generic/dma-mapping-common.h
62461--- linux-2.6.32.48/include/asm-generic/dma-mapping-common.h 2011-11-08 19:02:43.000000000 -0500
62462+++ linux-2.6.32.48/include/asm-generic/dma-mapping-common.h 2011-11-15 19:59:43.000000000 -0500
62463@@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
62464 enum dma_data_direction dir,
62465 struct dma_attrs *attrs)
62466 {
62467- struct dma_map_ops *ops = get_dma_ops(dev);
62468+ const struct dma_map_ops *ops = get_dma_ops(dev);
62469 dma_addr_t addr;
62470
62471 kmemcheck_mark_initialized(ptr, size);
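Review bot: The `const` added to `ops` in `dma_map_single_attrs()` qualifies only this local pointer. Whether the ops table actually becomes read-only depends on `get_dma_ops()` returning `const struct dma_map_ops *` and on each table being defined `const`, neither of which is visible here. If `get_dma_ops()` still returns a non-const pointer, the change compiles without a diagnostic and protects nothing, so the prototype should be confirmed as changed in the same patch. The same applies to the remaining hunks of this file, which make the identical one-line change; all the function bodies continue outside their hunks.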
62472@@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
62473 enum dma_data_direction dir,
62474 struct dma_attrs *attrs)
62475 {
62476- struct dma_map_ops *ops = get_dma_ops(dev);
62477+ const struct dma_map_ops *ops = get_dma_ops(dev);
62478
62479 BUG_ON(!valid_dma_direction(dir));
62480 if (ops->unmap_page)
62481@@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
62482 int nents, enum dma_data_direction dir,
62483 struct dma_attrs *attrs)
62484 {
62485- struct dma_map_ops *ops = get_dma_ops(dev);
62486+ const struct dma_map_ops *ops = get_dma_ops(dev);
62487 int i, ents;
62488 struct scatterlist *s;
62489
62490@@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
62491 int nents, enum dma_data_direction dir,
62492 struct dma_attrs *attrs)
62493 {
62494- struct dma_map_ops *ops = get_dma_ops(dev);
62495+ const struct dma_map_ops *ops = get_dma_ops(dev);
62496
62497 BUG_ON(!valid_dma_direction(dir));
62498 debug_dma_unmap_sg(dev, sg, nents, dir);
62499@@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
62500 size_t offset, size_t size,
62501 enum dma_data_direction dir)
62502 {
62503- struct dma_map_ops *ops = get_dma_ops(dev);
62504+ const struct dma_map_ops *ops = get_dma_ops(dev);
62505 dma_addr_t addr;
62506
62507 kmemcheck_mark_initialized(page_address(page) + offset, size);
62508@@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
62509 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
62510 size_t size, enum dma_data_direction dir)
62511 {
62512- struct dma_map_ops *ops = get_dma_ops(dev);
62513+ const struct dma_map_ops *ops = get_dma_ops(dev);
62514
62515 BUG_ON(!valid_dma_direction(dir));
62516 if (ops->unmap_page)
62517@@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
62518 size_t size,
62519 enum dma_data_direction dir)
62520 {
62521- struct dma_map_ops *ops = get_dma_ops(dev);
62522+ const struct dma_map_ops *ops = get_dma_ops(dev);
62523
62524 BUG_ON(!valid_dma_direction(dir));
62525 if (ops->sync_single_for_cpu)
62526@@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
62527 dma_addr_t addr, size_t size,
62528 enum dma_data_direction dir)
62529 {
62530- struct dma_map_ops *ops = get_dma_ops(dev);
62531+ const struct dma_map_ops *ops = get_dma_ops(dev);
62532
62533 BUG_ON(!valid_dma_direction(dir));
62534 if (ops->sync_single_for_device)
62535@@ -123,7 +123,7 @@ static inline void dma_sync_single_range
62536 size_t size,
62537 enum dma_data_direction dir)
62538 {
62539- struct dma_map_ops *ops = get_dma_ops(dev);
62540+ const struct dma_map_ops *ops = get_dma_ops(dev);
62541
62542 BUG_ON(!valid_dma_direction(dir));
62543 if (ops->sync_single_range_for_cpu) {
62544@@ -140,7 +140,7 @@ static inline void dma_sync_single_range
62545 size_t size,
62546 enum dma_data_direction dir)
62547 {
62548- struct dma_map_ops *ops = get_dma_ops(dev);
62549+ const struct dma_map_ops *ops = get_dma_ops(dev);
62550
62551 BUG_ON(!valid_dma_direction(dir));
62552 if (ops->sync_single_range_for_device) {
62553@@ -155,7 +155,7 @@ static inline void
62554 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
62555 int nelems, enum dma_data_direction dir)
62556 {
62557- struct dma_map_ops *ops = get_dma_ops(dev);
62558+ const struct dma_map_ops *ops = get_dma_ops(dev);
62559
62560 BUG_ON(!valid_dma_direction(dir));
62561 if (ops->sync_sg_for_cpu)
62562@@ -167,7 +167,7 @@ static inline void
62563 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
62564 int nelems, enum dma_data_direction dir)
62565 {
62566- struct dma_map_ops *ops = get_dma_ops(dev);
62567+ const struct dma_map_ops *ops = get_dma_ops(dev);
62568
62569 BUG_ON(!valid_dma_direction(dir));
62570 if (ops->sync_sg_for_device)
62571diff -urNp linux-2.6.32.48/include/asm-generic/emergency-restart.h linux-2.6.32.48/include/asm-generic/emergency-restart.h
62572--- linux-2.6.32.48/include/asm-generic/emergency-restart.h 2011-11-08 19:02:43.000000000 -0500
62573+++ linux-2.6.32.48/include/asm-generic/emergency-restart.h 2011-11-15 19:59:43.000000000 -0500
62574@@ -1,7 +1,7 @@
62575 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
62576 #define _ASM_GENERIC_EMERGENCY_RESTART_H
62577
62578-static inline void machine_emergency_restart(void)
62579+static inline __noreturn void machine_emergency_restart(void)
62580 {
62581 machine_restart(NULL);
62582 }
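Review bot: `__noreturn` on `machine_emergency_restart()` is only correct if `machine_restart()` itself never returns, and its declaration is not in this hunk. If it is not annotated, the compiler will warn that a noreturn function returns; if an architecture's implementation can return, falling off the end here is undefined behaviour. Either confirm that `machine_restart()` carries the same attribute, or make the contract explicit after the call with `for (;;) ;`, as the `BUG()` fallback in this patch does.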
62583diff -urNp linux-2.6.32.48/include/asm-generic/futex.h linux-2.6.32.48/include/asm-generic/futex.h
62584--- linux-2.6.32.48/include/asm-generic/futex.h 2011-11-08 19:02:43.000000000 -0500
62585+++ linux-2.6.32.48/include/asm-generic/futex.h 2011-11-15 19:59:43.000000000 -0500
62586@@ -6,7 +6,7 @@
62587 #include <asm/errno.h>
62588
62589 static inline int
62590-futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
62591+futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
62592 {
62593 int op = (encoded_op >> 28) & 7;
62594 int cmp = (encoded_op >> 24) & 15;
62595@@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
62596 }
62597
62598 static inline int
62599-futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
62600+futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
62601 {
62602 return -ENOSYS;
62603 }
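Review bot: `futex_atomic_cmpxchg_inatomic()` now takes `u32 __user *uaddr`, but `oldval` and `newval` stay `int`, so the compared and stored values have a different signedness from the word they are applied to. The previous hunk does the same for `futex_atomic_op_inuser()`, whose body continues outside the hunk. For consistency the value parameters could follow the pointer, `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`, though the architecture-specific versions (not visible here) would need the same signature. If the mismatch is intentional, a one-line comment saying that the values are reinterpreted as `u32` would help.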
62604diff -urNp linux-2.6.32.48/include/asm-generic/int-l64.h linux-2.6.32.48/include/asm-generic/int-l64.h
62605--- linux-2.6.32.48/include/asm-generic/int-l64.h 2011-11-08 19:02:43.000000000 -0500
62606+++ linux-2.6.32.48/include/asm-generic/int-l64.h 2011-11-15 19:59:43.000000000 -0500
62607@@ -46,6 +46,8 @@ typedef unsigned int u32;
62608 typedef signed long s64;
62609 typedef unsigned long u64;
62610
62611+typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
62612+
62613 #define S8_C(x) x
62614 #define U8_C(x) x ## U
62615 #define S16_C(x) x
62616diff -urNp linux-2.6.32.48/include/asm-generic/int-ll64.h linux-2.6.32.48/include/asm-generic/int-ll64.h
62617--- linux-2.6.32.48/include/asm-generic/int-ll64.h 2011-11-08 19:02:43.000000000 -0500
62618+++ linux-2.6.32.48/include/asm-generic/int-ll64.h 2011-11-15 19:59:43.000000000 -0500
62619@@ -51,6 +51,8 @@ typedef unsigned int u32;
62620 typedef signed long long s64;
62621 typedef unsigned long long u64;
62622
62623+typedef unsigned long long intoverflow_t;
62624+
62625 #define S8_C(x) x
62626 #define U8_C(x) x ## U
62627 #define S16_C(x) x
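Review bot: `typedef unsigned long long intoverflow_t;` is 64 bits wide, the same width as `unsigned long` on any LP64 architecture that includes this header rather than int-l64.h. The name and the 128-bit `mode(TI)` definition in the int-l64.h hunk suggest the type is meant to be wider than `long`, so that a size computation can be compared against the `long` range; its users are not visible here, so this is inferred. If so, that comparison can never be true on such an architecture and the check is silently a no-op. At minimum the typedef needs a comment stating the width contract, e.g. `/* must be wider than unsigned long for overflow checks to be effective */`. The 64-bit case should then select the TI-mode definition.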
62628diff -urNp linux-2.6.32.48/include/asm-generic/kmap_types.h linux-2.6.32.48/include/asm-generic/kmap_types.h
62629--- linux-2.6.32.48/include/asm-generic/kmap_types.h 2011-11-08 19:02:43.000000000 -0500
62630+++ linux-2.6.32.48/include/asm-generic/kmap_types.h 2011-11-15 19:59:43.000000000 -0500
62631@@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
62632 KMAP_D(16) KM_IRQ_PTE,
62633 KMAP_D(17) KM_NMI,
62634 KMAP_D(18) KM_NMI_PTE,
62635-KMAP_D(19) KM_TYPE_NR
62636+KMAP_D(19) KM_CLEARPAGE,
62637+KMAP_D(20) KM_TYPE_NR
62638 };
62639
62640 #undef KMAP_D
62641diff -urNp linux-2.6.32.48/include/asm-generic/pgtable.h linux-2.6.32.48/include/asm-generic/pgtable.h
62642--- linux-2.6.32.48/include/asm-generic/pgtable.h 2011-11-08 19:02:43.000000000 -0500
62643+++ linux-2.6.32.48/include/asm-generic/pgtable.h 2011-11-15 19:59:43.000000000 -0500
62644@@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
62645 unsigned long size);
62646 #endif
62647
62648+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
62649+static inline unsigned long pax_open_kernel(void) { return 0; }
62650+#endif
62651+
62652+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
62653+static inline unsigned long pax_close_kernel(void) { return 0; }
62654+#endif
62655+
62656 #endif /* !__ASSEMBLY__ */
62657
62658 #endif /* _ASM_GENERIC_PGTABLE_H */
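Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs return 0 and do nothing, and there is no comment saying so. On an architecture that does not define `__HAVE_ARCH_PAX_OPEN_KERNEL` / `__HAVE_ARCH_PAX_CLOSE_KERNEL`, code bracketed by these calls runs with no protection lifted or restored, which a reader of a call site cannot tell. I would add `/* Generic no-op: this architecture does not write-protect kernel data, so there is nothing to open or close */` above the first stub. The meaning of the `unsigned long` return value should also be documented, since the stubs always return 0.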
62659diff -urNp linux-2.6.32.48/include/asm-generic/pgtable-nopmd.h linux-2.6.32.48/include/asm-generic/pgtable-nopmd.h
62660--- linux-2.6.32.48/include/asm-generic/pgtable-nopmd.h 2011-11-08 19:02:43.000000000 -0500
62661+++ linux-2.6.32.48/include/asm-generic/pgtable-nopmd.h 2011-11-15 19:59:43.000000000 -0500
62662@@ -1,14 +1,19 @@
62663 #ifndef _PGTABLE_NOPMD_H
62664 #define _PGTABLE_NOPMD_H
62665
62666-#ifndef __ASSEMBLY__
62667-
62668 #include <asm-generic/pgtable-nopud.h>
62669
62670-struct mm_struct;
62671-
62672 #define __PAGETABLE_PMD_FOLDED
62673
62674+#define PMD_SHIFT PUD_SHIFT
62675+#define PTRS_PER_PMD 1
62676+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
62677+#define PMD_MASK (~(PMD_SIZE-1))
62678+
62679+#ifndef __ASSEMBLY__
62680+
62681+struct mm_struct;
62682+
62683 /*
62684 * Having the pmd type consist of a pud gets the size right, and allows
62685 * us to conceptually access the pud entry that this pmd is folded into
62686@@ -16,11 +21,6 @@ struct mm_struct;
62687 */
62688 typedef struct { pud_t pud; } pmd_t;
62689
62690-#define PMD_SHIFT PUD_SHIFT
62691-#define PTRS_PER_PMD 1
62692-#define PMD_SIZE (1UL << PMD_SHIFT)
62693-#define PMD_MASK (~(PMD_SIZE-1))
62694-
62695 /*
62696 * The "pud_xxx()" functions here are trivial for a folded two-level
62697 * setup: the pmd is never bad, and a pmd always exists (as it's folded
62698diff -urNp linux-2.6.32.48/include/asm-generic/pgtable-nopud.h linux-2.6.32.48/include/asm-generic/pgtable-nopud.h
62699--- linux-2.6.32.48/include/asm-generic/pgtable-nopud.h 2011-11-08 19:02:43.000000000 -0500
62700+++ linux-2.6.32.48/include/asm-generic/pgtable-nopud.h 2011-11-15 19:59:43.000000000 -0500
62701@@ -1,10 +1,15 @@
62702 #ifndef _PGTABLE_NOPUD_H
62703 #define _PGTABLE_NOPUD_H
62704
62705-#ifndef __ASSEMBLY__
62706-
62707 #define __PAGETABLE_PUD_FOLDED
62708
62709+#define PUD_SHIFT PGDIR_SHIFT
62710+#define PTRS_PER_PUD 1
62711+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
62712+#define PUD_MASK (~(PUD_SIZE-1))
62713+
62714+#ifndef __ASSEMBLY__
62715+
62716 /*
62717 * Having the pud type consist of a pgd gets the size right, and allows
62718 * us to conceptually access the pgd entry that this pud is folded into
62719@@ -12,11 +17,6 @@
62720 */
62721 typedef struct { pgd_t pgd; } pud_t;
62722
62723-#define PUD_SHIFT PGDIR_SHIFT
62724-#define PTRS_PER_PUD 1
62725-#define PUD_SIZE (1UL << PUD_SHIFT)
62726-#define PUD_MASK (~(PUD_SIZE-1))
62727-
62728 /*
62729 * The "pgd_xxx()" functions here are trivial for a folded two-level
62730 * setup: the pud is never bad, and a pud always exists (as it's folded
62731diff -urNp linux-2.6.32.48/include/asm-generic/vmlinux.lds.h linux-2.6.32.48/include/asm-generic/vmlinux.lds.h
62732--- linux-2.6.32.48/include/asm-generic/vmlinux.lds.h 2011-11-08 19:02:43.000000000 -0500
62733+++ linux-2.6.32.48/include/asm-generic/vmlinux.lds.h 2011-11-15 19:59:43.000000000 -0500
62734@@ -199,6 +199,7 @@
62735 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
62736 VMLINUX_SYMBOL(__start_rodata) = .; \
62737 *(.rodata) *(.rodata.*) \
62738+ *(.data.read_only) \
62739 *(__vermagic) /* Kernel version magic */ \
62740 *(__markers_strings) /* Markers: strings */ \
62741 *(__tracepoints_strings)/* Tracepoints: strings */ \
62742@@ -656,22 +657,24 @@
62743 * section in the linker script will go there too. @phdr should have
62744 * a leading colon.
62745 *
62746- * Note that this macros defines __per_cpu_load as an absolute symbol.
62747+ * Note that this macros defines per_cpu_load as an absolute symbol.
62748 * If there is no need to put the percpu section at a predetermined
62749 * address, use PERCPU().
62750 */
62751 #define PERCPU_VADDR(vaddr, phdr) \
62752- VMLINUX_SYMBOL(__per_cpu_load) = .; \
62753- .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
62754+ per_cpu_load = .; \
62755+ .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
62756 - LOAD_OFFSET) { \
62757+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
62758 VMLINUX_SYMBOL(__per_cpu_start) = .; \
62759 *(.data.percpu.first) \
62760- *(.data.percpu.page_aligned) \
62761 *(.data.percpu) \
62762+ . = ALIGN(PAGE_SIZE); \
62763+ *(.data.percpu.page_aligned) \
62764 *(.data.percpu.shared_aligned) \
62765 VMLINUX_SYMBOL(__per_cpu_end) = .; \
62766 } phdr \
62767- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
62768+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
62769
62770 /**
62771 * PERCPU - define output section for percpu area, simple version
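Review bot: In `PERCPU_VADDR` the new symbol is defined bare as `per_cpu_load = .;` but referenced as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT()` expression and in the final location assignment, and bare again in `. + per_cpu_load`. On a configuration where `VMLINUX_SYMBOL()` adds a prefix, the wrapped references would not name the symbol that was defined. Use one form throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The edited comment now mentions only `per_cpu_load`, while the macro still defines `__per_cpu_load` inside the section; the comment should describe both and say how they differ.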
62772diff -urNp linux-2.6.32.48/include/drm/drm_crtc_helper.h linux-2.6.32.48/include/drm/drm_crtc_helper.h
62773--- linux-2.6.32.48/include/drm/drm_crtc_helper.h 2011-11-08 19:02:43.000000000 -0500
62774+++ linux-2.6.32.48/include/drm/drm_crtc_helper.h 2011-11-15 19:59:43.000000000 -0500
62775@@ -64,7 +64,7 @@ struct drm_crtc_helper_funcs {
62776
62777 /* reload the current crtc LUT */
62778 void (*load_lut)(struct drm_crtc *crtc);
62779-};
62780+} __no_const;
62781
62782 struct drm_encoder_helper_funcs {
62783 void (*dpms)(struct drm_encoder *encoder, int mode);
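Review bot: `__no_const` on `drm_crtc_helper_funcs` and `drm_encoder_helper_funcs` exempts two tables of function pointers from constification, and nothing in the hunk records why. Writable function-pointer tables are exactly what the constify attributes (defined in the compiler-gcc4.h hunk of this patch) are meant to reduce. Each exemption should carry a one-line justification so it can be revisited, e.g. `/* __no_const: instances are filled in at runtime (see <caller>) */` with the real caller named. The same applies to `ttm_mem_shrink` in ttm_memory.h and to `cipher_tfm`, `compress_tfm` and `rng_tfm` in crypto.h.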
62784@@ -85,7 +85,7 @@ struct drm_encoder_helper_funcs {
62785 struct drm_connector *connector);
62786 /* disable encoder when not in use - more explicit than dpms off */
62787 void (*disable)(struct drm_encoder *encoder);
62788-};
62789+} __no_const;
62790
62791 struct drm_connector_helper_funcs {
62792 int (*get_modes)(struct drm_connector *connector);
62793diff -urNp linux-2.6.32.48/include/drm/drmP.h linux-2.6.32.48/include/drm/drmP.h
62794--- linux-2.6.32.48/include/drm/drmP.h 2011-11-08 19:02:43.000000000 -0500
62795+++ linux-2.6.32.48/include/drm/drmP.h 2011-11-15 19:59:43.000000000 -0500
62796@@ -71,6 +71,7 @@
62797 #include <linux/workqueue.h>
62798 #include <linux/poll.h>
62799 #include <asm/pgalloc.h>
62800+#include <asm/local.h>
62801 #include "drm.h"
62802
62803 #include <linux/idr.h>
62804@@ -814,7 +815,7 @@ struct drm_driver {
62805 void (*vgaarb_irq)(struct drm_device *dev, bool state);
62806
62807 /* Driver private ops for this object */
62808- struct vm_operations_struct *gem_vm_ops;
62809+ const struct vm_operations_struct *gem_vm_ops;
62810
62811 int major;
62812 int minor;
62813@@ -917,7 +918,7 @@ struct drm_device {
62814
62815 /** \name Usage Counters */
62816 /*@{ */
62817- int open_count; /**< Outstanding files open */
62818+ local_t open_count; /**< Outstanding files open */
62819 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
62820 atomic_t vma_count; /**< Outstanding vma areas open */
62821 int buf_use; /**< Buffers in use -- cannot alloc */
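Review bot: `local_t open_count` changes a per-device counter to a type whose operations are atomic only with respect to the CPU they run on, yet `struct drm_device` is not per-CPU data. If every update of `open_count` is serialised by a lock (the users are not visible in this hunk), the change is harmless but the type is misleading. If not, concurrent opens and releases on different CPUs can lose updates. If the goal is a counter exempt from overflow checking, `atomic_unchecked_t open_count;` would match what the next hunk does for `counts[15]`. The struct body continues outside the hunk.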
62822@@ -928,7 +929,7 @@ struct drm_device {
62823 /*@{ */
62824 unsigned long counters;
62825 enum drm_stat_type types[15];
62826- atomic_t counts[15];
62827+ atomic_unchecked_t counts[15];
62828 /*@} */
62829
62830 struct list_head filelist;
62831@@ -1016,7 +1017,7 @@ struct drm_device {
62832 struct pci_controller *hose;
62833 #endif
62834 struct drm_sg_mem *sg; /**< Scatter gather memory */
62835- unsigned int num_crtcs; /**< Number of CRTCs on this device */
62836+ unsigned int num_crtcs; /**< Number of CRTCs on this device */
62837 void *dev_private; /**< device private data */
62838 void *mm_private;
62839 struct address_space *dev_mapping;
62840@@ -1042,11 +1043,11 @@ struct drm_device {
62841 spinlock_t object_name_lock;
62842 struct idr object_name_idr;
62843 atomic_t object_count;
62844- atomic_t object_memory;
62845+ atomic_unchecked_t object_memory;
62846 atomic_t pin_count;
62847- atomic_t pin_memory;
62848+ atomic_unchecked_t pin_memory;
62849 atomic_t gtt_count;
62850- atomic_t gtt_memory;
62851+ atomic_unchecked_t gtt_memory;
62852 uint32_t gtt_total;
62853 uint32_t invalidate_domains; /* domains pending invalidation */
62854 uint32_t flush_domains; /* domains pending flush */
62855diff -urNp linux-2.6.32.48/include/drm/ttm/ttm_memory.h linux-2.6.32.48/include/drm/ttm/ttm_memory.h
62856--- linux-2.6.32.48/include/drm/ttm/ttm_memory.h 2011-11-08 19:02:43.000000000 -0500
62857+++ linux-2.6.32.48/include/drm/ttm/ttm_memory.h 2011-11-15 19:59:43.000000000 -0500
62858@@ -47,7 +47,7 @@
62859
62860 struct ttm_mem_shrink {
62861 int (*do_shrink) (struct ttm_mem_shrink *);
62862-};
62863+} __no_const;
62864
62865 /**
62866 * struct ttm_mem_global - Global memory accounting structure.
62867diff -urNp linux-2.6.32.48/include/linux/a.out.h linux-2.6.32.48/include/linux/a.out.h
62868--- linux-2.6.32.48/include/linux/a.out.h 2011-11-08 19:02:43.000000000 -0500
62869+++ linux-2.6.32.48/include/linux/a.out.h 2011-11-15 19:59:43.000000000 -0500
62870@@ -39,6 +39,14 @@ enum machine_type {
62871 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
62872 };
62873
62874+/* Constants for the N_FLAGS field */
62875+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
62876+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
62877+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
62878+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
62879+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
62880+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
62881+
62882 #if !defined (N_MAGIC)
62883 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
62884 #endif
62885diff -urNp linux-2.6.32.48/include/linux/atmdev.h linux-2.6.32.48/include/linux/atmdev.h
62886--- linux-2.6.32.48/include/linux/atmdev.h 2011-11-08 19:02:43.000000000 -0500
62887+++ linux-2.6.32.48/include/linux/atmdev.h 2011-11-15 19:59:43.000000000 -0500
62888@@ -237,7 +237,7 @@ struct compat_atm_iobuf {
62889 #endif
62890
62891 struct k_atm_aal_stats {
62892-#define __HANDLE_ITEM(i) atomic_t i
62893+#define __HANDLE_ITEM(i) atomic_unchecked_t i
62894 __AAL_STAT_ITEMS
62895 #undef __HANDLE_ITEM
62896 };
62897diff -urNp linux-2.6.32.48/include/linux/backlight.h linux-2.6.32.48/include/linux/backlight.h
62898--- linux-2.6.32.48/include/linux/backlight.h 2011-11-08 19:02:43.000000000 -0500
62899+++ linux-2.6.32.48/include/linux/backlight.h 2011-11-15 19:59:43.000000000 -0500
62900@@ -36,18 +36,18 @@ struct backlight_device;
62901 struct fb_info;
62902
62903 struct backlight_ops {
62904- unsigned int options;
62905+ const unsigned int options;
62906
62907 #define BL_CORE_SUSPENDRESUME (1 << 0)
62908
62909 /* Notify the backlight driver some property has changed */
62910- int (*update_status)(struct backlight_device *);
62911+ int (* const update_status)(struct backlight_device *);
62912 /* Return the current backlight brightness (accounting for power,
62913 fb_blank etc.) */
62914- int (*get_brightness)(struct backlight_device *);
62915+ int (* const get_brightness)(struct backlight_device *);
62916 /* Check if given framebuffer device is the one bound to this backlight;
62917 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
62918- int (*check_fb)(struct fb_info *);
62919+ int (* const check_fb)(struct fb_info *);
62920 };
62921
62922 /* This structure defines all the properties of a backlight */
62923@@ -86,7 +86,7 @@ struct backlight_device {
62924 registered this device has been unloaded, and if class_get_devdata()
62925 points to something in the body of that driver, it is also invalid. */
62926 struct mutex ops_lock;
62927- struct backlight_ops *ops;
62928+ const struct backlight_ops *ops;
62929
62930 /* The framebuffer notifier block */
62931 struct notifier_block fb_notif;
62932@@ -103,7 +103,7 @@ static inline void backlight_update_stat
62933 }
62934
62935 extern struct backlight_device *backlight_device_register(const char *name,
62936- struct device *dev, void *devdata, struct backlight_ops *ops);
62937+ struct device *dev, void *devdata, const struct backlight_ops *ops);
62938 extern void backlight_device_unregister(struct backlight_device *bd);
62939 extern void backlight_force_update(struct backlight_device *bd,
62940 enum backlight_update_reason reason);
62941diff -urNp linux-2.6.32.48/include/linux/binfmts.h linux-2.6.32.48/include/linux/binfmts.h
62942--- linux-2.6.32.48/include/linux/binfmts.h 2011-11-08 19:02:43.000000000 -0500
62943+++ linux-2.6.32.48/include/linux/binfmts.h 2011-11-15 19:59:43.000000000 -0500
62944@@ -83,6 +83,7 @@ struct linux_binfmt {
62945 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
62946 int (*load_shlib)(struct file *);
62947 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
62948+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
62949 unsigned long min_coredump; /* minimal dump size */
62950 int hasvdso;
62951 };
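Review bot: `handle_mprotect` is added to `struct linux_binfmt` without a comment, and existing binfmt instances will leave it NULL, so every call site has to test the pointer before calling it. The call sites are not in this hunk, so that check cannot be confirmed here. I would document the contract on the member, e.g. `/* optional, may be NULL; called when a mapping's protection flags change */`, where the second half is inferred from the name and should be checked against the caller.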
62952diff -urNp linux-2.6.32.48/include/linux/blkdev.h linux-2.6.32.48/include/linux/blkdev.h
62953--- linux-2.6.32.48/include/linux/blkdev.h 2011-11-08 19:02:43.000000000 -0500
62954+++ linux-2.6.32.48/include/linux/blkdev.h 2011-11-15 19:59:43.000000000 -0500
62955@@ -1278,7 +1278,7 @@ struct block_device_operations {
62956 int (*revalidate_disk) (struct gendisk *);
62957 int (*getgeo)(struct block_device *, struct hd_geometry *);
62958 struct module *owner;
62959-};
62960+} __do_const;
62961
62962 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
62963 unsigned long);
62964diff -urNp linux-2.6.32.48/include/linux/blktrace_api.h linux-2.6.32.48/include/linux/blktrace_api.h
62965--- linux-2.6.32.48/include/linux/blktrace_api.h 2011-11-08 19:02:43.000000000 -0500
62966+++ linux-2.6.32.48/include/linux/blktrace_api.h 2011-11-15 19:59:43.000000000 -0500
62967@@ -160,7 +160,7 @@ struct blk_trace {
62968 struct dentry *dir;
62969 struct dentry *dropped_file;
62970 struct dentry *msg_file;
62971- atomic_t dropped;
62972+ atomic_unchecked_t dropped;
62973 };
62974
62975 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
62976diff -urNp linux-2.6.32.48/include/linux/byteorder/little_endian.h linux-2.6.32.48/include/linux/byteorder/little_endian.h
62977--- linux-2.6.32.48/include/linux/byteorder/little_endian.h 2011-11-08 19:02:43.000000000 -0500
62978+++ linux-2.6.32.48/include/linux/byteorder/little_endian.h 2011-11-15 19:59:43.000000000 -0500
62979@@ -42,51 +42,51 @@
62980
62981 static inline __le64 __cpu_to_le64p(const __u64 *p)
62982 {
62983- return (__force __le64)*p;
62984+ return (__force const __le64)*p;
62985 }
62986 static inline __u64 __le64_to_cpup(const __le64 *p)
62987 {
62988- return (__force __u64)*p;
62989+ return (__force const __u64)*p;
62990 }
62991 static inline __le32 __cpu_to_le32p(const __u32 *p)
62992 {
62993- return (__force __le32)*p;
62994+ return (__force const __le32)*p;
62995 }
62996 static inline __u32 __le32_to_cpup(const __le32 *p)
62997 {
62998- return (__force __u32)*p;
62999+ return (__force const __u32)*p;
63000 }
63001 static inline __le16 __cpu_to_le16p(const __u16 *p)
63002 {
63003- return (__force __le16)*p;
63004+ return (__force const __le16)*p;
63005 }
63006 static inline __u16 __le16_to_cpup(const __le16 *p)
63007 {
63008- return (__force __u16)*p;
63009+ return (__force const __u16)*p;
63010 }
63011 static inline __be64 __cpu_to_be64p(const __u64 *p)
63012 {
63013- return (__force __be64)__swab64p(p);
63014+ return (__force const __be64)__swab64p(p);
63015 }
63016 static inline __u64 __be64_to_cpup(const __be64 *p)
63017 {
63018- return __swab64p((__u64 *)p);
63019+ return __swab64p((const __u64 *)p);
63020 }
63021 static inline __be32 __cpu_to_be32p(const __u32 *p)
63022 {
63023- return (__force __be32)__swab32p(p);
63024+ return (__force const __be32)__swab32p(p);
63025 }
63026 static inline __u32 __be32_to_cpup(const __be32 *p)
63027 {
63028- return __swab32p((__u32 *)p);
63029+ return __swab32p((const __u32 *)p);
63030 }
63031 static inline __be16 __cpu_to_be16p(const __u16 *p)
63032 {
63033- return (__force __be16)__swab16p(p);
63034+ return (__force const __be16)__swab16p(p);
63035 }
63036 static inline __u16 __be16_to_cpup(const __be16 *p)
63037 {
63038- return __swab16p((__u16 *)p);
63039+ return __swab16p((const __u16 *)p);
63040 }
63041 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
63042 #define __le64_to_cpus(x) do { (void)(x); } while (0)
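Review bot: The `const` added to the value casts, such as `(__force const __le64)*p` and `(__force const __be64)__swab64p(p)`, has no effect in C, because the result of a cast is an rvalue and carries no qualifier. The changes that do matter are the pointer casts in the `__be*_to_cpup()` helpers, e.g. `__swab64p((const __u64 *)p)`, which stop casting away the `const` of the parameter. Unless a checker plugin requires the qualified value casts (not stated here), I would keep only the three pointer-cast changes and leave the rest as `(__force __le64)*p` to keep the diff to what changes behaviour.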
63043diff -urNp linux-2.6.32.48/include/linux/cache.h linux-2.6.32.48/include/linux/cache.h
63044--- linux-2.6.32.48/include/linux/cache.h 2011-11-08 19:02:43.000000000 -0500
63045+++ linux-2.6.32.48/include/linux/cache.h 2011-11-15 19:59:43.000000000 -0500
63046@@ -16,6 +16,10 @@
63047 #define __read_mostly
63048 #endif
63049
63050+#ifndef __read_only
63051+#define __read_only __read_mostly
63052+#endif
63053+
63054 #ifndef ____cacheline_aligned
63055 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
63056 #endif
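Review bot: The fallback `#define __read_only __read_mostly` turns the annotation into a placement hint only, so on any architecture that does not supply its own `__read_only` the marked objects stay writable. That is a workable default, but the name promises more than the fallback delivers and the hunk says nothing about it. Add a comment such as `/* Fallback: no write protection, data is only grouped with read-mostly objects */` so that nobody relies on the attribute as a guarantee.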
63057diff -urNp linux-2.6.32.48/include/linux/capability.h linux-2.6.32.48/include/linux/capability.h
63058--- linux-2.6.32.48/include/linux/capability.h 2011-11-08 19:02:43.000000000 -0500
63059+++ linux-2.6.32.48/include/linux/capability.h 2011-11-15 19:59:43.000000000 -0500
63060@@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
63061 (security_real_capable_noaudit((t), (cap)) == 0)
63062
63063 extern int capable(int cap);
63064+int capable_nolog(int cap);
63065
63066 /* audit system wants to get cap info from files as well */
63067 struct dentry;
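Review bot: `int capable_nolog(int cap);` is declared without `extern`, unlike `extern int capable(int cap);` on the line above it, and without a comment on how it differs. Since this is a second entry point to a privilege check, the difference should be stated where callers will see it: `extern int capable_nolog(int cap); /* as capable(), but without logging the check */`. That wording is inferred from the name, because the definition is not in this hunk, and should be adjusted to what the function actually does.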
63068diff -urNp linux-2.6.32.48/include/linux/compiler-gcc4.h linux-2.6.32.48/include/linux/compiler-gcc4.h
63069--- linux-2.6.32.48/include/linux/compiler-gcc4.h 2011-11-08 19:02:43.000000000 -0500
63070+++ linux-2.6.32.48/include/linux/compiler-gcc4.h 2011-11-15 19:59:43.000000000 -0500
63071@@ -36,4 +36,16 @@
63072 the kernel context */
63073 #define __cold __attribute__((__cold__))
63074
63075+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
63076+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
63077+#define __bos0(ptr) __bos((ptr), 0)
63078+#define __bos1(ptr) __bos((ptr), 1)
63079+
63080+#if __GNUC_MINOR__ >= 5
63081+#ifdef CONSTIFY_PLUGIN
63082+#define __no_const __attribute__((no_const))
63083+#define __do_const __attribute__((do_const))
63084+#endif
63085+#endif
63086+
63087 #endif
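Review bot: `__alloc_size` is defined for every GCC 4.x release, while only the plugin attributes below it are version-guarded with `#if __GNUC_MINOR__ >= 5`. As far as I know the `alloc_size` attribute was introduced in GCC 4.3, so on 4.0 to 4.2 each annotated prototype would produce an unknown-attribute warning. A guard such as `#if __GNUC_MINOR__ >= 3` around the `__alloc_size` definition would let the empty fallback in compiler.h take over on older compilers. The spelling `__attribute((` also differs from the `__attribute__((` used for `__cold` just above; the two should match.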
63088diff -urNp linux-2.6.32.48/include/linux/compiler.h linux-2.6.32.48/include/linux/compiler.h
63089--- linux-2.6.32.48/include/linux/compiler.h 2011-11-08 19:02:43.000000000 -0500
63090+++ linux-2.6.32.48/include/linux/compiler.h 2011-11-15 19:59:43.000000000 -0500
63091@@ -5,11 +5,14 @@
63092
63093 #ifdef __CHECKER__
63094 # define __user __attribute__((noderef, address_space(1)))
63095+# define __force_user __force __user
63096 # define __kernel /* default address space */
63097+# define __force_kernel __force __kernel
63098 # define __safe __attribute__((safe))
63099 # define __force __attribute__((force))
63100 # define __nocast __attribute__((nocast))
63101 # define __iomem __attribute__((noderef, address_space(2)))
63102+# define __force_iomem __force __iomem
63103 # define __acquires(x) __attribute__((context(x,0,1)))
63104 # define __releases(x) __attribute__((context(x,1,0)))
63105 # define __acquire(x) __context__(x,1)
63106@@ -17,13 +20,34 @@
63107 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
63108 extern void __chk_user_ptr(const volatile void __user *);
63109 extern void __chk_io_ptr(const volatile void __iomem *);
63110+#elif defined(CHECKER_PLUGIN)
63111+//# define __user
63112+//# define __force_user
63113+//# define __kernel
63114+//# define __force_kernel
63115+# define __safe
63116+# define __force
63117+# define __nocast
63118+# define __iomem
63119+# define __force_iomem
63120+# define __chk_user_ptr(x) (void)0
63121+# define __chk_io_ptr(x) (void)0
63122+# define __builtin_warning(x, y...) (1)
63123+# define __acquires(x)
63124+# define __releases(x)
63125+# define __acquire(x) (void)0
63126+# define __release(x) (void)0
63127+# define __cond_lock(x,c) (c)
63128 #else
63129 # define __user
63130+# define __force_user
63131 # define __kernel
63132+# define __force_kernel
63133 # define __safe
63134 # define __force
63135 # define __nocast
63136 # define __iomem
63137+# define __force_iomem
63138 # define __chk_user_ptr(x) (void)0
63139 # define __chk_io_ptr(x) (void)0
63140 # define __builtin_warning(x, y...) (1)
63141@@ -247,6 +271,14 @@ void ftrace_likely_update(struct ftrace_
63142 # define __attribute_const__ /* unimplemented */
63143 #endif
63144
63145+#ifndef __no_const
63146+# define __no_const
63147+#endif
63148+
63149+#ifndef __do_const
63150+# define __do_const
63151+#endif
63152+
63153 /*
63154 * Tell gcc if a function is cold. The compiler will assume any path
63155 * directly leading to the call is unlikely.
63156@@ -256,6 +288,22 @@ void ftrace_likely_update(struct ftrace_
63157 #define __cold
63158 #endif
63159
63160+#ifndef __alloc_size
63161+#define __alloc_size(...)
63162+#endif
63163+
63164+#ifndef __bos
63165+#define __bos(ptr, arg)
63166+#endif
63167+
63168+#ifndef __bos0
63169+#define __bos0(ptr)
63170+#endif
63171+
63172+#ifndef __bos1
63173+#define __bos1(ptr)
63174+#endif
63175+
63176 /* Simple shorthand for a section definition */
63177 #ifndef __section
63178 # define __section(S) __attribute__ ((__section__(#S)))
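Review bot: The fallbacks `#define __bos(ptr, arg)`, `__bos0(ptr)` and `__bos1(ptr)` expand to nothing, so on a compiler that does not get the definitions from compiler-gcc4.h any use of them as a value, such as `size_t sz = __bos0(p);`, is a syntax error. `__builtin_object_size()` reports `(size_t)-1` for an unknown size in modes 0 and 1, so the fallback can return the same value and keep size checks compiling, with the check simply disabled: `#define __bos(ptr, arg) ((size_t)-1)`, `#define __bos0(ptr) __bos((ptr), 0)`, `#define __bos1(ptr) __bos((ptr), 1)`. The users of these macros are not visible here, so confirm that they treat `(size_t)-1` as "unknown".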
63179@@ -278,6 +326,7 @@ void ftrace_likely_update(struct ftrace_
63180 * use is to mediate communication between process-level code and irq/NMI
63181 * handlers, all running on the same CPU.
63182 */
63183-#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
63184+#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
63185+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
63186
63187 #endif /* __LINUX_COMPILER_H */
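Review bot: `ACCESS_ONCE()` now yields a `const`-qualified lvalue, so stores have to use the new `ACCESS_ONCE_RW()`, but the comment block above the macros is unchanged and still describes a single macro. Add a line to it, e.g. `/* ACCESS_ONCE() is for loads only; use ACCESS_ONCE_RW() where the access is a store */`, so that a compile error on an existing `ACCESS_ONCE(x) = v` points the reader to the right replacement. The comment block starts outside this hunk.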
63188diff -urNp linux-2.6.32.48/include/linux/crypto.h linux-2.6.32.48/include/linux/crypto.h
63189--- linux-2.6.32.48/include/linux/crypto.h 2011-11-08 19:02:43.000000000 -0500
63190+++ linux-2.6.32.48/include/linux/crypto.h 2011-11-15 19:59:43.000000000 -0500
63191@@ -394,7 +394,7 @@ struct cipher_tfm {
63192 const u8 *key, unsigned int keylen);
63193 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
63194 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
63195-};
63196+} __no_const;
63197
63198 struct hash_tfm {
63199 int (*init)(struct hash_desc *desc);
63200@@ -415,13 +415,13 @@ struct compress_tfm {
63201 int (*cot_decompress)(struct crypto_tfm *tfm,
63202 const u8 *src, unsigned int slen,
63203 u8 *dst, unsigned int *dlen);
63204-};
63205+} __no_const;
63206
63207 struct rng_tfm {
63208 int (*rng_gen_random)(struct crypto_rng *tfm, u8 *rdata,
63209 unsigned int dlen);
63210 int (*rng_reset)(struct crypto_rng *tfm, u8 *seed, unsigned int slen);
63211-};
63212+} __no_const;
63213
63214 #define crt_ablkcipher crt_u.ablkcipher
63215 #define crt_aead crt_u.aead
63216diff -urNp linux-2.6.32.48/include/linux/dcache.h linux-2.6.32.48/include/linux/dcache.h
63217--- linux-2.6.32.48/include/linux/dcache.h 2011-11-08 19:02:43.000000000 -0500
63218+++ linux-2.6.32.48/include/linux/dcache.h 2011-11-15 19:59:43.000000000 -0500
63219@@ -119,6 +119,8 @@ struct dentry {
63220 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
63221 };
63222
63223+#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
63224+
63225 /*
63226 * dentry->d_lock spinlock nesting subclasses:
63227 *
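Review bot: `DNAME_INLINE_LEN` is only the size of the inline name area while `d_iname` stays the last member of `struct dentry`, and nothing at the definition says so. The macro counts everything from `d_iname` to the end of the struct, tail padding included, so a field added after `d_iname` would silently be counted as name space and any copy bounded by this length could run over it. I would add `/* d_iname must remain the last member of struct dentry */` above the define. If the tree has `BUILD_BUG_ON`, a check that `DNAME_INLINE_LEN >= DNAME_INLINE_LEN_MIN` is cheap.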
63228diff -urNp linux-2.6.32.48/include/linux/decompress/mm.h linux-2.6.32.48/include/linux/decompress/mm.h
63229--- linux-2.6.32.48/include/linux/decompress/mm.h 2011-11-08 19:02:43.000000000 -0500
63230+++ linux-2.6.32.48/include/linux/decompress/mm.h 2011-11-15 19:59:43.000000000 -0500
63231@@ -78,7 +78,7 @@ static void free(void *where)
63232 * warnings when not needed (indeed large_malloc / large_free are not
63233 * needed by inflate */
63234
63235-#define malloc(a) kmalloc(a, GFP_KERNEL)
63236+#define malloc(a) kmalloc((a), GFP_KERNEL)
63237 #define free(a) kfree(a)
63238
63239 #define large_malloc(a) vmalloc(a)
63240diff -urNp linux-2.6.32.48/include/linux/dma-mapping.h linux-2.6.32.48/include/linux/dma-mapping.h
63241--- linux-2.6.32.48/include/linux/dma-mapping.h 2011-11-08 19:02:43.000000000 -0500
63242+++ linux-2.6.32.48/include/linux/dma-mapping.h 2011-11-15 19:59:43.000000000 -0500
63243@@ -16,51 +16,51 @@ enum dma_data_direction {
63244 };
63245
63246 struct dma_map_ops {
63247- void* (*alloc_coherent)(struct device *dev, size_t size,
63248+ void* (* const alloc_coherent)(struct device *dev, size_t size,
63249 dma_addr_t *dma_handle, gfp_t gfp);
63250- void (*free_coherent)(struct device *dev, size_t size,
63251+ void (* const free_coherent)(struct device *dev, size_t size,
63252 void *vaddr, dma_addr_t dma_handle);
63253- dma_addr_t (*map_page)(struct device *dev, struct page *page,
63254+ dma_addr_t (* const map_page)(struct device *dev, struct page *page,
63255 unsigned long offset, size_t size,
63256 enum dma_data_direction dir,
63257 struct dma_attrs *attrs);
63258- void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
63259+ void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
63260 size_t size, enum dma_data_direction dir,
63261 struct dma_attrs *attrs);
63262- int (*map_sg)(struct device *dev, struct scatterlist *sg,
63263+ int (* const map_sg)(struct device *dev, struct scatterlist *sg,
63264 int nents, enum dma_data_direction dir,
63265 struct dma_attrs *attrs);
63266- void (*unmap_sg)(struct device *dev,
63267+ void (* const unmap_sg)(struct device *dev,
63268 struct scatterlist *sg, int nents,
63269 enum dma_data_direction dir,
63270 struct dma_attrs *attrs);
63271- void (*sync_single_for_cpu)(struct device *dev,
63272+ void (* const sync_single_for_cpu)(struct device *dev,
63273 dma_addr_t dma_handle, size_t size,
63274 enum dma_data_direction dir);
63275- void (*sync_single_for_device)(struct device *dev,
63276+ void (* const sync_single_for_device)(struct device *dev,
63277 dma_addr_t dma_handle, size_t size,
63278 enum dma_data_direction dir);
63279- void (*sync_single_range_for_cpu)(struct device *dev,
63280+ void (* const sync_single_range_for_cpu)(struct device *dev,
63281 dma_addr_t dma_handle,
63282 unsigned long offset,
63283 size_t size,
63284 enum dma_data_direction dir);
63285- void (*sync_single_range_for_device)(struct device *dev,
63286+ void (* const sync_single_range_for_device)(struct device *dev,
63287 dma_addr_t dma_handle,
63288 unsigned long offset,
63289 size_t size,
63290 enum dma_data_direction dir);
63291- void (*sync_sg_for_cpu)(struct device *dev,
63292+ void (* const sync_sg_for_cpu)(struct device *dev,
63293 struct scatterlist *sg, int nents,
63294 enum dma_data_direction dir);
63295- void (*sync_sg_for_device)(struct device *dev,
63296+ void (* const sync_sg_for_device)(struct device *dev,
63297 struct scatterlist *sg, int nents,
63298 enum dma_data_direction dir);
63299- int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
63300- int (*dma_supported)(struct device *dev, u64 mask);
63301+ int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
63302+ int (* const dma_supported)(struct device *dev, u64 mask);
63303 int (*set_dma_mask)(struct device *dev, u64 mask);
63304 int is_phys;
63305-};
63306+} __do_const;
63307
63308 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
63309
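Review bot: `set_dma_mask` is the one function pointer in `dma_map_ops` left without `const`, and the struct is also tagged `__do_const`, so the two annotations disagree about whether that slot may be assigned after initialisation. If some architecture really fills it in at runtime, say so on the member with a comment such as `/* not const: assigned at runtime by <arch> */`, naming the architecture. Otherwise make it `int (* const set_dma_mask)(struct device *dev, u64 mask);` like its neighbours. Leaving one writable function pointer in an otherwise read-only ops table is the kind of exception that should be explained where it occurs.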
63310diff -urNp linux-2.6.32.48/include/linux/dst.h linux-2.6.32.48/include/linux/dst.h
63311--- linux-2.6.32.48/include/linux/dst.h 2011-11-08 19:02:43.000000000 -0500
63312+++ linux-2.6.32.48/include/linux/dst.h 2011-11-15 19:59:43.000000000 -0500
63313@@ -380,7 +380,7 @@ struct dst_node
63314 struct thread_pool *pool;
63315
63316 /* Transaction IDs live here */
63317- atomic_long_t gen;
63318+ atomic_long_unchecked_t gen;
63319
63320 /*
63321 * How frequently and how many times transaction
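Review bot: `gen` is switched to `atomic_long_unchecked_t` with no comment on why this counter may wrap. The `_unchecked` types presumably opt out of an overflow check applied to ordinary atomics, so each conversion asserts that the value is never used as a reference count. Extend the existing comment, for example `/* Transaction IDs live here; may wrap, never used as a refcount */`. The same applies to `fscache_op_debug_id` in the fscache-cache.h hunks and to `sync_io` in the genhd.h hunk.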
63322diff -urNp linux-2.6.32.48/include/linux/elf.h linux-2.6.32.48/include/linux/elf.h
63323--- linux-2.6.32.48/include/linux/elf.h 2011-11-08 19:02:43.000000000 -0500
63324+++ linux-2.6.32.48/include/linux/elf.h 2011-11-15 19:59:43.000000000 -0500
63325@@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
63326 #define PT_GNU_EH_FRAME 0x6474e550
63327
63328 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
63329+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
63330+
63331+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
63332+
63333+/* Constants for the e_flags field */
63334+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
63335+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
63336+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
63337+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
63338+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
63339+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
63340
63341 /* These constants define the different elf file types */
63342 #define ET_NONE 0
63343@@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
63344 #define DT_DEBUG 21
63345 #define DT_TEXTREL 22
63346 #define DT_JMPREL 23
63347+#define DT_FLAGS 30
63348+ #define DF_TEXTREL 0x00000004
63349 #define DT_ENCODING 32
63350 #define OLD_DT_LOOS 0x60000000
63351 #define DT_LOOS 0x6000000d
63352@@ -230,6 +243,19 @@ typedef struct elf64_hdr {
63353 #define PF_W 0x2
63354 #define PF_X 0x1
63355
63356+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
63357+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
63358+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
63359+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
63360+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
63361+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
63362+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
63363+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
63364+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
63365+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
63366+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
63367+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
63368+
63369 typedef struct elf32_phdr{
63370 Elf32_Word p_type;
63371 Elf32_Off p_offset;
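Review bot: Each PaX feature gets separate enable and disable bits (`PF_PAGEEXEC`/`PF_NOPAGEEXEC` and so on), but the header does not say what a loader should do when both bits of a pair are set or when neither is. The code that parses these flags is not in this hunk, so the precedence cannot be checked from here. A short comment above the block should state the rule so that tools writing `PT_PAX_FLAGS` and the kernel agree. The two commented-out `RANDEXEC` defines would also read better as a plain comment that bits 10 and 11 are reserved.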
63372@@ -322,6 +348,8 @@ typedef struct elf64_shdr {
63373 #define EI_OSABI 7
63374 #define EI_PAD 8
63375
63376+#define EI_PAX 14
63377+
63378 #define ELFMAG0 0x7f /* EI_MAG */
63379 #define ELFMAG1 'E'
63380 #define ELFMAG2 'L'
63381@@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
63382 #define elf_phdr elf32_phdr
63383 #define elf_note elf32_note
63384 #define elf_addr_t Elf32_Off
63385+#define elf_dyn Elf32_Dyn
63386
63387 #else
63388
63389@@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
63390 #define elf_phdr elf64_phdr
63391 #define elf_note elf64_note
63392 #define elf_addr_t Elf64_Off
63393+#define elf_dyn Elf64_Dyn
63394
63395 #endif
63396
63397diff -urNp linux-2.6.32.48/include/linux/fscache-cache.h linux-2.6.32.48/include/linux/fscache-cache.h
63398--- linux-2.6.32.48/include/linux/fscache-cache.h 2011-11-08 19:02:43.000000000 -0500
63399+++ linux-2.6.32.48/include/linux/fscache-cache.h 2011-11-15 19:59:43.000000000 -0500
63400@@ -116,7 +116,7 @@ struct fscache_operation {
63401 #endif
63402 };
63403
63404-extern atomic_t fscache_op_debug_id;
63405+extern atomic_unchecked_t fscache_op_debug_id;
63406 extern const struct slow_work_ops fscache_op_slow_work_ops;
63407
63408 extern void fscache_enqueue_operation(struct fscache_operation *);
63409@@ -134,7 +134,7 @@ static inline void fscache_operation_ini
63410 fscache_operation_release_t release)
63411 {
63412 atomic_set(&op->usage, 1);
63413- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
63414+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
63415 op->release = release;
63416 INIT_LIST_HEAD(&op->pend_link);
63417 fscache_set_op_state(op, "Init");
63418diff -urNp linux-2.6.32.48/include/linux/fs.h linux-2.6.32.48/include/linux/fs.h
63419--- linux-2.6.32.48/include/linux/fs.h 2011-11-08 19:02:43.000000000 -0500
63420+++ linux-2.6.32.48/include/linux/fs.h 2011-11-15 19:59:43.000000000 -0500
63421@@ -90,6 +90,11 @@ struct inodes_stat_t {
63422 /* Expect random access pattern */
63423 #define FMODE_RANDOM ((__force fmode_t)4096)
63424
63425+/* Hack for grsec so as not to require read permission simply to execute
63426+ * a binary
63427+ */
63428+#define FMODE_GREXEC ((__force fmode_t)0x2000000)
63429+
63430 /*
63431 * The below are the various read and write types that we support. Some of
63432 * them include behavioral modifiers that send information down to the
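Review bot: `FMODE_GREXEC` takes bit 25 of `fmode_t` (`0x2000000`) with nothing marking that bit as reserved against later upstream `FMODE_*` additions. The comment calls it a hack but does not say which code sets the flag or which permission check honours it. Because the flag exists to skip a read-permission requirement, the comment should state that it is kernel-internal and set only on the exec path, presumably never derived from userspace open flags (confirm against the callers). Writing the value in the same form as the neighbouring defines (`4096` is decimal here) would also make a collision easier to spot.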
63433@@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
63434 unsigned long, unsigned long);
63435
63436 struct address_space_operations {
63437- int (*writepage)(struct page *page, struct writeback_control *wbc);
63438- int (*readpage)(struct file *, struct page *);
63439- void (*sync_page)(struct page *);
63440+ int (* const writepage)(struct page *page, struct writeback_control *wbc);
63441+ int (* const readpage)(struct file *, struct page *);
63442+ void (* const sync_page)(struct page *);
63443
63444 /* Write back some dirty pages from this mapping. */
63445- int (*writepages)(struct address_space *, struct writeback_control *);
63446+ int (* const writepages)(struct address_space *, struct writeback_control *);
63447
63448 /* Set a page dirty. Return true if this dirtied it */
63449- int (*set_page_dirty)(struct page *page);
63450+ int (* const set_page_dirty)(struct page *page);
63451
63452- int (*readpages)(struct file *filp, struct address_space *mapping,
63453+ int (* const readpages)(struct file *filp, struct address_space *mapping,
63454 struct list_head *pages, unsigned nr_pages);
63455
63456- int (*write_begin)(struct file *, struct address_space *mapping,
63457+ int (* const write_begin)(struct file *, struct address_space *mapping,
63458 loff_t pos, unsigned len, unsigned flags,
63459 struct page **pagep, void **fsdata);
63460- int (*write_end)(struct file *, struct address_space *mapping,
63461+ int (* const write_end)(struct file *, struct address_space *mapping,
63462 loff_t pos, unsigned len, unsigned copied,
63463 struct page *page, void *fsdata);
63464
63465 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
63466- sector_t (*bmap)(struct address_space *, sector_t);
63467- void (*invalidatepage) (struct page *, unsigned long);
63468- int (*releasepage) (struct page *, gfp_t);
63469- ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
63470+ sector_t (* const bmap)(struct address_space *, sector_t);
63471+ void (* const invalidatepage) (struct page *, unsigned long);
63472+ int (* const releasepage) (struct page *, gfp_t);
63473+ ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
63474 loff_t offset, unsigned long nr_segs);
63475- int (*get_xip_mem)(struct address_space *, pgoff_t, int,
63476+ int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
63477 void **, unsigned long *);
63478 /* migrate the contents of a page to the specified target */
63479- int (*migratepage) (struct address_space *,
63480+ int (* const migratepage) (struct address_space *,
63481 struct page *, struct page *);
63482- int (*launder_page) (struct page *);
63483- int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
63484+ int (* const launder_page) (struct page *);
63485+ int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
63486 unsigned long);
63487- int (*error_remove_page)(struct address_space *, struct page *);
63488+ int (* const error_remove_page)(struct address_space *, struct page *);
63489 };
63490
63491 /*
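Review bot: `address_space_operations` is made read-only by qualifying every member with `* const`, while `file_operations` in this file gets only a struct-level `__do_const` and `dma_map_ops` gets both. The later hunks for `file_lock_operations`, `lock_manager_operations` and `super_operations` use the per-member form as well. If `__do_const` is meant to make every instance of a struct const, using it here would replace some forty edited member lines with one annotation per struct, and it would also cover members added later. If the per-member form is deliberate, a one-line comment on the struct saying why would stop someone from "simplifying" it.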
63492@@ -1031,19 +1036,19 @@ static inline int file_check_writeable(s
63493 typedef struct files_struct *fl_owner_t;
63494
63495 struct file_lock_operations {
63496- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
63497- void (*fl_release_private)(struct file_lock *);
63498+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
63499+ void (* const fl_release_private)(struct file_lock *);
63500 };
63501
63502 struct lock_manager_operations {
63503- int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
63504- void (*fl_notify)(struct file_lock *); /* unblock callback */
63505- int (*fl_grant)(struct file_lock *, struct file_lock *, int);
63506- void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
63507- void (*fl_release_private)(struct file_lock *);
63508- void (*fl_break)(struct file_lock *);
63509- int (*fl_mylease)(struct file_lock *, struct file_lock *);
63510- int (*fl_change)(struct file_lock **, int);
63511+ int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
63512+ void (* const fl_notify)(struct file_lock *); /* unblock callback */
63513+ int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
63514+ void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
63515+ void (* const fl_release_private)(struct file_lock *);
63516+ void (* const fl_break)(struct file_lock *);
63517+ int (* const fl_mylease)(struct file_lock *, struct file_lock *);
63518+ int (* const fl_change)(struct file_lock **, int);
63519 };
63520
63521 struct lock_manager {
63522@@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
63523 unsigned int fi_flags; /* Flags as passed from user */
63524 unsigned int fi_extents_mapped; /* Number of mapped extents */
63525 unsigned int fi_extents_max; /* Size of fiemap_extent array */
63526- struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
63527+ struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
63528 * array */
63529 };
63530 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
63531@@ -1512,7 +1517,8 @@ struct file_operations {
63532 ssize_t (*splice_write)(struct pipe_inode_info *, struct file *, loff_t *, size_t, unsigned int);
63533 ssize_t (*splice_read)(struct file *, loff_t *, struct pipe_inode_info *, size_t, unsigned int);
63534 int (*setlease)(struct file *, long, struct file_lock **);
63535-};
63536+} __do_const;
63537+typedef struct file_operations __no_const file_operations_no_const;
63538
63539 struct inode_operations {
63540 int (*create) (struct inode *,struct dentry *,int, struct nameidata *);
63541@@ -1559,30 +1565,30 @@ extern ssize_t vfs_writev(struct file *,
63542 unsigned long, loff_t *);
63543
63544 struct super_operations {
63545- struct inode *(*alloc_inode)(struct super_block *sb);
63546- void (*destroy_inode)(struct inode *);
63547+ struct inode *(* const alloc_inode)(struct super_block *sb);
63548+ void (* const destroy_inode)(struct inode *);
63549
63550- void (*dirty_inode) (struct inode *);
63551- int (*write_inode) (struct inode *, int);
63552- void (*drop_inode) (struct inode *);
63553- void (*delete_inode) (struct inode *);
63554- void (*put_super) (struct super_block *);
63555- void (*write_super) (struct super_block *);
63556- int (*sync_fs)(struct super_block *sb, int wait);
63557- int (*freeze_fs) (struct super_block *);
63558- int (*unfreeze_fs) (struct super_block *);
63559- int (*statfs) (struct dentry *, struct kstatfs *);
63560- int (*remount_fs) (struct super_block *, int *, char *);
63561- void (*clear_inode) (struct inode *);
63562- void (*umount_begin) (struct super_block *);
63563+ void (* const dirty_inode) (struct inode *);
63564+ int (* const write_inode) (struct inode *, int);
63565+ void (* const drop_inode) (struct inode *);
63566+ void (* const delete_inode) (struct inode *);
63567+ void (* const put_super) (struct super_block *);
63568+ void (* const write_super) (struct super_block *);
63569+ int (* const sync_fs)(struct super_block *sb, int wait);
63570+ int (* const freeze_fs) (struct super_block *);
63571+ int (* const unfreeze_fs) (struct super_block *);
63572+ int (* const statfs) (struct dentry *, struct kstatfs *);
63573+ int (* const remount_fs) (struct super_block *, int *, char *);
63574+ void (* const clear_inode) (struct inode *);
63575+ void (* const umount_begin) (struct super_block *);
63576
63577- int (*show_options)(struct seq_file *, struct vfsmount *);
63578- int (*show_stats)(struct seq_file *, struct vfsmount *);
63579+ int (* const show_options)(struct seq_file *, struct vfsmount *);
63580+ int (* const show_stats)(struct seq_file *, struct vfsmount *);
63581 #ifdef CONFIG_QUOTA
63582- ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
63583- ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
63584+ ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
63585+ ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
63586 #endif
63587- int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
63588+ int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
63589 };
63590
63591 /*
63592diff -urNp linux-2.6.32.48/include/linux/fs_struct.h linux-2.6.32.48/include/linux/fs_struct.h
63593--- linux-2.6.32.48/include/linux/fs_struct.h 2011-11-08 19:02:43.000000000 -0500
63594+++ linux-2.6.32.48/include/linux/fs_struct.h 2011-11-15 19:59:43.000000000 -0500
63595@@ -4,7 +4,7 @@
63596 #include <linux/path.h>
63597
63598 struct fs_struct {
63599- int users;
63600+ atomic_t users;
63601 rwlock_t lock;
63602 int umask;
63603 int in_exec;
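Review bot: `users` becomes an `atomic_t` but still sits directly above `lock`, which presumably guarded the old plain `int`, and the struct carries no comment on which of the two now protects the count. Code that tests `users` and then acts on `in_exec` or the paths under the lock needs to know whether the atomic type replaces the lock for this field or only hardens the counter. I would annotate the member, for example `atomic_t users; /* reference count; state whether fs->lock is still required */`, filled in from the call sites. The rest of `struct fs_struct` lies outside this hunk.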
63604diff -urNp linux-2.6.32.48/include/linux/ftrace_event.h linux-2.6.32.48/include/linux/ftrace_event.h
63605--- linux-2.6.32.48/include/linux/ftrace_event.h 2011-11-08 19:02:43.000000000 -0500
63606+++ linux-2.6.32.48/include/linux/ftrace_event.h 2011-11-15 19:59:43.000000000 -0500
63607@@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
63608 int filter_type);
63609 extern int trace_define_common_fields(struct ftrace_event_call *call);
63610
63611-#define is_signed_type(type) (((type)(-1)) < 0)
63612+#define is_signed_type(type) (((type)(-1)) < (type)1)
63613
63614 int trace_set_clr_event(const char *system, const char *event, int set);
63615
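Review bot: The rewritten `is_signed_type` gives no reason for comparing against `(type)1` instead of `0`, and without one it looks like a typo that a later cleanup could revert. Both forms give the same answer for integer types, so the change is presumably there to avoid an always-false comparison warning on unsigned types. A comment would record that, for example `/* compare with (type)1, not 0: avoids "comparison is always false" on unsigned types */`.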
63616diff -urNp linux-2.6.32.48/include/linux/genhd.h linux-2.6.32.48/include/linux/genhd.h
63617--- linux-2.6.32.48/include/linux/genhd.h 2011-11-08 19:02:43.000000000 -0500
63618+++ linux-2.6.32.48/include/linux/genhd.h 2011-11-15 19:59:43.000000000 -0500
63619@@ -161,7 +161,7 @@ struct gendisk {
63620
63621 struct timer_rand_state *random;
63622
63623- atomic_t sync_io; /* RAID */
63624+ atomic_unchecked_t sync_io; /* RAID */
63625 struct work_struct async_notify;
63626 #ifdef CONFIG_BLK_DEV_INTEGRITY
63627 struct blk_integrity *integrity;
63628diff -urNp linux-2.6.32.48/include/linux/gracl.h linux-2.6.32.48/include/linux/gracl.h
63629--- linux-2.6.32.48/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
63630+++ linux-2.6.32.48/include/linux/gracl.h 2011-11-15 19:59:43.000000000 -0500
63631@@ -0,0 +1,317 @@
63632+#ifndef GR_ACL_H
63633+#define GR_ACL_H
63634+
63635+#include <linux/grdefs.h>
63636+#include <linux/resource.h>
63637+#include <linux/capability.h>
63638+#include <linux/dcache.h>
63639+#include <asm/resource.h>
63640+
63641+/* Major status information */
63642+
63643+#define GR_VERSION "grsecurity 2.2.2"
63644+#define GRSECURITY_VERSION 0x2202
63645+
63646+enum {
63647+ GR_SHUTDOWN = 0,
63648+ GR_ENABLE = 1,
63649+ GR_SPROLE = 2,
63650+ GR_RELOAD = 3,
63651+ GR_SEGVMOD = 4,
63652+ GR_STATUS = 5,
63653+ GR_UNSPROLE = 6,
63654+ GR_PASSSET = 7,
63655+ GR_SPROLEPAM = 8,
63656+};
63657+
63658+/* Password setup definitions
63659+ * kernel/grhash.c */
63660+enum {
63661+ GR_PW_LEN = 128,
63662+ GR_SALT_LEN = 16,
63663+ GR_SHA_LEN = 32,
63664+};
63665+
63666+enum {
63667+ GR_SPROLE_LEN = 64,
63668+};
63669+
63670+enum {
63671+ GR_NO_GLOB = 0,
63672+ GR_REG_GLOB,
63673+ GR_CREATE_GLOB
63674+};
63675+
63676+#define GR_NLIMITS 32
63677+
63678+/* Begin Data Structures */
63679+
63680+struct sprole_pw {
63681+ unsigned char *rolename;
63682+ unsigned char salt[GR_SALT_LEN];
63683+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
63684+};
63685+
63686+struct name_entry {
63687+ __u32 key;
63688+ ino_t inode;
63689+ dev_t device;
63690+ char *name;
63691+ __u16 len;
63692+ __u8 deleted;
63693+ struct name_entry *prev;
63694+ struct name_entry *next;
63695+};
63696+
63697+struct inodev_entry {
63698+ struct name_entry *nentry;
63699+ struct inodev_entry *prev;
63700+ struct inodev_entry *next;
63701+};
63702+
63703+struct acl_role_db {
63704+ struct acl_role_label **r_hash;
63705+ __u32 r_size;
63706+};
63707+
63708+struct inodev_db {
63709+ struct inodev_entry **i_hash;
63710+ __u32 i_size;
63711+};
63712+
63713+struct name_db {
63714+ struct name_entry **n_hash;
63715+ __u32 n_size;
63716+};
63717+
63718+struct crash_uid {
63719+ uid_t uid;
63720+ unsigned long expires;
63721+};
63722+
63723+struct gr_hash_struct {
63724+ void **table;
63725+ void **nametable;
63726+ void *first;
63727+ __u32 table_size;
63728+ __u32 used_size;
63729+ int type;
63730+};
63731+
63732+/* Userspace Grsecurity ACL data structures */
63733+
63734+struct acl_subject_label {
63735+ char *filename;
63736+ ino_t inode;
63737+ dev_t device;
63738+ __u32 mode;
63739+ kernel_cap_t cap_mask;
63740+ kernel_cap_t cap_lower;
63741+ kernel_cap_t cap_invert_audit;
63742+
63743+ struct rlimit res[GR_NLIMITS];
63744+ __u32 resmask;
63745+
63746+ __u8 user_trans_type;
63747+ __u8 group_trans_type;
63748+ uid_t *user_transitions;
63749+ gid_t *group_transitions;
63750+ __u16 user_trans_num;
63751+ __u16 group_trans_num;
63752+
63753+ __u32 sock_families[2];
63754+ __u32 ip_proto[8];
63755+ __u32 ip_type;
63756+ struct acl_ip_label **ips;
63757+ __u32 ip_num;
63758+ __u32 inaddr_any_override;
63759+
63760+ __u32 crashes;
63761+ unsigned long expires;
63762+
63763+ struct acl_subject_label *parent_subject;
63764+ struct gr_hash_struct *hash;
63765+ struct acl_subject_label *prev;
63766+ struct acl_subject_label *next;
63767+
63768+ struct acl_object_label **obj_hash;
63769+ __u32 obj_hash_size;
63770+ __u16 pax_flags;
63771+};
63772+
63773+struct role_allowed_ip {
63774+ __u32 addr;
63775+ __u32 netmask;
63776+
63777+ struct role_allowed_ip *prev;
63778+ struct role_allowed_ip *next;
63779+};
63780+
63781+struct role_transition {
63782+ char *rolename;
63783+
63784+ struct role_transition *prev;
63785+ struct role_transition *next;
63786+};
63787+
63788+struct acl_role_label {
63789+ char *rolename;
63790+ uid_t uidgid;
63791+ __u16 roletype;
63792+
63793+ __u16 auth_attempts;
63794+ unsigned long expires;
63795+
63796+ struct acl_subject_label *root_label;
63797+ struct gr_hash_struct *hash;
63798+
63799+ struct acl_role_label *prev;
63800+ struct acl_role_label *next;
63801+
63802+ struct role_transition *transitions;
63803+ struct role_allowed_ip *allowed_ips;
63804+ uid_t *domain_children;
63805+ __u16 domain_child_num;
63806+
63807+ struct acl_subject_label **subj_hash;
63808+ __u32 subj_hash_size;
63809+};
63810+
63811+struct user_acl_role_db {
63812+ struct acl_role_label **r_table;
63813+ __u32 num_pointers; /* Number of allocations to track */
63814+ __u32 num_roles; /* Number of roles */
63815+ __u32 num_domain_children; /* Number of domain children */
63816+ __u32 num_subjects; /* Number of subjects */
63817+ __u32 num_objects; /* Number of objects */
63818+};
63819+
63820+struct acl_object_label {
63821+ char *filename;
63822+ ino_t inode;
63823+ dev_t device;
63824+ __u32 mode;
63825+
63826+ struct acl_subject_label *nested;
63827+ struct acl_object_label *globbed;
63828+
63829+ /* next two structures not used */
63830+
63831+ struct acl_object_label *prev;
63832+ struct acl_object_label *next;
63833+};
63834+
63835+struct acl_ip_label {
63836+ char *iface;
63837+ __u32 addr;
63838+ __u32 netmask;
63839+ __u16 low, high;
63840+ __u8 mode;
63841+ __u32 type;
63842+ __u32 proto[8];
63843+
63844+ /* next two structures not used */
63845+
63846+ struct acl_ip_label *prev;
63847+ struct acl_ip_label *next;
63848+};
63849+
63850+struct gr_arg {
63851+ struct user_acl_role_db role_db;
63852+ unsigned char pw[GR_PW_LEN];
63853+ unsigned char salt[GR_SALT_LEN];
63854+ unsigned char sum[GR_SHA_LEN];
63855+ unsigned char sp_role[GR_SPROLE_LEN];
63856+ struct sprole_pw *sprole_pws;
63857+ dev_t segv_device;
63858+ ino_t segv_inode;
63859+ uid_t segv_uid;
63860+ __u16 num_sprole_pws;
63861+ __u16 mode;
63862+};
63863+
63864+struct gr_arg_wrapper {
63865+ struct gr_arg *arg;
63866+ __u32 version;
63867+ __u32 size;
63868+};
63869+
63870+struct subject_map {
63871+ struct acl_subject_label *user;
63872+ struct acl_subject_label *kernel;
63873+ struct subject_map *prev;
63874+ struct subject_map *next;
63875+};
63876+
63877+struct acl_subj_map_db {
63878+ struct subject_map **s_hash;
63879+ __u32 s_size;
63880+};
63881+
63882+/* End Data Structures Section */
63883+
63884+/* Hash functions generated by empirical testing by Brad Spengler
63885+ Makes good use of the low bits of the inode. Generally 0-1 times
63886+ in loop for successful match. 0-3 for unsuccessful match.
63887+ Shift/add algorithm with modulus of table size and an XOR*/
63888+
63889+static __inline__ unsigned int
63890+rhash(const uid_t uid, const __u16 type, const unsigned int sz)
63891+{
63892+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
63893+}
63894+
63895+ static __inline__ unsigned int
63896+shash(const struct acl_subject_label *userp, const unsigned int sz)
63897+{
63898+ return ((const unsigned long)userp % sz);
63899+}
63900+
63901+static __inline__ unsigned int
63902+fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
63903+{
63904+ return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
63905+}
63906+
63907+static __inline__ unsigned int
63908+nhash(const char *name, const __u16 len, const unsigned int sz)
63909+{
63910+ return full_name_hash((const unsigned char *)name, len) % sz;
63911+}
63912+
63913+#define FOR_EACH_ROLE_START(role) \
63914+ role = role_list; \
63915+ while (role) {
63916+
63917+#define FOR_EACH_ROLE_END(role) \
63918+ role = role->prev; \
63919+ }
63920+
63921+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
63922+ subj = NULL; \
63923+ iter = 0; \
63924+ while (iter < role->subj_hash_size) { \
63925+ if (subj == NULL) \
63926+ subj = role->subj_hash[iter]; \
63927+ if (subj == NULL) { \
63928+ iter++; \
63929+ continue; \
63930+ }
63931+
63932+#define FOR_EACH_SUBJECT_END(subj,iter) \
63933+ subj = subj->next; \
63934+ if (subj == NULL) \
63935+ iter++; \
63936+ }
63937+
63938+
63939+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
63940+ subj = role->hash->first; \
63941+ while (subj != NULL) {
63942+
63943+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
63944+ subj = subj->next; \
63945+ }
63946+
63947+#endif
63948+
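Review bot: `rhash()` shifts by `16 + type`, which is undefined once `type` reaches 16 on a 32-bit `unsigned int`, and all four hash helpers (`rhash`, `shash`, `fhash`, `nhash`) take `% sz` with no guard against `sz == 0`. The role-type flags in grdefs.h go up to `0x800`, so nothing in this header keeps a raw `roletype` out of the shift. The callers are not in this hunk and may already mask it. The table sizes presumably derive from the counts in `struct user_acl_role_db`, which arrives from userspace, so the non-zero requirement deserves to be stated. I would bound the shift with `(uid + type) << (16 + (type & 15))` and add `/* sz must be non-zero; callers validate table sizes before hashing */` above the helpers.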
63949diff -urNp linux-2.6.32.48/include/linux/gralloc.h linux-2.6.32.48/include/linux/gralloc.h
63950--- linux-2.6.32.48/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
63951+++ linux-2.6.32.48/include/linux/gralloc.h 2011-11-15 19:59:43.000000000 -0500
63952@@ -0,0 +1,9 @@
63953+#ifndef __GRALLOC_H
63954+#define __GRALLOC_H
63955+
63956+void acl_free_all(void);
63957+int acl_alloc_stack_init(unsigned long size);
63958+void *acl_alloc(unsigned long len);
63959+void *acl_alloc_num(unsigned long num, unsigned long len);
63960+
63961+#endif
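Review bot: The four prototypes in this new header carry no contract, and `acl_alloc_num(num, len)` in particular does not say whether it rejects a `num * len` product that overflows `unsigned long`. The implementation is not in this hunk, so this cannot be checked here. If the counts it is called with come from a loaded policy, that check separates a failed allocation from an undersized one. Add a comment block stating that `acl_alloc` and `acl_alloc_num` return NULL on failure, that `acl_alloc_num` fails on multiplication overflow, and that memory is released only through `acl_free_all()`.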
63962diff -urNp linux-2.6.32.48/include/linux/grdefs.h linux-2.6.32.48/include/linux/grdefs.h
63963--- linux-2.6.32.48/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
63964+++ linux-2.6.32.48/include/linux/grdefs.h 2011-11-15 19:59:43.000000000 -0500
63965@@ -0,0 +1,140 @@
63966+#ifndef GRDEFS_H
63967+#define GRDEFS_H
63968+
63969+/* Begin grsecurity status declarations */
63970+
63971+enum {
63972+ GR_READY = 0x01,
63973+ GR_STATUS_INIT = 0x00 // disabled state
63974+};
63975+
63976+/* Begin ACL declarations */
63977+
63978+/* Role flags */
63979+
63980+enum {
63981+ GR_ROLE_USER = 0x0001,
63982+ GR_ROLE_GROUP = 0x0002,
63983+ GR_ROLE_DEFAULT = 0x0004,
63984+ GR_ROLE_SPECIAL = 0x0008,
63985+ GR_ROLE_AUTH = 0x0010,
63986+ GR_ROLE_NOPW = 0x0020,
63987+ GR_ROLE_GOD = 0x0040,
63988+ GR_ROLE_LEARN = 0x0080,
63989+ GR_ROLE_TPE = 0x0100,
63990+ GR_ROLE_DOMAIN = 0x0200,
63991+ GR_ROLE_PAM = 0x0400,
63992+ GR_ROLE_PERSIST = 0x800
63993+};
63994+
63995+/* ACL Subject and Object mode flags */
63996+enum {
63997+ GR_DELETED = 0x80000000
63998+};
63999+
64000+/* ACL Object-only mode flags */
64001+enum {
64002+ GR_READ = 0x00000001,
64003+ GR_APPEND = 0x00000002,
64004+ GR_WRITE = 0x00000004,
64005+ GR_EXEC = 0x00000008,
64006+ GR_FIND = 0x00000010,
64007+ GR_INHERIT = 0x00000020,
64008+ GR_SETID = 0x00000040,
64009+ GR_CREATE = 0x00000080,
64010+ GR_DELETE = 0x00000100,
64011+ GR_LINK = 0x00000200,
64012+ GR_AUDIT_READ = 0x00000400,
64013+ GR_AUDIT_APPEND = 0x00000800,
64014+ GR_AUDIT_WRITE = 0x00001000,
64015+ GR_AUDIT_EXEC = 0x00002000,
64016+ GR_AUDIT_FIND = 0x00004000,
64017+ GR_AUDIT_INHERIT= 0x00008000,
64018+ GR_AUDIT_SETID = 0x00010000,
64019+ GR_AUDIT_CREATE = 0x00020000,
64020+ GR_AUDIT_DELETE = 0x00040000,
64021+ GR_AUDIT_LINK = 0x00080000,
64022+ GR_PTRACERD = 0x00100000,
64023+ GR_NOPTRACE = 0x00200000,
64024+ GR_SUPPRESS = 0x00400000,
64025+ GR_NOLEARN = 0x00800000,
64026+ GR_INIT_TRANSFER= 0x01000000
64027+};
64028+
64029+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
64030+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
64031+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
64032+
64033+/* ACL subject-only mode flags */
64034+enum {
64035+ GR_KILL = 0x00000001,
64036+ GR_VIEW = 0x00000002,
64037+ GR_PROTECTED = 0x00000004,
64038+ GR_LEARN = 0x00000008,
64039+ GR_OVERRIDE = 0x00000010,
64040+ /* just a placeholder, this mode is only used in userspace */
64041+ GR_DUMMY = 0x00000020,
64042+ GR_PROTSHM = 0x00000040,
64043+ GR_KILLPROC = 0x00000080,
64044+ GR_KILLIPPROC = 0x00000100,
64045+ /* just a placeholder, this mode is only used in userspace */
64046+ GR_NOTROJAN = 0x00000200,
64047+ GR_PROTPROCFD = 0x00000400,
64048+ GR_PROCACCT = 0x00000800,
64049+ GR_RELAXPTRACE = 0x00001000,
64050+ GR_NESTED = 0x00002000,
64051+ GR_INHERITLEARN = 0x00004000,
64052+ GR_PROCFIND = 0x00008000,
64053+ GR_POVERRIDE = 0x00010000,
64054+ GR_KERNELAUTH = 0x00020000,
64055+ GR_ATSECURE = 0x00040000,
64056+ GR_SHMEXEC = 0x00080000
64057+};
64058+
64059+enum {
64060+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
64061+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
64062+ GR_PAX_ENABLE_MPROTECT = 0x0004,
64063+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
64064+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
64065+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
64066+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
64067+ GR_PAX_DISABLE_MPROTECT = 0x0400,
64068+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
64069+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
64070+};
64071+
64072+enum {
64073+ GR_ID_USER = 0x01,
64074+ GR_ID_GROUP = 0x02,
64075+};
64076+
64077+enum {
64078+ GR_ID_ALLOW = 0x01,
64079+ GR_ID_DENY = 0x02,
64080+};
64081+
64082+#define GR_CRASH_RES 31
64083+#define GR_UIDTABLE_MAX 500
64084+
64085+/* begin resource learning section */
64086+enum {
64087+ GR_RLIM_CPU_BUMP = 60,
64088+ GR_RLIM_FSIZE_BUMP = 50000,
64089+ GR_RLIM_DATA_BUMP = 10000,
64090+ GR_RLIM_STACK_BUMP = 1000,
64091+ GR_RLIM_CORE_BUMP = 10000,
64092+ GR_RLIM_RSS_BUMP = 500000,
64093+ GR_RLIM_NPROC_BUMP = 1,
64094+ GR_RLIM_NOFILE_BUMP = 5,
64095+ GR_RLIM_MEMLOCK_BUMP = 50000,
64096+ GR_RLIM_AS_BUMP = 500000,
64097+ GR_RLIM_LOCKS_BUMP = 2,
64098+ GR_RLIM_SIGPENDING_BUMP = 5,
64099+ GR_RLIM_MSGQUEUE_BUMP = 10000,
64100+ GR_RLIM_NICE_BUMP = 1,
64101+ GR_RLIM_RTPRIO_BUMP = 1,
64102+ GR_RLIM_RTTIME_BUMP = 1000000
64103+};
64104+
64105+#endif
64106diff -urNp linux-2.6.32.48/include/linux/grinternal.h linux-2.6.32.48/include/linux/grinternal.h
64107--- linux-2.6.32.48/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
64108+++ linux-2.6.32.48/include/linux/grinternal.h 2011-11-15 19:59:43.000000000 -0500
64109@@ -0,0 +1,218 @@
64110+#ifndef __GRINTERNAL_H
64111+#define __GRINTERNAL_H
64112+
64113+#ifdef CONFIG_GRKERNSEC
64114+
64115+#include <linux/fs.h>
64116+#include <linux/mnt_namespace.h>
64117+#include <linux/nsproxy.h>
64118+#include <linux/gracl.h>
64119+#include <linux/grdefs.h>
64120+#include <linux/grmsg.h>
64121+
64122+void gr_add_learn_entry(const char *fmt, ...)
64123+ __attribute__ ((format (printf, 1, 2)));
64124+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
64125+ const struct vfsmount *mnt);
64126+__u32 gr_check_create(const struct dentry *new_dentry,
64127+ const struct dentry *parent,
64128+ const struct vfsmount *mnt, const __u32 mode);
64129+int gr_check_protected_task(const struct task_struct *task);
64130+__u32 to_gr_audit(const __u32 reqmode);
64131+int gr_set_acls(const int type);
64132+int gr_apply_subject_to_task(struct task_struct *task);
64133+int gr_acl_is_enabled(void);
64134+char gr_roletype_to_char(void);
64135+
64136+void gr_handle_alertkill(struct task_struct *task);
64137+char *gr_to_filename(const struct dentry *dentry,
64138+ const struct vfsmount *mnt);
64139+char *gr_to_filename1(const struct dentry *dentry,
64140+ const struct vfsmount *mnt);
64141+char *gr_to_filename2(const struct dentry *dentry,
64142+ const struct vfsmount *mnt);
64143+char *gr_to_filename3(const struct dentry *dentry,
64144+ const struct vfsmount *mnt);
64145+
64146+extern int grsec_enable_harden_ptrace;
64147+extern int grsec_enable_link;
64148+extern int grsec_enable_fifo;
64149+extern int grsec_enable_shm;
64150+extern int grsec_enable_execlog;
64151+extern int grsec_enable_signal;
64152+extern int grsec_enable_audit_ptrace;
64153+extern int grsec_enable_forkfail;
64154+extern int grsec_enable_time;
64155+extern int grsec_enable_rofs;
64156+extern int grsec_enable_chroot_shmat;
64157+extern int grsec_enable_chroot_mount;
64158+extern int grsec_enable_chroot_double;
64159+extern int grsec_enable_chroot_pivot;
64160+extern int grsec_enable_chroot_chdir;
64161+extern int grsec_enable_chroot_chmod;
64162+extern int grsec_enable_chroot_mknod;
64163+extern int grsec_enable_chroot_fchdir;
64164+extern int grsec_enable_chroot_nice;
64165+extern int grsec_enable_chroot_execlog;
64166+extern int grsec_enable_chroot_caps;
64167+extern int grsec_enable_chroot_sysctl;
64168+extern int grsec_enable_chroot_unix;
64169+extern int grsec_enable_tpe;
64170+extern int grsec_tpe_gid;
64171+extern int grsec_enable_tpe_all;
64172+extern int grsec_enable_tpe_invert;
64173+extern int grsec_enable_socket_all;
64174+extern int grsec_socket_all_gid;
64175+extern int grsec_enable_socket_client;
64176+extern int grsec_socket_client_gid;
64177+extern int grsec_enable_socket_server;
64178+extern int grsec_socket_server_gid;
64179+extern int grsec_audit_gid;
64180+extern int grsec_enable_group;
64181+extern int grsec_enable_audit_textrel;
64182+extern int grsec_enable_log_rwxmaps;
64183+extern int grsec_enable_mount;
64184+extern int grsec_enable_chdir;
64185+extern int grsec_resource_logging;
64186+extern int grsec_enable_blackhole;
64187+extern int grsec_lastack_retries;
64188+extern int grsec_enable_brute;
64189+extern int grsec_lock;
64190+
64191+extern spinlock_t grsec_alert_lock;
64192+extern unsigned long grsec_alert_wtime;
64193+extern unsigned long grsec_alert_fyet;
64194+
64195+extern spinlock_t grsec_audit_lock;
64196+
64197+extern rwlock_t grsec_exec_file_lock;
64198+
64199+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
64200+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
64201+ (tsk)->exec_file->f_vfsmnt) : "/")
64202+
64203+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
64204+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
64205+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
64206+
64207+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
64208+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
64209+ (tsk)->exec_file->f_vfsmnt) : "/")
64210+
64211+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
64212+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
64213+ (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
64214+
64215+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
64216+
64217+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
64218+
64219+#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
64220+ (task)->pid, (cred)->uid, \
64221+ (cred)->euid, (cred)->gid, (cred)->egid, \
64222+ gr_parent_task_fullpath(task), \
64223+ (task)->real_parent->comm, (task)->real_parent->pid, \
64224+ (pcred)->uid, (pcred)->euid, \
64225+ (pcred)->gid, (pcred)->egid
64226+
64227+#define GR_CHROOT_CAPS {{ \
64228+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
64229+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
64230+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
64231+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
64232+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
64233+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
64234+ CAP_TO_MASK(CAP_MAC_ADMIN) }}
64235+
64236+#define security_learn(normal_msg,args...) \
64237+({ \
64238+ read_lock(&grsec_exec_file_lock); \
64239+ gr_add_learn_entry(normal_msg "\n", ## args); \
64240+ read_unlock(&grsec_exec_file_lock); \
64241+})
64242+
64243+enum {
64244+ GR_DO_AUDIT,
64245+ GR_DONT_AUDIT,
64246+ GR_DONT_AUDIT_GOOD
64247+};
64248+
64249+enum {
64250+ GR_TTYSNIFF,
64251+ GR_RBAC,
64252+ GR_RBAC_STR,
64253+ GR_STR_RBAC,
64254+ GR_RBAC_MODE2,
64255+ GR_RBAC_MODE3,
64256+ GR_FILENAME,
64257+ GR_SYSCTL_HIDDEN,
64258+ GR_NOARGS,
64259+ GR_ONE_INT,
64260+ GR_ONE_INT_TWO_STR,
64261+ GR_ONE_STR,
64262+ GR_STR_INT,
64263+ GR_TWO_STR_INT,
64264+ GR_TWO_INT,
64265+ GR_TWO_U64,
64266+ GR_THREE_INT,
64267+ GR_FIVE_INT_TWO_STR,
64268+ GR_TWO_STR,
64269+ GR_THREE_STR,
64270+ GR_FOUR_STR,
64271+ GR_STR_FILENAME,
64272+ GR_FILENAME_STR,
64273+ GR_FILENAME_TWO_INT,
64274+ GR_FILENAME_TWO_INT_STR,
64275+ GR_TEXTREL,
64276+ GR_PTRACE,
64277+ GR_RESOURCE,
64278+ GR_CAP,
64279+ GR_SIG,
64280+ GR_SIG2,
64281+ GR_CRASH1,
64282+ GR_CRASH2,
64283+ GR_PSACCT,
64284+ GR_RWXMAP
64285+};
64286+
64287+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
64288+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
64289+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
64290+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
64291+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
64292+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
64293+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
64294+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
64295+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
64296+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
64297+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
64298+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
64299+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
64300+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
64301+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
64302+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
64303+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
64304+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
64305+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
64306+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
64307+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
64308+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
64309+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
64310+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
64311+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
64312+#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
64313+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
64314+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
64315+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
64316+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
64317+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
64318+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
64319+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
64320+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
64321+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
64322+
64323+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
64324+
64325+#endif
64326+
64327+#endif
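Review bot: `gr_log_varargs(int audit, const char *msg, int argtypes, ...)` has no compile-time check tying the `argtypes` tag to the arguments the wrapper macros forward, unlike `gr_add_learn_entry`, which carries `__attribute__ ((format (printf, 1, 2)))`. The wrappers already show how the two can drift: `gr_log_int5_str2` forwards two numbers and two strings under the tag `GR_FIVE_INT_TWO_STR`. The function body is outside this hunk, so whether any tag reads more arguments than its macro passes cannot be confirmed here. I would add a short comment beside each enum value listing the argument types that tag consumes, e.g. `GR_STR_INT, /* const char *, int */` (types to be confirmed against the implementation), and check every `gr_log_*` macro against it.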
64328diff -urNp linux-2.6.32.48/include/linux/grmsg.h linux-2.6.32.48/include/linux/grmsg.h
64329--- linux-2.6.32.48/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
64330+++ linux-2.6.32.48/include/linux/grmsg.h 2011-11-15 19:59:43.000000000 -0500
64331@@ -0,0 +1,108 @@
64332+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
64333+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
64334+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
64335+#define GR_STOPMOD_MSG "denied modification of module state by "
64336+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
64337+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
64338+#define GR_IOPERM_MSG "denied use of ioperm() by "
64339+#define GR_IOPL_MSG "denied use of iopl() by "
64340+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
64341+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
64342+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
64343+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
64344+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
64345+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
64346+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
64347+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
64348+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
64349+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
64350+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
64351+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
64352+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
64353+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
64354+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
64355+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
64356+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
64357+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
64358+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
64359+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
64360+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
64361+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
64362+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
64363+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
64364+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
64365+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
64366+#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
64367+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
64368+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
64369+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
64370+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
64371+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
64372+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
64373+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
64374+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
64375+#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
64376+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
64377+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
64378+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
64379+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
64380+#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
64381+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
64382+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
64383+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
64384+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
64385+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
64386+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
64387+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
64388+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
64389+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
64390+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
64391+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
64392+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
64393+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
64394+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
64395+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
64396+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
64397+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
64398+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
64399+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
64400+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
64401+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
64402+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
64403+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
64404+#define GR_FAILFORK_MSG "failed fork with errno %s by "
64405+#define GR_NICE_CHROOT_MSG "denied priority change by "
64406+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
64407+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
64408+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
64409+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
64410+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
64411+#define GR_TIME_MSG "time set by "
64412+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
64413+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
64414+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
64415+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
64416+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
64417+#define GR_BIND_MSG "denied bind() by "
64418+#define GR_CONNECT_MSG "denied connect() by "
64419+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
64420+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
64421+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
64422+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
64423+#define GR_CAP_ACL_MSG "use of %s denied for "
64424+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
64425+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
64426+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
64427+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
64428+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
64429+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
64430+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
64431+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
64432+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
64433+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
64434+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
64435+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
64436+#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
64437+#define GR_VM86_MSG "denied use of vm86 by "
64438+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
64439+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
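Review bot: Several format strings take an unbounded `%s` where the neighbouring messages cap every string with a precision such as `%.950s`: `GR_TEXTREL_AUDIT_MSG`, `GR_SPROLES_ACL_MSG`, `GR_SPROLEL_ACL_MSG`, `GR_SPROLEF_ACL_MSG` and `GR_CAP_ACL_MSG`. If any of those arguments is a path or a policy-supplied name, its length is not limited by the format the way the others are. The code that formats and stores these messages is outside this hunk, so that has to be confirmed there. For consistency I would write `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "` and bound the role-name conversions the same way. Separately, this header has no include guard, while `grinternal.h` and `grsecurity.h` in the same patch both have one.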
64440diff -urNp linux-2.6.32.48/include/linux/grsecurity.h linux-2.6.32.48/include/linux/grsecurity.h
64441--- linux-2.6.32.48/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
64442+++ linux-2.6.32.48/include/linux/grsecurity.h 2011-11-15 19:59:43.000000000 -0500
64443@@ -0,0 +1,218 @@
64444+#ifndef GR_SECURITY_H
64445+#define GR_SECURITY_H
64446+#include <linux/fs.h>
64447+#include <linux/fs_struct.h>
64448+#include <linux/binfmts.h>
64449+#include <linux/gracl.h>
64450+#include <linux/compat.h>
64451+
64452+/* notify of brain-dead configs */
64453+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
64454+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
64455+#endif
64456+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
64457+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
64458+#endif
64459+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
64460+#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
64461+#endif
64462+#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
64463+#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
64464+#endif
64465+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
64466+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
64467+#endif
64468+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
64469+#error "CONFIG_PAX enabled, but no PaX options are enabled."
64470+#endif
64471+
64472+void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
64473+void gr_handle_brute_check(void);
64474+void gr_handle_kernel_exploit(void);
64475+int gr_process_user_ban(void);
64476+
64477+char gr_roletype_to_char(void);
64478+
64479+int gr_acl_enable_at_secure(void);
64480+
64481+int gr_check_user_change(int real, int effective, int fs);
64482+int gr_check_group_change(int real, int effective, int fs);
64483+
64484+void gr_del_task_from_ip_table(struct task_struct *p);
64485+
64486+int gr_pid_is_chrooted(struct task_struct *p);
64487+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
64488+int gr_handle_chroot_nice(void);
64489+int gr_handle_chroot_sysctl(const int op);
64490+int gr_handle_chroot_setpriority(struct task_struct *p,
64491+ const int niceval);
64492+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
64493+int gr_handle_chroot_chroot(const struct dentry *dentry,
64494+ const struct vfsmount *mnt);
64495+void gr_handle_chroot_chdir(struct path *path);
64496+int gr_handle_chroot_chmod(const struct dentry *dentry,
64497+ const struct vfsmount *mnt, const int mode);
64498+int gr_handle_chroot_mknod(const struct dentry *dentry,
64499+ const struct vfsmount *mnt, const int mode);
64500+int gr_handle_chroot_mount(const struct dentry *dentry,
64501+ const struct vfsmount *mnt,
64502+ const char *dev_name);
64503+int gr_handle_chroot_pivot(void);
64504+int gr_handle_chroot_unix(const pid_t pid);
64505+
64506+int gr_handle_rawio(const struct inode *inode);
64507+
64508+void gr_handle_ioperm(void);
64509+void gr_handle_iopl(void);
64510+
64511+int gr_tpe_allow(const struct file *file);
64512+
64513+void gr_set_chroot_entries(struct task_struct *task, struct path *path);
64514+void gr_clear_chroot_entries(struct task_struct *task);
64515+
64516+void gr_log_forkfail(const int retval);
64517+void gr_log_timechange(void);
64518+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
64519+void gr_log_chdir(const struct dentry *dentry,
64520+ const struct vfsmount *mnt);
64521+void gr_log_chroot_exec(const struct dentry *dentry,
64522+ const struct vfsmount *mnt);
64523+void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
64524+#ifdef CONFIG_COMPAT
64525+void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
64526+#endif
64527+void gr_log_remount(const char *devname, const int retval);
64528+void gr_log_unmount(const char *devname, const int retval);
64529+void gr_log_mount(const char *from, const char *to, const int retval);
64530+void gr_log_textrel(struct vm_area_struct *vma);
64531+void gr_log_rwxmmap(struct file *file);
64532+void gr_log_rwxmprotect(struct file *file);
64533+
64534+int gr_handle_follow_link(const struct inode *parent,
64535+ const struct inode *inode,
64536+ const struct dentry *dentry,
64537+ const struct vfsmount *mnt);
64538+int gr_handle_fifo(const struct dentry *dentry,
64539+ const struct vfsmount *mnt,
64540+ const struct dentry *dir, const int flag,
64541+ const int acc_mode);
64542+int gr_handle_hardlink(const struct dentry *dentry,
64543+ const struct vfsmount *mnt,
64544+ struct inode *inode,
64545+ const int mode, const char *to);
64546+
64547+int gr_is_capable(const int cap);
64548+int gr_is_capable_nolog(const int cap);
64549+void gr_learn_resource(const struct task_struct *task, const int limit,
64550+ const unsigned long wanted, const int gt);
64551+void gr_copy_label(struct task_struct *tsk);
64552+void gr_handle_crash(struct task_struct *task, const int sig);
64553+int gr_handle_signal(const struct task_struct *p, const int sig);
64554+int gr_check_crash_uid(const uid_t uid);
64555+int gr_check_protected_task(const struct task_struct *task);
64556+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
64557+int gr_acl_handle_mmap(const struct file *file,
64558+ const unsigned long prot);
64559+int gr_acl_handle_mprotect(const struct file *file,
64560+ const unsigned long prot);
64561+int gr_check_hidden_task(const struct task_struct *tsk);
64562+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
64563+ const struct vfsmount *mnt);
64564+__u32 gr_acl_handle_utime(const struct dentry *dentry,
64565+ const struct vfsmount *mnt);
64566+__u32 gr_acl_handle_access(const struct dentry *dentry,
64567+ const struct vfsmount *mnt, const int fmode);
64568+__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
64569+ const struct vfsmount *mnt, mode_t mode);
64570+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
64571+ const struct vfsmount *mnt, mode_t mode);
64572+__u32 gr_acl_handle_chown(const struct dentry *dentry,
64573+ const struct vfsmount *mnt);
64574+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
64575+ const struct vfsmount *mnt);
64576+int gr_handle_ptrace(struct task_struct *task, const long request);
64577+int gr_handle_proc_ptrace(struct task_struct *task);
64578+__u32 gr_acl_handle_execve(const struct dentry *dentry,
64579+ const struct vfsmount *mnt);
64580+int gr_check_crash_exec(const struct file *filp);
64581+int gr_acl_is_enabled(void);
64582+void gr_set_kernel_label(struct task_struct *task);
64583+void gr_set_role_label(struct task_struct *task, const uid_t uid,
64584+ const gid_t gid);
64585+int gr_set_proc_label(const struct dentry *dentry,
64586+ const struct vfsmount *mnt,
64587+ const int unsafe_share);
64588+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
64589+ const struct vfsmount *mnt);
64590+__u32 gr_acl_handle_open(const struct dentry *dentry,
64591+ const struct vfsmount *mnt, const int fmode);
64592+__u32 gr_acl_handle_creat(const struct dentry *dentry,
64593+ const struct dentry *p_dentry,
64594+ const struct vfsmount *p_mnt, const int fmode,
64595+ const int imode);
64596+void gr_handle_create(const struct dentry *dentry,
64597+ const struct vfsmount *mnt);
64598+void gr_handle_proc_create(const struct dentry *dentry,
64599+ const struct inode *inode);
64600+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
64601+ const struct dentry *parent_dentry,
64602+ const struct vfsmount *parent_mnt,
64603+ const int mode);
64604+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
64605+ const struct dentry *parent_dentry,
64606+ const struct vfsmount *parent_mnt);
64607+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
64608+ const struct vfsmount *mnt);
64609+void gr_handle_delete(const ino_t ino, const dev_t dev);
64610+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
64611+ const struct vfsmount *mnt);
64612+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
64613+ const struct dentry *parent_dentry,
64614+ const struct vfsmount *parent_mnt,
64615+ const char *from);
64616+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
64617+ const struct dentry *parent_dentry,
64618+ const struct vfsmount *parent_mnt,
64619+ const struct dentry *old_dentry,
64620+ const struct vfsmount *old_mnt, const char *to);
64621+int gr_acl_handle_rename(struct dentry *new_dentry,
64622+ struct dentry *parent_dentry,
64623+ const struct vfsmount *parent_mnt,
64624+ struct dentry *old_dentry,
64625+ struct inode *old_parent_inode,
64626+ struct vfsmount *old_mnt, const char *newname);
64627+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
64628+ struct dentry *old_dentry,
64629+ struct dentry *new_dentry,
64630+ struct vfsmount *mnt, const __u8 replace);
64631+__u32 gr_check_link(const struct dentry *new_dentry,
64632+ const struct dentry *parent_dentry,
64633+ const struct vfsmount *parent_mnt,
64634+ const struct dentry *old_dentry,
64635+ const struct vfsmount *old_mnt);
64636+int gr_acl_handle_filldir(const struct file *file, const char *name,
64637+ const unsigned int namelen, const ino_t ino);
64638+
64639+__u32 gr_acl_handle_unix(const struct dentry *dentry,
64640+ const struct vfsmount *mnt);
64641+void gr_acl_handle_exit(void);
64642+void gr_acl_handle_psacct(struct task_struct *task, const long code);
64643+int gr_acl_handle_procpidmem(const struct task_struct *task);
64644+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
64645+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
64646+void gr_audit_ptrace(struct task_struct *task);
64647+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
64648+
64649+#ifdef CONFIG_GRKERNSEC
64650+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
64651+void gr_handle_vm86(void);
64652+void gr_handle_mem_readwrite(u64 from, u64 to);
64653+
64654+extern int grsec_enable_dmesg;
64655+extern int grsec_disable_privio;
64656+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
64657+extern int grsec_enable_chroot_findtask;
64658+#endif
64659+#endif
64660+
64661+#endif
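Review bot: The hook prototypes mix `int` and `__u32` return types (`gr_handle_chroot_*`, `gr_tpe_allow`, `gr_acl_handle_*`), and nothing in the header says which return value means the operation is refused. A caller that reads the polarity the wrong way round could let a denied operation through, so each family deserves a comment giving its return convention, placed above the `gr_handle_*` group and above the `gr_acl_handle_*` group. The implementations are outside this hunk, so the wording has to be taken from them. Also, `gr_check_user_change` and `gr_check_group_change` take ids as `int`, while `gr_check_crash_uid` and `gr_set_role_label` use `uid_t`/`gid_t`; either switch to the id types or add a comment explaining why a signed type is wanted.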
64662diff -urNp linux-2.6.32.48/include/linux/hdpu_features.h linux-2.6.32.48/include/linux/hdpu_features.h
64663--- linux-2.6.32.48/include/linux/hdpu_features.h 2011-11-08 19:02:43.000000000 -0500
64664+++ linux-2.6.32.48/include/linux/hdpu_features.h 2011-11-15 19:59:43.000000000 -0500
64665@@ -3,7 +3,7 @@
64666 struct cpustate_t {
64667 spinlock_t lock;
64668 int excl;
64669- int open_count;
64670+ atomic_t open_count;
64671 unsigned char cached_val;
64672 int inited;
64673 unsigned long *set_addr;
64674diff -urNp linux-2.6.32.48/include/linux/highmem.h linux-2.6.32.48/include/linux/highmem.h
64675--- linux-2.6.32.48/include/linux/highmem.h 2011-11-08 19:02:43.000000000 -0500
64676+++ linux-2.6.32.48/include/linux/highmem.h 2011-11-15 19:59:43.000000000 -0500
64677@@ -137,6 +137,18 @@ static inline void clear_highpage(struct
64678 kunmap_atomic(kaddr, KM_USER0);
64679 }
64680
64681+static inline void sanitize_highpage(struct page *page)
64682+{
64683+ void *kaddr;
64684+ unsigned long flags;
64685+
64686+ local_irq_save(flags);
64687+ kaddr = kmap_atomic(page, KM_CLEARPAGE);
64688+ clear_page(kaddr);
64689+ kunmap_atomic(kaddr, KM_CLEARPAGE);
64690+ local_irq_restore(flags);
64691+}
64692+
64693 static inline void zero_user_segments(struct page *page,
64694 unsigned start1, unsigned end1,
64695 unsigned start2, unsigned end2)
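Review bot: sanitize_highpage() is added with no comment saying how it differs from clear_highpage() directly above it: it maps through `KM_CLEARPAGE` rather than `KM_USER0` and brackets the mapping with local_irq_save()/local_irq_restore(). Presumably this lets it run from any context in which a page is released without another user of the same atomic-kmap slot interrupting it, but the callers are not in this hunk. A short comment such as `/* zero a page being freed; private kmap slot, IRQs off so the slot cannot be reused underneath us */` would stop a later cleanup from folding it back into clear_highpage().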
64696diff -urNp linux-2.6.32.48/include/linux/i2c.h linux-2.6.32.48/include/linux/i2c.h
64697--- linux-2.6.32.48/include/linux/i2c.h 2011-11-08 19:02:43.000000000 -0500
64698+++ linux-2.6.32.48/include/linux/i2c.h 2011-11-15 19:59:43.000000000 -0500
64699@@ -325,6 +325,7 @@ struct i2c_algorithm {
64700 /* To determine what the adapter supports */
64701 u32 (*functionality) (struct i2c_adapter *);
64702 };
64703+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
64704
64705 /*
64706 * i2c_adapter is the structure used to identify a physical i2c bus along
64707diff -urNp linux-2.6.32.48/include/linux/i2o.h linux-2.6.32.48/include/linux/i2o.h
64708--- linux-2.6.32.48/include/linux/i2o.h 2011-11-08 19:02:43.000000000 -0500
64709+++ linux-2.6.32.48/include/linux/i2o.h 2011-11-15 19:59:43.000000000 -0500
64710@@ -564,7 +564,7 @@ struct i2o_controller {
64711 struct i2o_device *exec; /* Executive */
64712 #if BITS_PER_LONG == 64
64713 spinlock_t context_list_lock; /* lock for context_list */
64714- atomic_t context_list_counter; /* needed for unique contexts */
64715+ atomic_unchecked_t context_list_counter; /* needed for unique contexts */
64716 struct list_head context_list; /* list of context id's
64717 and pointers */
64718 #endif
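Review bot: The comment on `context_list_counter` still says only "needed for unique contexts" and does not explain the move to `atomic_unchecked_t`, which in this patch set appears to be the type exempt from reference-counter overflow detection. Wrapping is presumably acceptable for an ID source, but a wrapped value can repeat an ID that is still on `context_list`. Whether the allocation path copes with that is outside this hunk. Extend the comment to record the reasoning, e.g. `/* ID source, not a refcount: may wrap */`, and state how duplicates are avoided if they are. `struct i2o_controller` begins and ends outside the hunk.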
64719diff -urNp linux-2.6.32.48/include/linux/init_task.h linux-2.6.32.48/include/linux/init_task.h
64720--- linux-2.6.32.48/include/linux/init_task.h 2011-11-08 19:02:43.000000000 -0500
64721+++ linux-2.6.32.48/include/linux/init_task.h 2011-11-15 19:59:43.000000000 -0500
64722@@ -83,6 +83,12 @@ extern struct group_info init_groups;
64723 #define INIT_IDS
64724 #endif
64725
64726+#ifdef CONFIG_X86
64727+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
64728+#else
64729+#define INIT_TASK_THREAD_INFO
64730+#endif
64731+
64732 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
64733 /*
64734 * Because of the reduced scope of CAP_SETPCAP when filesystem
64735@@ -156,6 +162,7 @@ extern struct cred init_cred;
64736 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
64737 .comm = "swapper", \
64738 .thread = INIT_THREAD, \
64739+ INIT_TASK_THREAD_INFO \
64740 .fs = &init_fs, \
64741 .files = &init_files, \
64742 .signal = &init_signals, \
64743diff -urNp linux-2.6.32.48/include/linux/intel-iommu.h linux-2.6.32.48/include/linux/intel-iommu.h
64744--- linux-2.6.32.48/include/linux/intel-iommu.h 2011-11-08 19:02:43.000000000 -0500
64745+++ linux-2.6.32.48/include/linux/intel-iommu.h 2011-11-15 19:59:43.000000000 -0500
64746@@ -296,7 +296,7 @@ struct iommu_flush {
64747 u8 fm, u64 type);
64748 void (*flush_iotlb)(struct intel_iommu *iommu, u16 did, u64 addr,
64749 unsigned int size_order, u64 type);
64750-};
64751+} __no_const;
64752
64753 enum {
64754 SR_DMAR_FECTL_REG,
64755diff -urNp linux-2.6.32.48/include/linux/interrupt.h linux-2.6.32.48/include/linux/interrupt.h
64756--- linux-2.6.32.48/include/linux/interrupt.h 2011-11-08 19:02:43.000000000 -0500
64757+++ linux-2.6.32.48/include/linux/interrupt.h 2011-11-15 19:59:43.000000000 -0500
64758@@ -363,7 +363,7 @@ enum
64759 /* map softirq index to softirq name. update 'softirq_to_name' in
64760 * kernel/softirq.c when adding a new softirq.
64761 */
64762-extern char *softirq_to_name[NR_SOFTIRQS];
64763+extern const char * const softirq_to_name[NR_SOFTIRQS];
64764
64765 /* softirq mask and active fields moved to irq_cpustat_t in
64766 * asm/hardirq.h to get better cache usage. KAO
64767@@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
64768
64769 struct softirq_action
64770 {
64771- void (*action)(struct softirq_action *);
64772+ void (*action)(void);
64773 };
64774
64775 asmlinkage void do_softirq(void);
64776 asmlinkage void __do_softirq(void);
64777-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
64778+extern void open_softirq(int nr, void (*action)(void));
64779 extern void softirq_init(void);
64780 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
64781 extern void raise_softirq_irqoff(unsigned int nr);
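Review bot: `softirq_action.action` and `open_softirq()` now take a `void (*)(void)` handler, but nothing in the header tells handler authors that the `struct softirq_action *` argument is gone. A handler still defined with the old parameter only builds with a cast, and calling it through the new pointer type is undefined behaviour in C. A one-line comment above the struct would help: `/* handlers take no argument; do not cast old-style handlers to this type */`. The matching handler conversions are outside this hunk.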
64782diff -urNp linux-2.6.32.48/include/linux/irq.h linux-2.6.32.48/include/linux/irq.h
64783--- linux-2.6.32.48/include/linux/irq.h 2011-11-08 19:02:43.000000000 -0500
64784+++ linux-2.6.32.48/include/linux/irq.h 2011-11-15 19:59:43.000000000 -0500
64785@@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
64786 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
64787 bool boot)
64788 {
64789+#ifdef CONFIG_CPUMASK_OFFSTACK
64790 gfp_t gfp = GFP_ATOMIC;
64791
64792 if (boot)
64793 gfp = GFP_NOWAIT;
64794
64795-#ifdef CONFIG_CPUMASK_OFFSTACK
64796 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
64797 return false;
64798
64799diff -urNp linux-2.6.32.48/include/linux/kallsyms.h linux-2.6.32.48/include/linux/kallsyms.h
64800--- linux-2.6.32.48/include/linux/kallsyms.h 2011-11-08 19:02:43.000000000 -0500
64801+++ linux-2.6.32.48/include/linux/kallsyms.h 2011-11-15 19:59:43.000000000 -0500
64802@@ -15,7 +15,8 @@
64803
64804 struct module;
64805
64806-#ifdef CONFIG_KALLSYMS
64807+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
64808+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
64809 /* Lookup the address for a symbol. Returns 0 if not found. */
64810 unsigned long kallsyms_lookup_name(const char *name);
64811
64812@@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
64813 /* Stupid that this does nothing, but I didn't create this mess. */
64814 #define __print_symbol(fmt, addr)
64815 #endif /*CONFIG_KALLSYMS*/
64816+#else /* when included by kallsyms.c, vsnprintf.c, or
64817+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
64818+extern void __print_symbol(const char *fmt, unsigned long address);
64819+extern int sprint_symbol(char *buffer, unsigned long address);
64820+const char *kallsyms_lookup(unsigned long addr,
64821+ unsigned long *symbolsize,
64822+ unsigned long *offset,
64823+ char **modname, char *namebuf);
64824+#endif
64825
64826 /* This macro allows us to keep printk typechecking */
64827 static void __check_printsym_format(const char *fmt, ...)
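Review bot: After this change the existing `#endif /*CONFIG_KALLSYMS*/` closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` from the first hunk, and the newly added `#endif` closes the outer `__INCLUDED_BY_HIDESYM` test with no label, so the nesting has to be worked out by hand. Label the new one, `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. Also add a comment above the outer `#if` saying which branch an ordinary includer gets when HIDESYM is enabled; that branch lies between the two hunks and is not shown here. In the `#else` branch `kallsyms_lookup` is declared without `extern` while the two prototypes before it have it; use one form.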
64828diff -urNp linux-2.6.32.48/include/linux/kgdb.h linux-2.6.32.48/include/linux/kgdb.h
64829--- linux-2.6.32.48/include/linux/kgdb.h 2011-11-08 19:02:43.000000000 -0500
64830+++ linux-2.6.32.48/include/linux/kgdb.h 2011-11-15 19:59:43.000000000 -0500
64831@@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
64832
64833 extern int kgdb_connected;
64834
64835-extern atomic_t kgdb_setting_breakpoint;
64836-extern atomic_t kgdb_cpu_doing_single_step;
64837+extern atomic_unchecked_t kgdb_setting_breakpoint;
64838+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
64839
64840 extern struct task_struct *kgdb_usethread;
64841 extern struct task_struct *kgdb_contthread;
64842@@ -235,7 +235,7 @@ struct kgdb_arch {
64843 int (*remove_hw_breakpoint)(unsigned long, int, enum kgdb_bptype);
64844 void (*remove_all_hw_break)(void);
64845 void (*correct_hw_break)(void);
64846-};
64847+} __do_const;
64848
64849 /**
64850 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
64851@@ -257,14 +257,14 @@ struct kgdb_io {
64852 int (*init) (void);
64853 void (*pre_exception) (void);
64854 void (*post_exception) (void);
64855-};
64856+} __do_const;
64857
64858-extern struct kgdb_arch arch_kgdb_ops;
64859+extern const struct kgdb_arch arch_kgdb_ops;
64860
64861 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
64862
64863-extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
64864-extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
64865+extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
64866+extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
64867
64868 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
64869 extern int kgdb_mem2hex(char *mem, char *buf, int count);
64870diff -urNp linux-2.6.32.48/include/linux/kmod.h linux-2.6.32.48/include/linux/kmod.h
64871--- linux-2.6.32.48/include/linux/kmod.h 2011-11-08 19:02:43.000000000 -0500
64872+++ linux-2.6.32.48/include/linux/kmod.h 2011-11-15 19:59:43.000000000 -0500
64873@@ -31,6 +31,8 @@
64874 * usually useless though. */
64875 extern int __request_module(bool wait, const char *name, ...) \
64876 __attribute__((format(printf, 2, 3)));
64877+extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
64878+ __attribute__((format(printf, 3, 4)));
64879 #define request_module(mod...) __request_module(true, mod)
64880 #define request_module_nowait(mod...) __request_module(false, mod)
64881 #define try_then_request_module(x, mod...) \
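Review bot: `___request_module()` takes `char *param_name` while `name` next to it is `const char *`. Unless the implementation writes through `param_name` (it is not in this hunk), the parameter should be `const char *param_name` so callers can pass string literals without a cast. The new prototype differs from `__request_module` by a single underscore and has no comment, so add a line saying what `param_name` carries and which callers are expected to use this variant. The `format(printf, 3, 4)` indices are correct for the extra parameter.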
64882diff -urNp linux-2.6.32.48/include/linux/kobject.h linux-2.6.32.48/include/linux/kobject.h
64883--- linux-2.6.32.48/include/linux/kobject.h 2011-11-08 19:02:43.000000000 -0500
64884+++ linux-2.6.32.48/include/linux/kobject.h 2011-11-15 19:59:43.000000000 -0500
64885@@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
64886
64887 struct kobj_type {
64888 void (*release)(struct kobject *kobj);
64889- struct sysfs_ops *sysfs_ops;
64890+ const struct sysfs_ops *sysfs_ops;
64891 struct attribute **default_attrs;
64892 };
64893
64894@@ -118,9 +118,9 @@ struct kobj_uevent_env {
64895 };
64896
64897 struct kset_uevent_ops {
64898- int (*filter)(struct kset *kset, struct kobject *kobj);
64899- const char *(*name)(struct kset *kset, struct kobject *kobj);
64900- int (*uevent)(struct kset *kset, struct kobject *kobj,
64901+ int (* const filter)(struct kset *kset, struct kobject *kobj);
64902+ const char *(* const name)(struct kset *kset, struct kobject *kobj);
64903+ int (* const uevent)(struct kset *kset, struct kobject *kobj,
64904 struct kobj_uevent_env *env);
64905 };
64906
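Review bot: `kset_uevent_ops` is locked down by marking each member `* const`, whereas other ops structures in this patch use a struct attribute (`__do_const` on `kgdb_arch`, `kgdb_io` and `ata_port_operations`) or only constify the pointer to the struct, as for `sysfs_ops` in the hunk above. Per-member const also prevents an instance from being filled in at run time, even one in writable memory, which is stricter than a const pointer. If that is intended here and for `nlmsvc_binding` in lockd/bind.h, say so in a comment above the struct. Otherwise use one mechanism throughout.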
64907@@ -132,7 +132,7 @@ struct kobj_attribute {
64908 const char *buf, size_t count);
64909 };
64910
64911-extern struct sysfs_ops kobj_sysfs_ops;
64912+extern const struct sysfs_ops kobj_sysfs_ops;
64913
64914 /**
64915 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
64916@@ -155,14 +155,14 @@ struct kset {
64917 struct list_head list;
64918 spinlock_t list_lock;
64919 struct kobject kobj;
64920- struct kset_uevent_ops *uevent_ops;
64921+ const struct kset_uevent_ops *uevent_ops;
64922 };
64923
64924 extern void kset_init(struct kset *kset);
64925 extern int __must_check kset_register(struct kset *kset);
64926 extern void kset_unregister(struct kset *kset);
64927 extern struct kset * __must_check kset_create_and_add(const char *name,
64928- struct kset_uevent_ops *u,
64929+ const struct kset_uevent_ops *u,
64930 struct kobject *parent_kobj);
64931
64932 static inline struct kset *to_kset(struct kobject *kobj)
64933diff -urNp linux-2.6.32.48/include/linux/kvm_host.h linux-2.6.32.48/include/linux/kvm_host.h
64934--- linux-2.6.32.48/include/linux/kvm_host.h 2011-11-08 19:02:43.000000000 -0500
64935+++ linux-2.6.32.48/include/linux/kvm_host.h 2011-11-15 19:59:43.000000000 -0500
64936@@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
64937 void vcpu_load(struct kvm_vcpu *vcpu);
64938 void vcpu_put(struct kvm_vcpu *vcpu);
64939
64940-int kvm_init(void *opaque, unsigned int vcpu_size,
64941+int kvm_init(const void *opaque, unsigned int vcpu_size,
64942 struct module *module);
64943 void kvm_exit(void);
64944
64945@@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
64946 struct kvm_guest_debug *dbg);
64947 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
64948
64949-int kvm_arch_init(void *opaque);
64950+int kvm_arch_init(const void *opaque);
64951 void kvm_arch_exit(void);
64952
64953 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
64954diff -urNp linux-2.6.32.48/include/linux/libata.h linux-2.6.32.48/include/linux/libata.h
64955--- linux-2.6.32.48/include/linux/libata.h 2011-11-08 19:02:43.000000000 -0500
64956+++ linux-2.6.32.48/include/linux/libata.h 2011-11-15 19:59:43.000000000 -0500
64957@@ -525,11 +525,11 @@ struct ata_ioports {
64958
64959 struct ata_host {
64960 spinlock_t lock;
64961- struct device *dev;
64962+ struct device *dev;
64963 void __iomem * const *iomap;
64964 unsigned int n_ports;
64965 void *private_data;
64966- struct ata_port_operations *ops;
64967+ const struct ata_port_operations *ops;
64968 unsigned long flags;
64969 #ifdef CONFIG_ATA_ACPI
64970 acpi_handle acpi_handle;
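Review bot: The `struct device *dev;` member of `ata_host` is removed and re-added with identical text as rendered here, so the difference can only be whitespace. That churn is unrelated to the `const struct ata_port_operations *ops` change in the same hunk and makes the security-relevant line harder to spot. Drop the whitespace edit or move it to a separate cleanup.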
64971@@ -710,7 +710,7 @@ struct ata_link {
64972
64973 struct ata_port {
64974 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
64975- struct ata_port_operations *ops;
64976+ const struct ata_port_operations *ops;
64977 spinlock_t *lock;
64978 /* Flags owned by the EH context. Only EH should touch these once the
64979 port is active */
64980@@ -884,7 +884,7 @@ struct ata_port_operations {
64981 * fields must be pointers.
64982 */
64983 const struct ata_port_operations *inherits;
64984-};
64985+} __do_const;
64986
64987 struct ata_port_info {
64988 unsigned long flags;
64989@@ -892,7 +892,7 @@ struct ata_port_info {
64990 unsigned long pio_mask;
64991 unsigned long mwdma_mask;
64992 unsigned long udma_mask;
64993- struct ata_port_operations *port_ops;
64994+ const struct ata_port_operations *port_ops;
64995 void *private_data;
64996 };
64997
64998@@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
64999 extern const unsigned long sata_deb_timing_hotplug[];
65000 extern const unsigned long sata_deb_timing_long[];
65001
65002-extern struct ata_port_operations ata_dummy_port_ops;
65003+extern const struct ata_port_operations ata_dummy_port_ops;
65004 extern const struct ata_port_info ata_dummy_port_info;
65005
65006 static inline const unsigned long *
65007@@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
65008 struct scsi_host_template *sht);
65009 extern void ata_host_detach(struct ata_host *host);
65010 extern void ata_host_init(struct ata_host *, struct device *,
65011- unsigned long, struct ata_port_operations *);
65012+ unsigned long, const struct ata_port_operations *);
65013 extern int ata_scsi_detect(struct scsi_host_template *sht);
65014 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
65015 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
65016diff -urNp linux-2.6.32.48/include/linux/lockd/bind.h linux-2.6.32.48/include/linux/lockd/bind.h
65017--- linux-2.6.32.48/include/linux/lockd/bind.h 2011-11-08 19:02:43.000000000 -0500
65018+++ linux-2.6.32.48/include/linux/lockd/bind.h 2011-11-15 19:59:43.000000000 -0500
65019@@ -23,13 +23,13 @@ struct svc_rqst;
65020 * This is the set of functions for lockd->nfsd communication
65021 */
65022 struct nlmsvc_binding {
65023- __be32 (*fopen)(struct svc_rqst *,
65024+ __be32 (* const fopen)(struct svc_rqst *,
65025 struct nfs_fh *,
65026 struct file **);
65027- void (*fclose)(struct file *);
65028+ void (* const fclose)(struct file *);
65029 };
65030
65031-extern struct nlmsvc_binding * nlmsvc_ops;
65032+extern const struct nlmsvc_binding * nlmsvc_ops;
65033
65034 /*
65035 * Similar to nfs_client_initdata, but without the NFS-specific
65036diff -urNp linux-2.6.32.48/include/linux/mca.h linux-2.6.32.48/include/linux/mca.h
65037--- linux-2.6.32.48/include/linux/mca.h 2011-11-08 19:02:43.000000000 -0500
65038+++ linux-2.6.32.48/include/linux/mca.h 2011-11-15 19:59:43.000000000 -0500
65039@@ -80,7 +80,7 @@ struct mca_bus_accessor_functions {
65040 int region);
65041 void * (*mca_transform_memory)(struct mca_device *,
65042 void *memory);
65043-};
65044+} __no_const;
65045
65046 struct mca_bus {
65047 u64 default_dma_mask;
65048diff -urNp linux-2.6.32.48/include/linux/memory.h linux-2.6.32.48/include/linux/memory.h
65049--- linux-2.6.32.48/include/linux/memory.h 2011-11-08 19:02:43.000000000 -0500
65050+++ linux-2.6.32.48/include/linux/memory.h 2011-11-15 19:59:43.000000000 -0500
65051@@ -108,7 +108,7 @@ struct memory_accessor {
65052 size_t count);
65053 ssize_t (*write)(struct memory_accessor *, const char *buf,
65054 off_t offset, size_t count);
65055-};
65056+} __no_const;
65057
65058 /*
65059 * Kernel text modification mutex, used for code patching. Users of this lock
65060diff -urNp linux-2.6.32.48/include/linux/mm.h linux-2.6.32.48/include/linux/mm.h
65061--- linux-2.6.32.48/include/linux/mm.h 2011-11-08 19:02:43.000000000 -0500
65062+++ linux-2.6.32.48/include/linux/mm.h 2011-11-15 19:59:43.000000000 -0500
65063@@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
65064
65065 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
65066 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
65067+
65068+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
65069+#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
65070+#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
65071+#else
65072 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
65073+#endif
65074+
65075 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
65076 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
65077
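Review bot: Under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` the bit 0x20000000 is given to `VM_PAGEEXEC` and `VM_SAO` becomes 0, but the zero-valued `VM_SAO` line keeps the original comment and nothing says why the reuse is safe. The reasoning is presumably that Strong Access Ordering is powerpc-only, so the bit is free on 32-bit x86. Write that down, e.g. `/* VM_SAO is powerpc-only; its bit is reused for VM_PAGEEXEC on x86-32 */`. The same comment should mention that with `VM_SAO == 0` any `flags & VM_SAO` test is constant false and `|= VM_SAO` is a no-op.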
65078@@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
65079 int set_page_dirty_lock(struct page *page);
65080 int clear_page_dirty_for_io(struct page *page);
65081
65082-/* Is the vma a continuation of the stack vma above it? */
65083-static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
65084-{
65085- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
65086-}
65087-
65088 extern unsigned long move_page_tables(struct vm_area_struct *vma,
65089 unsigned long old_addr, struct vm_area_struct *new_vma,
65090 unsigned long new_addr, unsigned long len);
65091@@ -890,6 +891,8 @@ struct shrinker {
65092 extern void register_shrinker(struct shrinker *);
65093 extern void unregister_shrinker(struct shrinker *);
65094
65095+pgprot_t vm_get_page_prot(unsigned long vm_flags);
65096+
65097 int vma_wants_writenotify(struct vm_area_struct *vma);
65098
65099 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
65100@@ -1162,6 +1165,7 @@ out:
65101 }
65102
65103 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
65104+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
65105
65106 extern unsigned long do_brk(unsigned long, unsigned long);
65107
65108@@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
65109 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
65110 struct vm_area_struct **pprev);
65111
65112+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
65113+extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
65114+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
65115+
65116 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
65117 NULL if none. Assume start_addr < end_addr. */
65118 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
65119@@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
65120 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
65121 }
65122
65123-pgprot_t vm_get_page_prot(unsigned long vm_flags);
65124 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
65125 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
65126 unsigned long pfn, unsigned long size, pgprot_t);
65127@@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
65128 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
65129 extern int sysctl_memory_failure_early_kill;
65130 extern int sysctl_memory_failure_recovery;
65131-extern atomic_long_t mce_bad_pages;
65132+extern atomic_long_unchecked_t mce_bad_pages;
65133+
65134+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65135+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
65136+#else
65137+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
65138+#endif
65139
65140 #endif /* __KERNEL__ */
65141 #endif /* _LINUX_MM_H */
65142diff -urNp linux-2.6.32.48/include/linux/mm_types.h linux-2.6.32.48/include/linux/mm_types.h
65143--- linux-2.6.32.48/include/linux/mm_types.h 2011-11-08 19:02:43.000000000 -0500
65144+++ linux-2.6.32.48/include/linux/mm_types.h 2011-11-15 19:59:43.000000000 -0500
65145@@ -186,6 +186,8 @@ struct vm_area_struct {
65146 #ifdef CONFIG_NUMA
65147 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
65148 #endif
65149+
65150+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
65151 };
65152
65153 struct core_thread {
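Review bot: `vm_mirror` is added to `vm_area_struct` unconditionally, while every field added to `mm_struct` in the next hunk sits under a `CONFIG_PAX_*` guard. The pointer therefore grows each VMA even in configurations that never mirror. If that is deliberate (the `pax_mirror_*` prototypes in mm.h are unconditional too), extend the comment to say which feature sets the pointer and that it must stay NULL otherwise. `struct vm_area_struct` starts outside this hunk, so its initialisation sites are not visible here and should be checked for setting the new field.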
65154@@ -287,6 +289,24 @@ struct mm_struct {
65155 #ifdef CONFIG_MMU_NOTIFIER
65156 struct mmu_notifier_mm *mmu_notifier_mm;
65157 #endif
65158+
65159+#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65160+ unsigned long pax_flags;
65161+#endif
65162+
65163+#ifdef CONFIG_PAX_DLRESOLVE
65164+ unsigned long call_dl_resolve;
65165+#endif
65166+
65167+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
65168+ unsigned long call_syscall;
65169+#endif
65170+
65171+#ifdef CONFIG_PAX_ASLR
65172+ unsigned long delta_mmap; /* randomized offset */
65173+ unsigned long delta_stack; /* randomized offset */
65174+#endif
65175+
65176 };
65177
65178 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
65179diff -urNp linux-2.6.32.48/include/linux/mmu_notifier.h linux-2.6.32.48/include/linux/mmu_notifier.h
65180--- linux-2.6.32.48/include/linux/mmu_notifier.h 2011-11-08 19:02:43.000000000 -0500
65181+++ linux-2.6.32.48/include/linux/mmu_notifier.h 2011-11-15 19:59:43.000000000 -0500
65182@@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
65183 */
65184 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
65185 ({ \
65186- pte_t __pte; \
65187+ pte_t ___pte; \
65188 struct vm_area_struct *___vma = __vma; \
65189 unsigned long ___address = __address; \
65190- __pte = ptep_clear_flush(___vma, ___address, __ptep); \
65191+ ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
65192 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
65193- __pte; \
65194+ ___pte; \
65195 })
65196
65197 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
65198diff -urNp linux-2.6.32.48/include/linux/mmzone.h linux-2.6.32.48/include/linux/mmzone.h
65199--- linux-2.6.32.48/include/linux/mmzone.h 2011-11-08 19:02:43.000000000 -0500
65200+++ linux-2.6.32.48/include/linux/mmzone.h 2011-11-15 19:59:43.000000000 -0500
65201@@ -350,7 +350,7 @@ struct zone {
65202 unsigned long flags; /* zone flags, see below */
65203
65204 /* Zone statistics */
65205- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65206+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
65207
65208 /*
65209 * prev_priority holds the scanning priority for this zone. It is
65210diff -urNp linux-2.6.32.48/include/linux/mod_devicetable.h linux-2.6.32.48/include/linux/mod_devicetable.h
65211--- linux-2.6.32.48/include/linux/mod_devicetable.h 2011-11-08 19:02:43.000000000 -0500
65212+++ linux-2.6.32.48/include/linux/mod_devicetable.h 2011-11-15 19:59:43.000000000 -0500
65213@@ -12,7 +12,7 @@
65214 typedef unsigned long kernel_ulong_t;
65215 #endif
65216
65217-#define PCI_ANY_ID (~0)
65218+#define PCI_ANY_ID ((__u16)~0)
65219
65220 struct pci_device_id {
65221 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
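Review bot: `PCI_ANY_ID` becomes `((__u16)~0)`, i.e. 0xFFFF, while the fields it is stored in (`__u32 vendor, device` on the last context line) are 32-bit, so the wildcard value held in ID tables changes from 0xFFFFFFFF to 0x0000FFFF. Matching is still consistent where both sides use the macro. Anything that supplies or compares the old all-ones 32-bit value, such as an object built against the unpatched header or a tool that reads ID tables, would presumably no longer be treated as a wildcard. Add a comment giving the reason for the 16-bit cast and this compatibility consequence. `HID_ANY_ID` in the next hunk only gains an unsigned suffix and stores the same bit pattern as before.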
65222@@ -131,7 +131,7 @@ struct usb_device_id {
65223 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
65224 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
65225
65226-#define HID_ANY_ID (~0)
65227+#define HID_ANY_ID (~0U)
65228
65229 struct hid_device_id {
65230 __u16 bus;
65231diff -urNp linux-2.6.32.48/include/linux/module.h linux-2.6.32.48/include/linux/module.h
65232--- linux-2.6.32.48/include/linux/module.h 2011-11-08 19:02:43.000000000 -0500
65233+++ linux-2.6.32.48/include/linux/module.h 2011-11-15 19:59:43.000000000 -0500
65234@@ -16,6 +16,7 @@
65235 #include <linux/kobject.h>
65236 #include <linux/moduleparam.h>
65237 #include <linux/tracepoint.h>
65238+#include <linux/fs.h>
65239
65240 #include <asm/local.h>
65241 #include <asm/module.h>
65242@@ -287,16 +288,16 @@ struct module
65243 int (*init)(void);
65244
65245 /* If this is non-NULL, vfree after init() returns */
65246- void *module_init;
65247+ void *module_init_rx, *module_init_rw;
65248
65249 /* Here is the actual code + data, vfree'd on unload. */
65250- void *module_core;
65251+ void *module_core_rx, *module_core_rw;
65252
65253 /* Here are the sizes of the init and core sections */
65254- unsigned int init_size, core_size;
65255+ unsigned int init_size_rw, core_size_rw;
65256
65257 /* The size of the executable code in each section. */
65258- unsigned int init_text_size, core_text_size;
65259+ unsigned int init_size_rx, core_size_rx;
65260
65261 /* Arch-specific module values */
65262 struct mod_arch_specific arch;
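Review bot: The field comments were left unchanged and no longer describe the fields beneath them. "Here are the sizes of the init and core sections" now sits over `init_size_rw, core_size_rw` only, and "If this is non-NULL, vfree after init() returns" sits over two pointers. Reword them for the split, e.g. `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the executable (rx) init and core regions */`. For `module_init_rx`/`module_init_rw`, also state whether either may be NULL on its own. `struct module` starts and ends outside this hunk.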
65263@@ -345,6 +346,10 @@ struct module
65264 #ifdef CONFIG_EVENT_TRACING
65265 struct ftrace_event_call *trace_events;
65266 unsigned int num_trace_events;
65267+ struct file_operations trace_id;
65268+ struct file_operations trace_enable;
65269+ struct file_operations trace_format;
65270+ struct file_operations trace_filter;
65271 #endif
65272 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
65273 unsigned long *ftrace_callsites;
65274@@ -393,16 +398,46 @@ struct module *__module_address(unsigned
65275 bool is_module_address(unsigned long addr);
65276 bool is_module_text_address(unsigned long addr);
65277
65278+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
65279+{
65280+
65281+#ifdef CONFIG_PAX_KERNEXEC
65282+ if (ktla_ktva(addr) >= (unsigned long)start &&
65283+ ktla_ktva(addr) < (unsigned long)start + size)
65284+ return 1;
65285+#endif
65286+
65287+ return ((void *)addr >= start && (void *)addr < start + size);
65288+}
65289+
65290+static inline int within_module_core_rx(unsigned long addr, struct module *mod)
65291+{
65292+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
65293+}
65294+
65295+static inline int within_module_core_rw(unsigned long addr, struct module *mod)
65296+{
65297+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
65298+}
65299+
65300+static inline int within_module_init_rx(unsigned long addr, struct module *mod)
65301+{
65302+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
65303+}
65304+
65305+static inline int within_module_init_rw(unsigned long addr, struct module *mod)
65306+{
65307+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
65308+}
65309+
65310 static inline int within_module_core(unsigned long addr, struct module *mod)
65311 {
65312- return (unsigned long)mod->module_core <= addr &&
65313- addr < (unsigned long)mod->module_core + mod->core_size;
65314+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
65315 }
65316
65317 static inline int within_module_init(unsigned long addr, struct module *mod)
65318 {
65319- return (unsigned long)mod->module_init <= addr &&
65320- addr < (unsigned long)mod->module_init + mod->init_size;
65321+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
65322 }
65323
65324 /* Search for module by name: must hold module_mutex. */
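Review bot: within_module_range() compares in `unsigned long` inside the `CONFIG_PAX_KERNEXEC` branch but falls back to `(void *)addr < start + size`, which relies on GNU `void *` arithmetic and mixes two comparison styles in one function. Doing both in integers is clearer and matches the code being replaced: `unsigned long base = (unsigned long)start;` then `return addr >= base && addr < base + size;`. The helper has no comment explaining why, under KERNEXEC, the address is also tested after `ktla_ktva()` translation, which is the non-obvious part. The stray blank line after the opening brace can go.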
65325diff -urNp linux-2.6.32.48/include/linux/moduleloader.h linux-2.6.32.48/include/linux/moduleloader.h
65326--- linux-2.6.32.48/include/linux/moduleloader.h 2011-11-08 19:02:43.000000000 -0500
65327+++ linux-2.6.32.48/include/linux/moduleloader.h 2011-11-15 19:59:43.000000000 -0500
65328@@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
65329 sections. Returns NULL on failure. */
65330 void *module_alloc(unsigned long size);
65331
65332+#ifdef CONFIG_PAX_KERNEXEC
65333+void *module_alloc_exec(unsigned long size);
65334+#else
65335+#define module_alloc_exec(x) module_alloc(x)
65336+#endif
65337+
65338 /* Free memory returned from module_alloc. */
65339 void module_free(struct module *mod, void *module_region);
65340
65341+#ifdef CONFIG_PAX_KERNEXEC
65342+void module_free_exec(struct module *mod, void *module_region);
65343+#else
65344+#define module_free_exec(x, y) module_free((x), (y))
65345+#endif
65346+
65347 /* Apply the given relocation to the (simplified) ELF. Return -error
65348 or 0. */
65349 int apply_relocate(Elf_Shdr *sechdrs,
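Review bot: The non-KERNEXEC fallbacks are object-like wrappers written two different ways: `module_alloc_exec(x)` expands its argument bare while `module_free_exec(x, y)` parenthesises both. Neither is type-checked. A `static inline` keeps the two configurations identical to callers, e.g. `static inline void *module_alloc_exec(unsigned long size) { return module_alloc(size); }`, and the same for the free side. The existing comment "Free memory returned from module_alloc" should also gain a counterpart saying that memory from module_alloc_exec() must be released with module_free_exec(). Under KERNEXEC the two allocators are presumably not interchangeable.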
65350diff -urNp linux-2.6.32.48/include/linux/moduleparam.h linux-2.6.32.48/include/linux/moduleparam.h
65351--- linux-2.6.32.48/include/linux/moduleparam.h 2011-11-08 19:02:43.000000000 -0500
65352+++ linux-2.6.32.48/include/linux/moduleparam.h 2011-11-15 19:59:43.000000000 -0500
65353@@ -132,7 +132,7 @@ struct kparam_array
65354
65355 /* Actually copy string: maxlen param is usually sizeof(string). */
65356 #define module_param_string(name, string, len, perm) \
65357- static const struct kparam_string __param_string_##name \
65358+ static const struct kparam_string __param_string_##name __used \
65359 = { len, string }; \
65360 __module_param_call(MODULE_PARAM_PREFIX, name, \
65361 param_set_copystring, param_get_string, \
65362@@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
65363
65364 /* Comma-separated array: *nump is set to number they actually specified. */
65365 #define module_param_array_named(name, array, type, nump, perm) \
65366- static const struct kparam_array __param_arr_##name \
65367+ static const struct kparam_array __param_arr_##name __used \
65368 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
65369 sizeof(array[0]), array }; \
65370 __module_param_call(MODULE_PARAM_PREFIX, name, \
65371diff -urNp linux-2.6.32.48/include/linux/mutex.h linux-2.6.32.48/include/linux/mutex.h
65372--- linux-2.6.32.48/include/linux/mutex.h 2011-11-08 19:02:43.000000000 -0500
65373+++ linux-2.6.32.48/include/linux/mutex.h 2011-11-15 19:59:43.000000000 -0500
65374@@ -51,7 +51,7 @@ struct mutex {
65375 spinlock_t wait_lock;
65376 struct list_head wait_list;
65377 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
65378- struct thread_info *owner;
65379+ struct task_struct *owner;
65380 #endif
65381 #ifdef CONFIG_DEBUG_MUTEXES
65382 const char *name;
65383diff -urNp linux-2.6.32.48/include/linux/namei.h linux-2.6.32.48/include/linux/namei.h
65384--- linux-2.6.32.48/include/linux/namei.h 2011-11-08 19:02:43.000000000 -0500
65385+++ linux-2.6.32.48/include/linux/namei.h 2011-11-15 19:59:43.000000000 -0500
65386@@ -22,7 +22,7 @@ struct nameidata {
65387 unsigned int flags;
65388 int last_type;
65389 unsigned depth;
65390- char *saved_names[MAX_NESTED_LINKS + 1];
65391+ const char *saved_names[MAX_NESTED_LINKS + 1];
65392
65393 /* Intent data */
65394 union {
65395@@ -84,12 +84,12 @@ extern int follow_up(struct path *);
65396 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
65397 extern void unlock_rename(struct dentry *, struct dentry *);
65398
65399-static inline void nd_set_link(struct nameidata *nd, char *path)
65400+static inline void nd_set_link(struct nameidata *nd, const char *path)
65401 {
65402 nd->saved_names[nd->depth] = path;
65403 }
65404
65405-static inline char *nd_get_link(struct nameidata *nd)
65406+static inline const char *nd_get_link(const struct nameidata *nd)
65407 {
65408 return nd->saved_names[nd->depth];
65409 }
65410diff -urNp linux-2.6.32.48/include/linux/netdevice.h linux-2.6.32.48/include/linux/netdevice.h
65411--- linux-2.6.32.48/include/linux/netdevice.h 2011-11-08 19:02:43.000000000 -0500
65412+++ linux-2.6.32.48/include/linux/netdevice.h 2011-11-15 19:59:43.000000000 -0500
65413@@ -637,6 +637,7 @@ struct net_device_ops {
65414 u16 xid);
65415 #endif
65416 };
65417+typedef struct net_device_ops __no_const net_device_ops_no_const;
65418
65419 /*
65420 * The DEVICE structure.
65421diff -urNp linux-2.6.32.48/include/linux/netfilter/xt_gradm.h linux-2.6.32.48/include/linux/netfilter/xt_gradm.h
65422--- linux-2.6.32.48/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
65423+++ linux-2.6.32.48/include/linux/netfilter/xt_gradm.h 2011-11-15 19:59:43.000000000 -0500
65424@@ -0,0 +1,9 @@
65425+#ifndef _LINUX_NETFILTER_XT_GRADM_H
65426+#define _LINUX_NETFILTER_XT_GRADM_H 1
65427+
65428+struct xt_gradm_mtinfo {
65429+ __u16 flags;
65430+ __u16 invflags;
65431+};
65432+
65433+#endif
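Review bot: The new header uses `__u16` for both members of `struct xt_gradm_mtinfo` but includes nothing, so it only compiles when the includer has already pulled in the type definitions. Add `#include <linux/types.h>` directly after the include guard so the header is self-contained. A one-line comment on what `flags` and `invflags` encode would also help, since no flag values are defined in this file.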
65434diff -urNp linux-2.6.32.48/include/linux/nodemask.h linux-2.6.32.48/include/linux/nodemask.h
65435--- linux-2.6.32.48/include/linux/nodemask.h 2011-11-08 19:02:43.000000000 -0500
65436+++ linux-2.6.32.48/include/linux/nodemask.h 2011-11-15 19:59:43.000000000 -0500
65437@@ -464,11 +464,11 @@ static inline int num_node_state(enum no
65438
65439 #define any_online_node(mask) \
65440 ({ \
65441- int node; \
65442- for_each_node_mask(node, (mask)) \
65443- if (node_online(node)) \
65444+ int __node; \
65445+ for_each_node_mask(__node, (mask)) \
65446+ if (node_online(__node)) \
65447 break; \
65448- node; \
65449+ __node; \
65450 })
65451
65452 #define num_online_nodes() num_node_state(N_ONLINE)
65453diff -urNp linux-2.6.32.48/include/linux/oprofile.h linux-2.6.32.48/include/linux/oprofile.h
65454--- linux-2.6.32.48/include/linux/oprofile.h 2011-11-08 19:02:43.000000000 -0500
65455+++ linux-2.6.32.48/include/linux/oprofile.h 2011-11-15 19:59:43.000000000 -0500
65456@@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
65457 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
65458 char const * name, ulong * val);
65459
65460-/** Create a file for read-only access to an atomic_t. */
65461+/** Create a file for read-only access to an atomic_unchecked_t. */
65462 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
65463- char const * name, atomic_t * val);
65464+ char const * name, atomic_unchecked_t * val);
65465
65466 /** create a directory */
65467 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
65468diff -urNp linux-2.6.32.48/include/linux/pagemap.h linux-2.6.32.48/include/linux/pagemap.h
65469--- linux-2.6.32.48/include/linux/pagemap.h 2011-11-08 19:02:43.000000000 -0500
65470+++ linux-2.6.32.48/include/linux/pagemap.h 2011-11-18 18:01:55.000000000 -0500
65471@@ -425,7 +425,9 @@ static inline int fault_in_pages_readabl
65472 if (((unsigned long)uaddr & PAGE_MASK) !=
65473 ((unsigned long)end & PAGE_MASK))
65474 ret = __get_user(c, end);
65475+ (void)c;
65476 }
65477+ (void)c;
65478 return ret;
65479 }
65480
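Review bot: The two added `(void)c;` statements carry no explanation, and the one inside the `if (ret == 0)` block looks redundant with the one just before `return ret;`, which every path through that block also reaches. If their purpose is to silence a set-but-unused warning for `c` (inferred; the declaration of `c` and the start of fault_in_pages_readable are above the hunk), keep only the outer one and say so: `(void)c; /* c is written only to force the access; silences the unused-but-set warning */`.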
65481diff -urNp linux-2.6.32.48/include/linux/perf_event.h linux-2.6.32.48/include/linux/perf_event.h
65482--- linux-2.6.32.48/include/linux/perf_event.h 2011-11-08 19:02:43.000000000 -0500
65483+++ linux-2.6.32.48/include/linux/perf_event.h 2011-11-15 19:59:43.000000000 -0500
65484@@ -476,7 +476,7 @@ struct hw_perf_event {
65485 struct hrtimer hrtimer;
65486 };
65487 };
65488- atomic64_t prev_count;
65489+ atomic64_unchecked_t prev_count;
65490 u64 sample_period;
65491 u64 last_period;
65492 atomic64_t period_left;
65493@@ -557,7 +557,7 @@ struct perf_event {
65494 const struct pmu *pmu;
65495
65496 enum perf_event_active_state state;
65497- atomic64_t count;
65498+ atomic64_unchecked_t count;
65499
65500 /*
65501 * These are the total time in nanoseconds that the event
65502@@ -595,8 +595,8 @@ struct perf_event {
65503 * These accumulate total time (in nanoseconds) that children
65504 * events have been enabled and running, respectively.
65505 */
65506- atomic64_t child_total_time_enabled;
65507- atomic64_t child_total_time_running;
65508+ atomic64_unchecked_t child_total_time_enabled;
65509+ atomic64_unchecked_t child_total_time_running;
65510
65511 /*
65512 * Protect attach/detach and child_list:
65513diff -urNp linux-2.6.32.48/include/linux/pipe_fs_i.h linux-2.6.32.48/include/linux/pipe_fs_i.h
65514--- linux-2.6.32.48/include/linux/pipe_fs_i.h 2011-11-08 19:02:43.000000000 -0500
65515+++ linux-2.6.32.48/include/linux/pipe_fs_i.h 2011-11-15 19:59:43.000000000 -0500
65516@@ -46,9 +46,9 @@ struct pipe_inode_info {
65517 wait_queue_head_t wait;
65518 unsigned int nrbufs, curbuf;
65519 struct page *tmp_page;
65520- unsigned int readers;
65521- unsigned int writers;
65522- unsigned int waiting_writers;
65523+ atomic_t readers;
65524+ atomic_t writers;
65525+ atomic_t waiting_writers;
65526 unsigned int r_counter;
65527 unsigned int w_counter;
65528 struct fasync_struct *fasync_readers;
65529diff -urNp linux-2.6.32.48/include/linux/poison.h linux-2.6.32.48/include/linux/poison.h
65530--- linux-2.6.32.48/include/linux/poison.h 2011-11-08 19:02:43.000000000 -0500
65531+++ linux-2.6.32.48/include/linux/poison.h 2011-11-15 19:59:43.000000000 -0500
65532@@ -19,8 +19,8 @@
65533 * under normal circumstances, used to verify that nobody uses
65534 * non-initialized list entries.
65535 */
65536-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
65537-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
65538+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
65539+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
65540
65541 /********** include/linux/timer.h **********/
65542 /*
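Review bot: `0xFFFFFF01` does not fit in `int`, so the literal has type `unsigned int` and the `(long)` cast zero-extends it on 64-bit builds: `LIST_POISON1` becomes 0x00000000FFFFFF01 there, not an address at the top of the address space as on 32-bit. The new definitions also drop `POISON_POINTER_DELTA`, so the per-architecture offset no longer applies to list poison. If the top-of-address-space value was intended for every word size, write `((void *)(long)(int)0xFFFFFF01)`. If the value just below 4 GiB is deliberate, add a comment naming the mechanism that keeps a dereference of it faulting on 64-bit, because nothing in this hunk shows one.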
65543diff -urNp linux-2.6.32.48/include/linux/posix-timers.h linux-2.6.32.48/include/linux/posix-timers.h
65544--- linux-2.6.32.48/include/linux/posix-timers.h 2011-11-08 19:02:43.000000000 -0500
65545+++ linux-2.6.32.48/include/linux/posix-timers.h 2011-11-15 19:59:43.000000000 -0500
65546@@ -67,7 +67,7 @@ struct k_itimer {
65547 };
65548
65549 struct k_clock {
65550- int res; /* in nanoseconds */
65551+ const int res; /* in nanoseconds */
65552 int (*clock_getres) (const clockid_t which_clock, struct timespec *tp);
65553 int (*clock_set) (const clockid_t which_clock, struct timespec * tp);
65554 int (*clock_get) (const clockid_t which_clock, struct timespec * tp);
65555diff -urNp linux-2.6.32.48/include/linux/preempt.h linux-2.6.32.48/include/linux/preempt.h
65556--- linux-2.6.32.48/include/linux/preempt.h 2011-11-08 19:02:43.000000000 -0500
65557+++ linux-2.6.32.48/include/linux/preempt.h 2011-11-15 19:59:43.000000000 -0500
65558@@ -110,7 +110,7 @@ struct preempt_ops {
65559 void (*sched_in)(struct preempt_notifier *notifier, int cpu);
65560 void (*sched_out)(struct preempt_notifier *notifier,
65561 struct task_struct *next);
65562-};
65563+} __no_const;
65564
65565 /**
65566 * preempt_notifier - key for installing preemption notifiers
65567diff -urNp linux-2.6.32.48/include/linux/proc_fs.h linux-2.6.32.48/include/linux/proc_fs.h
65568--- linux-2.6.32.48/include/linux/proc_fs.h 2011-11-08 19:02:43.000000000 -0500
65569+++ linux-2.6.32.48/include/linux/proc_fs.h 2011-11-15 19:59:43.000000000 -0500
65570@@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
65571 return proc_create_data(name, mode, parent, proc_fops, NULL);
65572 }
65573
65574+static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
65575+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
65576+{
65577+#ifdef CONFIG_GRKERNSEC_PROC_USER
65578+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
65579+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
65580+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
65581+#else
65582+ return proc_create_data(name, mode, parent, proc_fops, NULL);
65583+#endif
65584+}
65585+
65586+
65587 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
65588 mode_t mode, struct proc_dir_entry *base,
65589 read_proc_t *read_proc, void * data)
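Review bot: `proc_create_grsec()` silently ignores its `mode` argument when `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, replacing it with `S_IRUSR` or `S_IRUSR | S_IRGRP`, so a caller that passes write bits gets a read-only entry with no diagnostic. That is presumably the intent, but the helper has no comment; document it above the function, e.g. `/* Like proc_create(), but forced to owner-read (or owner+group-read) when /proc restrictions are configured; mode is honoured only otherwise. */`. The hunk also leaves two consecutive blank lines after the function.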
65590@@ -256,7 +269,7 @@ union proc_op {
65591 int (*proc_show)(struct seq_file *m,
65592 struct pid_namespace *ns, struct pid *pid,
65593 struct task_struct *task);
65594-};
65595+} __no_const;
65596
65597 struct ctl_table_header;
65598 struct ctl_table;
65599diff -urNp linux-2.6.32.48/include/linux/ptrace.h linux-2.6.32.48/include/linux/ptrace.h
65600--- linux-2.6.32.48/include/linux/ptrace.h 2011-11-08 19:02:43.000000000 -0500
65601+++ linux-2.6.32.48/include/linux/ptrace.h 2011-11-15 19:59:43.000000000 -0500
65602@@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
65603 extern void exit_ptrace(struct task_struct *tracer);
65604 #define PTRACE_MODE_READ 1
65605 #define PTRACE_MODE_ATTACH 2
65606-/* Returns 0 on success, -errno on denial. */
65607-extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
65608 /* Returns true on success, false on denial. */
65609 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
65610+/* Returns true on success, false on denial. */
65611+extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
65612
65613 static inline int ptrace_reparented(struct task_struct *child)
65614 {
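Review bot: `ptrace_may_access_log()` is added with a comment copied verbatim from `ptrace_may_access()`, so the header gives no way to tell when to call which. State the difference in its comment, for instance `/* As ptrace_may_access(), but a denial is also logged. */` if that is what the suffix means (the implementation is not in this hunk). The same hunk removes the `__ptrace_may_access()` declaration, so any caller that relied on its -errno return has to be converted to the bool-returning functions elsewhere in the patch.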
65615diff -urNp linux-2.6.32.48/include/linux/random.h linux-2.6.32.48/include/linux/random.h
65616--- linux-2.6.32.48/include/linux/random.h 2011-11-08 19:02:43.000000000 -0500
65617+++ linux-2.6.32.48/include/linux/random.h 2011-11-15 19:59:43.000000000 -0500
65618@@ -63,6 +63,11 @@ unsigned long randomize_range(unsigned l
65619 u32 random32(void);
65620 void srandom32(u32 seed);
65621
65622+static inline unsigned long pax_get_random_long(void)
65623+{
65624+ return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
65625+}
65626+
65627 #endif /* __KERNEL___ */
65628
65629 #endif /* _LINUX_RANDOM_H */
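Review bot: `pax_get_random_long()` builds its result from `random32()`, the general-purpose pseudo-random generator declared just above, and nothing here states that its output is unpredictable enough for the helper's callers. If the value feeds address-space randomization (inferred from the `pax_` prefix; no caller is visible), either draw from the entropy pool with `unsigned long r; get_random_bytes(&r, sizeof(r)); return r;` or add a comment justifying the weaker source. The `<< 32` operand is evaluated only when `sizeof(long) > 4`, but a 32-bit build may still warn about the shift count, so a comment noting that the branch is dead there would spare the next reader the check.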
65630diff -urNp linux-2.6.32.48/include/linux/reboot.h linux-2.6.32.48/include/linux/reboot.h
65631--- linux-2.6.32.48/include/linux/reboot.h 2011-11-08 19:02:43.000000000 -0500
65632+++ linux-2.6.32.48/include/linux/reboot.h 2011-11-15 19:59:43.000000000 -0500
65633@@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
65634 * Architecture-specific implementations of sys_reboot commands.
65635 */
65636
65637-extern void machine_restart(char *cmd);
65638-extern void machine_halt(void);
65639-extern void machine_power_off(void);
65640+extern void machine_restart(char *cmd) __noreturn;
65641+extern void machine_halt(void) __noreturn;
65642+extern void machine_power_off(void) __noreturn;
65643
65644 extern void machine_shutdown(void);
65645 struct pt_regs;
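Review bot: Behaviour is undefined if any architecture's `machine_restart()`, `machine_halt()` or `machine_power_off()` can return, because the `__noreturn` added here lets the compiler drop the code after each call. The same applies to `kernel_restart()`, `kernel_halt()`, `kernel_power_off()` and `emergency_restart()` in the next two hunks. The implementations are outside this header, and each one has to end in an infinite loop or another noreturn call before the attribute is safe. A comment at the declarations would record the contract: `/* must never return: callers are compiled without a return path */`.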
65646@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
65647 */
65648
65649 extern void kernel_restart_prepare(char *cmd);
65650-extern void kernel_restart(char *cmd);
65651-extern void kernel_halt(void);
65652-extern void kernel_power_off(void);
65653+extern void kernel_restart(char *cmd) __noreturn;
65654+extern void kernel_halt(void) __noreturn;
65655+extern void kernel_power_off(void) __noreturn;
65656
65657 void ctrl_alt_del(void);
65658
65659@@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
65660 * Emergency restart, callable from an interrupt handler.
65661 */
65662
65663-extern void emergency_restart(void);
65664+extern void emergency_restart(void) __noreturn;
65665 #include <asm/emergency-restart.h>
65666
65667 #endif
65668diff -urNp linux-2.6.32.48/include/linux/reiserfs_fs.h linux-2.6.32.48/include/linux/reiserfs_fs.h
65669--- linux-2.6.32.48/include/linux/reiserfs_fs.h 2011-11-08 19:02:43.000000000 -0500
65670+++ linux-2.6.32.48/include/linux/reiserfs_fs.h 2011-11-15 19:59:43.000000000 -0500
65671@@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
65672 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
65673
65674 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
65675-#define get_generation(s) atomic_read (&fs_generation(s))
65676+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
65677 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
65678 #define __fs_changed(gen,s) (gen != get_generation (s))
65679 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
65680@@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
65681 */
65682
65683 struct item_operations {
65684- int (*bytes_number) (struct item_head * ih, int block_size);
65685- void (*decrement_key) (struct cpu_key *);
65686- int (*is_left_mergeable) (struct reiserfs_key * ih,
65687+ int (* const bytes_number) (struct item_head * ih, int block_size);
65688+ void (* const decrement_key) (struct cpu_key *);
65689+ int (* const is_left_mergeable) (struct reiserfs_key * ih,
65690 unsigned long bsize);
65691- void (*print_item) (struct item_head *, char *item);
65692- void (*check_item) (struct item_head *, char *item);
65693+ void (* const print_item) (struct item_head *, char *item);
65694+ void (* const check_item) (struct item_head *, char *item);
65695
65696- int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
65697+ int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
65698 int is_affected, int insert_size);
65699- int (*check_left) (struct virtual_item * vi, int free,
65700+ int (* const check_left) (struct virtual_item * vi, int free,
65701 int start_skip, int end_skip);
65702- int (*check_right) (struct virtual_item * vi, int free);
65703- int (*part_size) (struct virtual_item * vi, int from, int to);
65704- int (*unit_num) (struct virtual_item * vi);
65705- void (*print_vi) (struct virtual_item * vi);
65706+ int (* const check_right) (struct virtual_item * vi, int free);
65707+ int (* const part_size) (struct virtual_item * vi, int from, int to);
65708+ int (* const unit_num) (struct virtual_item * vi);
65709+ void (* const print_vi) (struct virtual_item * vi);
65710 };
65711
65712-extern struct item_operations *item_ops[TYPE_ANY + 1];
65713+extern const struct item_operations * const item_ops[TYPE_ANY + 1];
65714
65715 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
65716 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
65717diff -urNp linux-2.6.32.48/include/linux/reiserfs_fs_sb.h linux-2.6.32.48/include/linux/reiserfs_fs_sb.h
65718--- linux-2.6.32.48/include/linux/reiserfs_fs_sb.h 2011-11-08 19:02:43.000000000 -0500
65719+++ linux-2.6.32.48/include/linux/reiserfs_fs_sb.h 2011-11-15 19:59:43.000000000 -0500
65720@@ -377,7 +377,7 @@ struct reiserfs_sb_info {
65721 /* Comment? -Hans */
65722 wait_queue_head_t s_wait;
65723 /* To be obsoleted soon by per buffer seals.. -Hans */
65724- atomic_t s_generation_counter; // increased by one every time the
65725+ atomic_unchecked_t s_generation_counter; // increased by one every time the
65726 // tree gets re-balanced
65727 unsigned long s_properties; /* File system properties. Currently holds
65728 on-disk FS format */
65729diff -urNp linux-2.6.32.48/include/linux/relay.h linux-2.6.32.48/include/linux/relay.h
65730--- linux-2.6.32.48/include/linux/relay.h 2011-11-08 19:02:43.000000000 -0500
65731+++ linux-2.6.32.48/include/linux/relay.h 2011-11-15 19:59:43.000000000 -0500
65732@@ -159,7 +159,7 @@ struct rchan_callbacks
65733 * The callback should return 0 if successful, negative if not.
65734 */
65735 int (*remove_buf_file)(struct dentry *dentry);
65736-};
65737+} __no_const;
65738
65739 /*
65740 * CONFIG_RELAY kernel API, kernel/relay.c
65741diff -urNp linux-2.6.32.48/include/linux/rfkill.h linux-2.6.32.48/include/linux/rfkill.h
65742--- linux-2.6.32.48/include/linux/rfkill.h 2011-11-08 19:02:43.000000000 -0500
65743+++ linux-2.6.32.48/include/linux/rfkill.h 2011-11-15 19:59:43.000000000 -0500
65744@@ -144,6 +144,7 @@ struct rfkill_ops {
65745 void (*query)(struct rfkill *rfkill, void *data);
65746 int (*set_block)(void *data, bool blocked);
65747 };
65748+typedef struct rfkill_ops __no_const rfkill_ops_no_const;
65749
65750 #if defined(CONFIG_RFKILL) || defined(CONFIG_RFKILL_MODULE)
65751 /**
65752diff -urNp linux-2.6.32.48/include/linux/sched.h linux-2.6.32.48/include/linux/sched.h
65753--- linux-2.6.32.48/include/linux/sched.h 2011-11-08 19:02:43.000000000 -0500
65754+++ linux-2.6.32.48/include/linux/sched.h 2011-11-18 18:01:52.000000000 -0500
65755@@ -101,6 +101,7 @@ struct bio;
65756 struct fs_struct;
65757 struct bts_context;
65758 struct perf_event_context;
65759+struct linux_binprm;
65760
65761 /*
65762 * List of flags we want to share for kernel threads,
65763@@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
65764 extern signed long schedule_timeout_uninterruptible(signed long timeout);
65765 asmlinkage void __schedule(void);
65766 asmlinkage void schedule(void);
65767-extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
65768+extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
65769
65770 struct nsproxy;
65771 struct user_namespace;
65772@@ -371,9 +372,12 @@ struct user_namespace;
65773 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
65774
65775 extern int sysctl_max_map_count;
65776+extern unsigned long sysctl_heap_stack_gap;
65777
65778 #include <linux/aio.h>
65779
65780+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
65781+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
65782 extern unsigned long
65783 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
65784 unsigned long, unsigned long);
65785@@ -666,6 +670,16 @@ struct signal_struct {
65786 struct tty_audit_buf *tty_audit_buf;
65787 #endif
65788
65789+#ifdef CONFIG_GRKERNSEC
65790+ u32 curr_ip;
65791+ u32 saved_ip;
65792+ u32 gr_saddr;
65793+ u32 gr_daddr;
65794+ u16 gr_sport;
65795+ u16 gr_dport;
65796+ u8 used_accept:1;
65797+#endif
65798+
65799 int oom_adj; /* OOM kill score adjustment (bit shift) */
65800 };
65801
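Review bot: The seven members added to `struct signal_struct` under `CONFIG_GRKERNSEC` have no comments, unlike the neighbouring fields. `curr_ip`, `saved_ip`, `gr_saddr` and `gr_daddr` are `u32`, which can hold an IPv4 address only, so what is stored for a non-IPv4 peer needs to be stated. Add one-line comments giving each field's meaning, the byte order of the addresses and the `u16` ports, and what serializes updates, since none of that can be read off the declarations.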
65802@@ -723,6 +737,11 @@ struct user_struct {
65803 struct key *session_keyring; /* UID's default session keyring */
65804 #endif
65805
65806+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
65807+ unsigned int banned;
65808+ unsigned long ban_expires;
65809+#endif
65810+
65811 /* Hash table maintenance information */
65812 struct hlist_node uidhash_node;
65813 uid_t uid;
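Review bot: `banned` and `ban_expires` are added to `struct user_struct` without comments, and `ban_expires` is a bare `unsigned long` whose unit (jiffies, seconds since boot, wall-clock seconds) cannot be told from the declaration. A wrong guess by a later user of the field changes how long a ban lasts, so record it, e.g. `unsigned long ban_expires; /* <unit>; ~0UL means <meaning> */` with the real unit and any sentinel filled in. `banned` is used as a flag as far as the name suggests; say whether values other than 0 and 1 occur.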
65814@@ -1328,8 +1347,8 @@ struct task_struct {
65815 struct list_head thread_group;
65816
65817 struct completion *vfork_done; /* for vfork() */
65818- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
65819- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65820+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
65821+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
65822
65823 cputime_t utime, stime, utimescaled, stimescaled;
65824 cputime_t gtime;
65825@@ -1343,16 +1362,6 @@ struct task_struct {
65826 struct task_cputime cputime_expires;
65827 struct list_head cpu_timers[3];
65828
65829-/* process credentials */
65830- const struct cred *real_cred; /* objective and real subjective task
65831- * credentials (COW) */
65832- const struct cred *cred; /* effective (overridable) subjective task
65833- * credentials (COW) */
65834- struct mutex cred_guard_mutex; /* guard against foreign influences on
65835- * credential calculations
65836- * (notably. ptrace) */
65837- struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65838-
65839 char comm[TASK_COMM_LEN]; /* executable name excluding path
65840 - access with [gs]et_task_comm (which lock
65841 it with task_lock())
65842@@ -1369,6 +1378,10 @@ struct task_struct {
65843 #endif
65844 /* CPU-specific state of this task */
65845 struct thread_struct thread;
65846+/* thread_info moved to task_struct */
65847+#ifdef CONFIG_X86
65848+ struct thread_info tinfo;
65849+#endif
65850 /* filesystem information */
65851 struct fs_struct *fs;
65852 /* open file information */
65853@@ -1436,6 +1449,15 @@ struct task_struct {
65854 int hardirq_context;
65855 int softirq_context;
65856 #endif
65857+
65858+/* process credentials */
65859+ const struct cred *real_cred; /* objective and real subjective task
65860+ * credentials (COW) */
65861+ struct mutex cred_guard_mutex; /* guard against foreign influences on
65862+ * credential calculations
65863+ * (notably. ptrace) */
65864+ struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
65865+
65866 #ifdef CONFIG_LOCKDEP
65867 # define MAX_LOCK_DEPTH 48UL
65868 u64 curr_chain_key;
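Review bot: The credential members of `struct task_struct` end up in two separate places with no comment saying the placement is deliberate: `real_cred`, `cred_guard_mutex` and `replacement_session_keyring` are re-added here, and `cred` alone is re-added after `backing_dev_info` in the next hunk, both after an earlier hunk removed them from their original position. A later cleanup could regroup them without noticing. If the separation is intentional (the reason is not visible in the diff), record it next to the fields, e.g. `/* kept apart from real_cred on purpose; do not regroup */`.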
65869@@ -1456,6 +1478,9 @@ struct task_struct {
65870
65871 struct backing_dev_info *backing_dev_info;
65872
65873+ const struct cred *cred; /* effective (overridable) subjective task
65874+ * credentials (COW) */
65875+
65876 struct io_context *io_context;
65877
65878 unsigned long ptrace_message;
65879@@ -1519,6 +1544,21 @@ struct task_struct {
65880 unsigned long default_timer_slack_ns;
65881
65882 struct list_head *scm_work_list;
65883+
65884+#ifdef CONFIG_GRKERNSEC
65885+ /* grsecurity */
65886+ struct dentry *gr_chroot_dentry;
65887+ struct acl_subject_label *acl;
65888+ struct acl_role_label *role;
65889+ struct file *exec_file;
65890+ u16 acl_role_id;
65891+ /* is this the task that authenticated to the special role */
65892+ u8 acl_sp_role;
65893+ u8 is_writable;
65894+ u8 brute;
65895+ u8 gr_is_chrooted;
65896+#endif
65897+
65898 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
65899 /* Index of current stored adress in ret_stack */
65900 int curr_ret_stack;
65901@@ -1542,6 +1582,57 @@ struct task_struct {
65902 #endif /* CONFIG_TRACING */
65903 };
65904
65905+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
65906+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
65907+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
65908+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
65909+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
65910+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
65911+
65912+#ifdef CONFIG_PAX_SOFTMODE
65913+extern int pax_softmode;
65914+#endif
65915+
65916+extern int pax_check_flags(unsigned long *);
65917+
65918+/* if tsk != current then task_lock must be held on it */
65919+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
65920+static inline unsigned long pax_get_flags(struct task_struct *tsk)
65921+{
65922+ if (likely(tsk->mm))
65923+ return tsk->mm->pax_flags;
65924+ else
65925+ return 0UL;
65926+}
65927+
65928+/* if tsk != current then task_lock must be held on it */
65929+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
65930+{
65931+ if (likely(tsk->mm)) {
65932+ tsk->mm->pax_flags = flags;
65933+ return 0;
65934+ }
65935+ return -EINVAL;
65936+}
65937+#endif
65938+
65939+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
65940+extern void pax_set_initial_flags(struct linux_binprm *bprm);
65941+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
65942+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
65943+#endif
65944+
65945+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
65946+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
65947+extern void pax_report_refcount_overflow(struct pt_regs *regs);
65948+extern NORET_TYPE void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type) ATTRIB_NORET;
65949+
65950+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
65951+extern void pax_track_stack(void);
65952+#else
65953+static inline void pax_track_stack(void) {}
65954+#endif
65955+
65956 /* Future-safe accessor for struct task_struct's cpus_allowed. */
65957 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
65958
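Review bot: The locking rule "if tsk != current then task_lock must be held on it" exists only as a comment, and its first copy sits above the `#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)` line, so it stays in the file even when `pax_get_flags()` is compiled out. Move it inside the `#if`, directly above `pax_get_flags()`. `pax_get_flags()` returns `0UL` for a task without an `mm`, which a caller cannot tell apart from a task with every flag cleared, and `pax_set_flags()` stores `flags` without consulting `pax_check_flags()` declared a few lines earlier. Document both, e.g. `/* returns 0 for tasks without an mm; flags must already have passed pax_check_flags() */` if that is the contract. The commented-out `MF_PAX_RANDEXEC` define should be removed or replaced by a comment reserving the bit.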
65959@@ -1740,7 +1831,7 @@ extern void thread_group_times(struct ta
65960 #define PF_DUMPCORE 0x00000200 /* dumped core */
65961 #define PF_SIGNALED 0x00000400 /* killed by a signal */
65962 #define PF_MEMALLOC 0x00000800 /* Allocating memory */
65963-#define PF_FLUSHER 0x00001000 /* responsible for disk writeback */
65964+#define PF_NPROC_EXCEEDED 0x00001000 /* set_user noticed that RLIMIT_NPROC was exceeded */
65965 #define PF_USED_MATH 0x00002000 /* if unset the fpu must be initialized before use */
65966 #define PF_FREEZING 0x00004000 /* freeze in progress. do not account to load */
65967 #define PF_NOFREEZE 0x00008000 /* this thread should not be frozen */
65968@@ -1978,7 +2069,9 @@ void yield(void);
65969 extern struct exec_domain default_exec_domain;
65970
65971 union thread_union {
65972+#ifndef CONFIG_X86
65973 struct thread_info thread_info;
65974+#endif
65975 unsigned long stack[THREAD_SIZE/sizeof(long)];
65976 };
65977
65978@@ -2011,6 +2104,7 @@ extern struct pid_namespace init_pid_ns;
65979 */
65980
65981 extern struct task_struct *find_task_by_vpid(pid_t nr);
65982+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
65983 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
65984 struct pid_namespace *ns);
65985
65986@@ -2155,7 +2249,7 @@ extern void __cleanup_sighand(struct sig
65987 extern void exit_itimers(struct signal_struct *);
65988 extern void flush_itimer_signals(void);
65989
65990-extern NORET_TYPE void do_group_exit(int);
65991+extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
65992
65993 extern void daemonize(const char *, ...);
65994 extern int allow_signal(int);
65995@@ -2284,13 +2378,17 @@ static inline unsigned long *end_of_stac
65996
65997 #endif
65998
65999-static inline int object_is_on_stack(void *obj)
66000+static inline int object_starts_on_stack(void *obj)
66001 {
66002- void *stack = task_stack_page(current);
66003+ const void *stack = task_stack_page(current);
66004
66005 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
66006 }
66007
66008+#ifdef CONFIG_PAX_USERCOPY
66009+extern int object_is_on_stack(const void *obj, unsigned long len);
66010+#endif
66011+
66012 extern void thread_info_cache_init(void);
66013
66014 #ifdef CONFIG_DEBUG_STACK_USAGE
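Review bot: After the rename, `object_starts_on_stack()` tests only the first byte of the object, while the name `object_is_on_stack` is reused for a two-argument function declared only under `CONFIG_PAX_USERCOPY`. Give both a comment so the difference is not left to the names: for example `/* true if obj points into current's stack; says nothing about where the object ends */` above the inline, and a description of the `int` return values above the extern declaration, whose meaning is not visible here. `obj` can be `const void *` in the inline as well, matching the new `const void *stack` and the extern prototype.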
66015diff -urNp linux-2.6.32.48/include/linux/screen_info.h linux-2.6.32.48/include/linux/screen_info.h
66016--- linux-2.6.32.48/include/linux/screen_info.h 2011-11-08 19:02:43.000000000 -0500
66017+++ linux-2.6.32.48/include/linux/screen_info.h 2011-11-15 19:59:43.000000000 -0500
66018@@ -42,7 +42,8 @@ struct screen_info {
66019 __u16 pages; /* 0x32 */
66020 __u16 vesa_attributes; /* 0x34 */
66021 __u32 capabilities; /* 0x36 */
66022- __u8 _reserved[6]; /* 0x3a */
66023+ __u16 vesapm_size; /* 0x3a */
66024+ __u8 _reserved[4]; /* 0x3c */
66025 } __attribute__((packed));
66026
66027 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
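Review bot: `vesapm_size` takes over two bytes of what was `_reserved`, and nothing in the hunk says who fills it. The struct is packed with byte offsets in its comments, which suggests a fixed layout populated by early boot code; any producer that predates this field will leave those bytes at whatever it wrote for the reserved area. Add a comment such as `__u16 vesapm_size; /* 0x3a, 0 when not provided */`, and make the consumer treat 0 as absent and bound the value before using it as a length (the consumer is not in this file).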
66028diff -urNp linux-2.6.32.48/include/linux/security.h linux-2.6.32.48/include/linux/security.h
66029--- linux-2.6.32.48/include/linux/security.h 2011-11-08 19:02:43.000000000 -0500
66030+++ linux-2.6.32.48/include/linux/security.h 2011-11-15 19:59:43.000000000 -0500
66031@@ -34,6 +34,7 @@
66032 #include <linux/key.h>
66033 #include <linux/xfrm.h>
66034 #include <linux/gfp.h>
66035+#include <linux/grsecurity.h>
66036 #include <net/flow.h>
66037
66038 /* Maximum number of letters for an LSM name string */
66039diff -urNp linux-2.6.32.48/include/linux/seq_file.h linux-2.6.32.48/include/linux/seq_file.h
66040--- linux-2.6.32.48/include/linux/seq_file.h 2011-11-08 19:02:43.000000000 -0500
66041+++ linux-2.6.32.48/include/linux/seq_file.h 2011-11-15 19:59:43.000000000 -0500
66042@@ -32,6 +32,7 @@ struct seq_operations {
66043 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
66044 int (*show) (struct seq_file *m, void *v);
66045 };
66046+typedef struct seq_operations __no_const seq_operations_no_const;
66047
66048 #define SEQ_SKIP 1
66049
66050diff -urNp linux-2.6.32.48/include/linux/shm.h linux-2.6.32.48/include/linux/shm.h
66051--- linux-2.6.32.48/include/linux/shm.h 2011-11-08 19:02:43.000000000 -0500
66052+++ linux-2.6.32.48/include/linux/shm.h 2011-11-15 19:59:43.000000000 -0500
66053@@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
66054 pid_t shm_cprid;
66055 pid_t shm_lprid;
66056 struct user_struct *mlock_user;
66057+#ifdef CONFIG_GRKERNSEC
66058+ time_t shm_createtime;
66059+ pid_t shm_lapid;
66060+#endif
66061 };
66062
66063 /* shm_mode upper byte flags */
66064diff -urNp linux-2.6.32.48/include/linux/skbuff.h linux-2.6.32.48/include/linux/skbuff.h
66065--- linux-2.6.32.48/include/linux/skbuff.h 2011-11-08 19:02:43.000000000 -0500
66066+++ linux-2.6.32.48/include/linux/skbuff.h 2011-11-15 19:59:43.000000000 -0500
66067@@ -14,6 +14,7 @@
66068 #ifndef _LINUX_SKBUFF_H
66069 #define _LINUX_SKBUFF_H
66070
66071+#include <linux/const.h>
66072 #include <linux/kernel.h>
66073 #include <linux/kmemcheck.h>
66074 #include <linux/compiler.h>
66075@@ -544,7 +545,7 @@ static inline union skb_shared_tx *skb_t
66076 */
66077 static inline int skb_queue_empty(const struct sk_buff_head *list)
66078 {
66079- return list->next == (struct sk_buff *)list;
66080+ return list->next == (const struct sk_buff *)list;
66081 }
66082
66083 /**
66084@@ -557,7 +558,7 @@ static inline int skb_queue_empty(const
66085 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
66086 const struct sk_buff *skb)
66087 {
66088- return (skb->next == (struct sk_buff *) list);
66089+ return (skb->next == (const struct sk_buff *) list);
66090 }
66091
66092 /**
66093@@ -570,7 +571,7 @@ static inline bool skb_queue_is_last(con
66094 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
66095 const struct sk_buff *skb)
66096 {
66097- return (skb->prev == (struct sk_buff *) list);
66098+ return (skb->prev == (const struct sk_buff *) list);
66099 }
66100
66101 /**
66102@@ -1367,7 +1368,7 @@ static inline int skb_network_offset(con
66103 * headroom, you should not reduce this.
66104 */
66105 #ifndef NET_SKB_PAD
66106-#define NET_SKB_PAD 32
66107+#define NET_SKB_PAD (_AC(32,UL))
66108 #endif
66109
66110 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
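Review bot: `_AC(32,UL)` changes the type of `NET_SKB_PAD` from `int` to `unsigned long` in C code, and the hunk does not mention it. Any expression that mixes it with a signed value is now evaluated unsigned, so a negative operand in a comparison becomes a large positive one, and type-checked `min()`/`max()` uses may start to warn. An architecture that predefines `NET_SKB_PAD` (the `#ifndef` allows it) keeps its own type. The users are outside this hunk and worth checking; a comment such as `/* unsigned long: do not compare against signed headroom deltas */` would flag the change.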
66111diff -urNp linux-2.6.32.48/include/linux/slab_def.h linux-2.6.32.48/include/linux/slab_def.h
66112--- linux-2.6.32.48/include/linux/slab_def.h 2011-11-08 19:02:43.000000000 -0500
66113+++ linux-2.6.32.48/include/linux/slab_def.h 2011-11-15 19:59:43.000000000 -0500
66114@@ -69,10 +69,10 @@ struct kmem_cache {
66115 unsigned long node_allocs;
66116 unsigned long node_frees;
66117 unsigned long node_overflow;
66118- atomic_t allochit;
66119- atomic_t allocmiss;
66120- atomic_t freehit;
66121- atomic_t freemiss;
66122+ atomic_unchecked_t allochit;
66123+ atomic_unchecked_t allocmiss;
66124+ atomic_unchecked_t freehit;
66125+ atomic_unchecked_t freemiss;
66126
66127 /*
66128 * If debugging is enabled, then the allocator can add additional
66129diff -urNp linux-2.6.32.48/include/linux/slab.h linux-2.6.32.48/include/linux/slab.h
66130--- linux-2.6.32.48/include/linux/slab.h 2011-11-08 19:02:43.000000000 -0500
66131+++ linux-2.6.32.48/include/linux/slab.h 2011-11-15 19:59:43.000000000 -0500
66132@@ -11,12 +11,20 @@
66133
66134 #include <linux/gfp.h>
66135 #include <linux/types.h>
66136+#include <linux/err.h>
66137
66138 /*
66139 * Flags to pass to kmem_cache_create().
66140 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
66141 */
66142 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
66143+
66144+#ifdef CONFIG_PAX_USERCOPY
66145+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
66146+#else
66147+#define SLAB_USERCOPY 0x00000000UL
66148+#endif
66149+
66150 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
66151 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
66152 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
66153@@ -82,10 +90,13 @@
66154 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
66155 * Both make kfree a no-op.
66156 */
66157-#define ZERO_SIZE_PTR ((void *)16)
66158+#define ZERO_SIZE_PTR \
66159+({ \
66160+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
66161+ (void *)(-MAX_ERRNO-1L); \
66162+})
66163
66164-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
66165- (unsigned long)ZERO_SIZE_PTR)
66166+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
66167
66168 /*
66169 * struct kmem_cache related prototypes
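Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` relies on unsigned wraparound and nothing in the hunk says so. Subtracting 1 turns NULL into ULONG_MAX, so the single `>=` compare is true for NULL and for every value from ZERO_SIZE_PTR to the top of the address space, which takes in the ERR_PTR range as well as the two values the macro name promises. The context comment still describes only NULL and ZERO_SIZE_PTR, so any caller that uses the macro to skip a free will now also skip error pointers; I would document that with `/* x - 1 wraps NULL to ULONG_MAX: true for NULL, ZERO_SIZE_PTR and the ERR_PTR range above it */`. ZERO_SIZE_PTR is also now a GNU statement expression, so it can no longer be used in a file-scope initializer or any other constant expression, which is worth stating next to the define.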
66170@@ -138,6 +149,7 @@ void * __must_check krealloc(const void
66171 void kfree(const void *);
66172 void kzfree(const void *);
66173 size_t ksize(const void *);
66174+void check_object_size(const void *ptr, unsigned long n, bool to);
66175
66176 /*
66177 * Allocator specific definitions. These are mainly used to establish optimized
66178@@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
66179
66180 void __init kmem_cache_init_late(void);
66181
66182+#define kmalloc(x, y) \
66183+({ \
66184+ void *___retval; \
66185+ intoverflow_t ___x = (intoverflow_t)x; \
66186+ if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
66187+ ___retval = NULL; \
66188+ else \
66189+ ___retval = kmalloc((size_t)___x, (y)); \
66190+ ___retval; \
66191+})
66192+
66193+#define kmalloc_node(x, y, z) \
66194+({ \
66195+ void *___retval; \
66196+ intoverflow_t ___x = (intoverflow_t)x; \
66197+ if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
66198+ ___retval = NULL; \
66199+ else \
66200+ ___retval = kmalloc_node((size_t)___x, (y), (z));\
66201+ ___retval; \
66202+})
66203+
66204+#define kzalloc(x, y) \
66205+({ \
66206+ void *___retval; \
66207+ intoverflow_t ___x = (intoverflow_t)x; \
66208+ if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
66209+ ___retval = NULL; \
66210+ else \
66211+ ___retval = kzalloc((size_t)___x, (y)); \
66212+ ___retval; \
66213+})
66214+
66215 #endif /* _LINUX_SLAB_H */
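Review bot: In the `kmalloc`, `kmalloc_node` and `kzalloc` wrappers the macro argument is cast without parentheses, `(intoverflow_t)x`, and the hunk has no comment saying whether that is intended. As written, the cast binds to the first operand of a size expression such as `n * sizeof(*p)`, so the product is evaluated in the wider type and the `___x > ULONG_MAX` test can see an overflow; rewriting it as `(intoverflow_t)(x)` would silently defeat the check. It also means a size that the caller has already parenthesised or stored in a variable is not checked at all. If that is the intent, I would put `/* x is deliberately not parenthesised: the cast widens the caller's size arithmetic */` above the first wrapper and state that limit; the seven `vmalloc*` wrappers added to include/linux/vmalloc.h have the same shape and need the same comment. `intoverflow_t` is defined outside this hunk, and the check can only fire where that type is wider than unsigned long.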
66216diff -urNp linux-2.6.32.48/include/linux/slub_def.h linux-2.6.32.48/include/linux/slub_def.h
66217--- linux-2.6.32.48/include/linux/slub_def.h 2011-11-08 19:02:43.000000000 -0500
66218+++ linux-2.6.32.48/include/linux/slub_def.h 2011-11-15 19:59:43.000000000 -0500
66219@@ -86,7 +86,7 @@ struct kmem_cache {
66220 struct kmem_cache_order_objects max;
66221 struct kmem_cache_order_objects min;
66222 gfp_t allocflags; /* gfp flags to use on each alloc */
66223- int refcount; /* Refcount for slab cache destroy */
66224+ atomic_t refcount; /* Refcount for slab cache destroy */
66225 void (*ctor)(void *);
66226 int inuse; /* Offset to metadata */
66227 int align; /* Alignment */
66228@@ -215,7 +215,7 @@ static __always_inline struct kmem_cache
66229 #endif
66230
66231 void *kmem_cache_alloc(struct kmem_cache *, gfp_t);
66232-void *__kmalloc(size_t size, gfp_t flags);
66233+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1);
66234
66235 #ifdef CONFIG_KMEMTRACE
66236 extern void *kmem_cache_alloc_notrace(struct kmem_cache *s, gfp_t gfpflags);
66237diff -urNp linux-2.6.32.48/include/linux/sonet.h linux-2.6.32.48/include/linux/sonet.h
66238--- linux-2.6.32.48/include/linux/sonet.h 2011-11-08 19:02:43.000000000 -0500
66239+++ linux-2.6.32.48/include/linux/sonet.h 2011-11-15 19:59:43.000000000 -0500
66240@@ -61,7 +61,7 @@ struct sonet_stats {
66241 #include <asm/atomic.h>
66242
66243 struct k_sonet_stats {
66244-#define __HANDLE_ITEM(i) atomic_t i
66245+#define __HANDLE_ITEM(i) atomic_unchecked_t i
66246 __SONET_ITEMS
66247 #undef __HANDLE_ITEM
66248 };
66249diff -urNp linux-2.6.32.48/include/linux/sunrpc/cache.h linux-2.6.32.48/include/linux/sunrpc/cache.h
66250--- linux-2.6.32.48/include/linux/sunrpc/cache.h 2011-11-08 19:02:43.000000000 -0500
66251+++ linux-2.6.32.48/include/linux/sunrpc/cache.h 2011-11-15 19:59:43.000000000 -0500
66252@@ -125,7 +125,7 @@ struct cache_detail {
66253 */
66254 struct cache_req {
66255 struct cache_deferred_req *(*defer)(struct cache_req *req);
66256-};
66257+} __no_const;
66258 /* this must be embedded in a deferred_request that is being
66259 * delayed awaiting cache-fill
66260 */
66261diff -urNp linux-2.6.32.48/include/linux/sunrpc/clnt.h linux-2.6.32.48/include/linux/sunrpc/clnt.h
66262--- linux-2.6.32.48/include/linux/sunrpc/clnt.h 2011-11-08 19:02:43.000000000 -0500
66263+++ linux-2.6.32.48/include/linux/sunrpc/clnt.h 2011-11-15 19:59:43.000000000 -0500
66264@@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
66265 {
66266 switch (sap->sa_family) {
66267 case AF_INET:
66268- return ntohs(((struct sockaddr_in *)sap)->sin_port);
66269+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
66270 case AF_INET6:
66271- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
66272+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
66273 }
66274 return 0;
66275 }
66276@@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
66277 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
66278 const struct sockaddr *src)
66279 {
66280- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
66281+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
66282 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
66283
66284 dsin->sin_family = ssin->sin_family;
66285@@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
66286 if (sa->sa_family != AF_INET6)
66287 return 0;
66288
66289- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
66290+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
66291 }
66292
66293 #endif /* __KERNEL__ */
66294diff -urNp linux-2.6.32.48/include/linux/sunrpc/svc_rdma.h linux-2.6.32.48/include/linux/sunrpc/svc_rdma.h
66295--- linux-2.6.32.48/include/linux/sunrpc/svc_rdma.h 2011-11-08 19:02:43.000000000 -0500
66296+++ linux-2.6.32.48/include/linux/sunrpc/svc_rdma.h 2011-11-15 19:59:43.000000000 -0500
66297@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
66298 extern unsigned int svcrdma_max_requests;
66299 extern unsigned int svcrdma_max_req_size;
66300
66301-extern atomic_t rdma_stat_recv;
66302-extern atomic_t rdma_stat_read;
66303-extern atomic_t rdma_stat_write;
66304-extern atomic_t rdma_stat_sq_starve;
66305-extern atomic_t rdma_stat_rq_starve;
66306-extern atomic_t rdma_stat_rq_poll;
66307-extern atomic_t rdma_stat_rq_prod;
66308-extern atomic_t rdma_stat_sq_poll;
66309-extern atomic_t rdma_stat_sq_prod;
66310+extern atomic_unchecked_t rdma_stat_recv;
66311+extern atomic_unchecked_t rdma_stat_read;
66312+extern atomic_unchecked_t rdma_stat_write;
66313+extern atomic_unchecked_t rdma_stat_sq_starve;
66314+extern atomic_unchecked_t rdma_stat_rq_starve;
66315+extern atomic_unchecked_t rdma_stat_rq_poll;
66316+extern atomic_unchecked_t rdma_stat_rq_prod;
66317+extern atomic_unchecked_t rdma_stat_sq_poll;
66318+extern atomic_unchecked_t rdma_stat_sq_prod;
66319
66320 #define RPCRDMA_VERSION 1
66321
66322diff -urNp linux-2.6.32.48/include/linux/suspend.h linux-2.6.32.48/include/linux/suspend.h
66323--- linux-2.6.32.48/include/linux/suspend.h 2011-11-08 19:02:43.000000000 -0500
66324+++ linux-2.6.32.48/include/linux/suspend.h 2011-11-15 19:59:43.000000000 -0500
66325@@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
66326 * which require special recovery actions in that situation.
66327 */
66328 struct platform_suspend_ops {
66329- int (*valid)(suspend_state_t state);
66330- int (*begin)(suspend_state_t state);
66331- int (*prepare)(void);
66332- int (*prepare_late)(void);
66333- int (*enter)(suspend_state_t state);
66334- void (*wake)(void);
66335- void (*finish)(void);
66336- void (*end)(void);
66337- void (*recover)(void);
66338+ int (* const valid)(suspend_state_t state);
66339+ int (* const begin)(suspend_state_t state);
66340+ int (* const prepare)(void);
66341+ int (* const prepare_late)(void);
66342+ int (* const enter)(suspend_state_t state);
66343+ void (* const wake)(void);
66344+ void (* const finish)(void);
66345+ void (* const end)(void);
66346+ void (* const recover)(void);
66347 };
66348
66349 #ifdef CONFIG_SUSPEND
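Review bot: Qualifying every member of `struct platform_suspend_ops` as `(* const …)` means an object of this type can only be filled in by its initializer; member assignment and whole-struct assignment no longer compile, and writing through a cast or memcpy is undefined behaviour. The struct's kernel-doc comment, which starts outside this hunk, does not mention this, so I would add a sentence to it such as `Instances must be fully initialised at definition; the callbacks cannot be changed afterwards.` The same applies to `struct platform_hibernation_ops` later in this file and to `struct sysfs_ops` in include/linux/sysfs.h. Platform code that selects callbacks at run time would need a non-const variant, like the `__no_const` typedefs this patch adds for the v4l2 ops.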
66350@@ -120,7 +120,7 @@ struct platform_suspend_ops {
66351 * suspend_set_ops - set platform dependent suspend operations
66352 * @ops: The new suspend operations to set.
66353 */
66354-extern void suspend_set_ops(struct platform_suspend_ops *ops);
66355+extern void suspend_set_ops(const struct platform_suspend_ops *ops);
66356 extern int suspend_valid_only_mem(suspend_state_t state);
66357
66358 /**
66359@@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
66360 #else /* !CONFIG_SUSPEND */
66361 #define suspend_valid_only_mem NULL
66362
66363-static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
66364+static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
66365 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
66366 #endif /* !CONFIG_SUSPEND */
66367
66368@@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
66369 * platforms which require special recovery actions in that situation.
66370 */
66371 struct platform_hibernation_ops {
66372- int (*begin)(void);
66373- void (*end)(void);
66374- int (*pre_snapshot)(void);
66375- void (*finish)(void);
66376- int (*prepare)(void);
66377- int (*enter)(void);
66378- void (*leave)(void);
66379- int (*pre_restore)(void);
66380- void (*restore_cleanup)(void);
66381- void (*recover)(void);
66382+ int (* const begin)(void);
66383+ void (* const end)(void);
66384+ int (* const pre_snapshot)(void);
66385+ void (* const finish)(void);
66386+ int (* const prepare)(void);
66387+ int (* const enter)(void);
66388+ void (* const leave)(void);
66389+ int (* const pre_restore)(void);
66390+ void (* const restore_cleanup)(void);
66391+ void (* const recover)(void);
66392 };
66393
66394 #ifdef CONFIG_HIBERNATION
66395@@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
66396 extern void swsusp_unset_page_free(struct page *);
66397 extern unsigned long get_safe_page(gfp_t gfp_mask);
66398
66399-extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
66400+extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
66401 extern int hibernate(void);
66402 extern bool system_entering_hibernation(void);
66403 #else /* CONFIG_HIBERNATION */
66404@@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
66405 static inline void swsusp_set_page_free(struct page *p) {}
66406 static inline void swsusp_unset_page_free(struct page *p) {}
66407
66408-static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
66409+static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
66410 static inline int hibernate(void) { return -ENOSYS; }
66411 static inline bool system_entering_hibernation(void) { return false; }
66412 #endif /* CONFIG_HIBERNATION */
66413diff -urNp linux-2.6.32.48/include/linux/sysctl.h linux-2.6.32.48/include/linux/sysctl.h
66414--- linux-2.6.32.48/include/linux/sysctl.h 2011-11-08 19:02:43.000000000 -0500
66415+++ linux-2.6.32.48/include/linux/sysctl.h 2011-11-15 19:59:43.000000000 -0500
66416@@ -164,7 +164,11 @@ enum
66417 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
66418 };
66419
66420-
66421+#ifdef CONFIG_PAX_SOFTMODE
66422+enum {
66423+ PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
66424+};
66425+#endif
66426
66427 /* CTL_VM names: */
66428 enum
66429@@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
66430
66431 extern int proc_dostring(struct ctl_table *, int,
66432 void __user *, size_t *, loff_t *);
66433+extern int proc_dostring_modpriv(struct ctl_table *, int,
66434+ void __user *, size_t *, loff_t *);
66435 extern int proc_dointvec(struct ctl_table *, int,
66436 void __user *, size_t *, loff_t *);
66437 extern int proc_dointvec_minmax(struct ctl_table *, int,
66438@@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
66439
66440 extern ctl_handler sysctl_data;
66441 extern ctl_handler sysctl_string;
66442+extern ctl_handler sysctl_string_modpriv;
66443 extern ctl_handler sysctl_intvec;
66444 extern ctl_handler sysctl_jiffies;
66445 extern ctl_handler sysctl_ms_jiffies;
66446diff -urNp linux-2.6.32.48/include/linux/sysfs.h linux-2.6.32.48/include/linux/sysfs.h
66447--- linux-2.6.32.48/include/linux/sysfs.h 2011-11-08 19:02:43.000000000 -0500
66448+++ linux-2.6.32.48/include/linux/sysfs.h 2011-11-15 19:59:43.000000000 -0500
66449@@ -75,8 +75,8 @@ struct bin_attribute {
66450 };
66451
66452 struct sysfs_ops {
66453- ssize_t (*show)(struct kobject *, struct attribute *,char *);
66454- ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
66455+ ssize_t (* const show)(struct kobject *, struct attribute *,char *);
66456+ ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
66457 };
66458
66459 struct sysfs_dirent;
66460diff -urNp linux-2.6.32.48/include/linux/thread_info.h linux-2.6.32.48/include/linux/thread_info.h
66461--- linux-2.6.32.48/include/linux/thread_info.h 2011-11-08 19:02:43.000000000 -0500
66462+++ linux-2.6.32.48/include/linux/thread_info.h 2011-11-15 19:59:43.000000000 -0500
66463@@ -23,7 +23,7 @@ struct restart_block {
66464 };
66465 /* For futex_wait and futex_wait_requeue_pi */
66466 struct {
66467- u32 *uaddr;
66468+ u32 __user *uaddr;
66469 u32 val;
66470 u32 flags;
66471 u32 bitset;
66472diff -urNp linux-2.6.32.48/include/linux/tty.h linux-2.6.32.48/include/linux/tty.h
66473--- linux-2.6.32.48/include/linux/tty.h 2011-11-08 19:02:43.000000000 -0500
66474+++ linux-2.6.32.48/include/linux/tty.h 2011-11-15 19:59:43.000000000 -0500
66475@@ -493,7 +493,6 @@ extern void tty_ldisc_begin(void);
66476 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
66477 extern void tty_ldisc_enable(struct tty_struct *tty);
66478
66479-
66480 /* n_tty.c */
66481 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
66482
66483diff -urNp linux-2.6.32.48/include/linux/tty_ldisc.h linux-2.6.32.48/include/linux/tty_ldisc.h
66484--- linux-2.6.32.48/include/linux/tty_ldisc.h 2011-11-08 19:02:43.000000000 -0500
66485+++ linux-2.6.32.48/include/linux/tty_ldisc.h 2011-11-15 19:59:43.000000000 -0500
66486@@ -139,7 +139,7 @@ struct tty_ldisc_ops {
66487
66488 struct module *owner;
66489
66490- int refcount;
66491+ atomic_t refcount;
66492 };
66493
66494 struct tty_ldisc {
66495diff -urNp linux-2.6.32.48/include/linux/types.h linux-2.6.32.48/include/linux/types.h
66496--- linux-2.6.32.48/include/linux/types.h 2011-11-08 19:02:43.000000000 -0500
66497+++ linux-2.6.32.48/include/linux/types.h 2011-11-15 19:59:43.000000000 -0500
66498@@ -191,10 +191,26 @@ typedef struct {
66499 volatile int counter;
66500 } atomic_t;
66501
66502+#ifdef CONFIG_PAX_REFCOUNT
66503+typedef struct {
66504+ volatile int counter;
66505+} atomic_unchecked_t;
66506+#else
66507+typedef atomic_t atomic_unchecked_t;
66508+#endif
66509+
66510 #ifdef CONFIG_64BIT
66511 typedef struct {
66512 volatile long counter;
66513 } atomic64_t;
66514+
66515+#ifdef CONFIG_PAX_REFCOUNT
66516+typedef struct {
66517+ volatile long counter;
66518+} atomic64_unchecked_t;
66519+#else
66520+typedef atomic64_t atomic64_unchecked_t;
66521+#endif
66522 #endif
66523
66524 struct ustat {
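Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced with no comment saying when the unchecked type may be used. Elsewhere in this patch it is applied to statistics and id counters (`allochit`, `rdma_stat_*`, `vm_stat`, `flow_cache_genid`), while fields named `refcnt` keep `atomic_t`, so the rule appears to be "unchecked only where wrap-around is harmless", and reviewers need that written down to audit each conversion. I would put it above the typedef, e.g. `/* for counters where wrap-around is harmless (statistics, sequence numbers); never for reference counts */`. In the build without CONFIG_PAX_REFCOUNT the plain typedef alias lets the two types mix silently, so a wrong choice is only caught by the compiler when the option is enabled.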
66525diff -urNp linux-2.6.32.48/include/linux/uaccess.h linux-2.6.32.48/include/linux/uaccess.h
66526--- linux-2.6.32.48/include/linux/uaccess.h 2011-11-08 19:02:43.000000000 -0500
66527+++ linux-2.6.32.48/include/linux/uaccess.h 2011-11-15 19:59:43.000000000 -0500
66528@@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
66529 long ret; \
66530 mm_segment_t old_fs = get_fs(); \
66531 \
66532- set_fs(KERNEL_DS); \
66533 pagefault_disable(); \
66534- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
66535- pagefault_enable(); \
66536+ set_fs(KERNEL_DS); \
66537+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
66538 set_fs(old_fs); \
66539+ pagefault_enable(); \
66540 ret; \
66541 })
66542
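Review bot: The reordering in this macro is not explained: `set_fs(KERNEL_DS)` now follows `pagefault_disable()` and `set_fs(old_fs)` precedes `pagefault_enable()`, so the widened address limit is held strictly inside the pagefault-disabled region. If that nesting is the intent, a one-line comment such as `/* keep the KERNEL_DS window inside pagefault_disable()/pagefault_enable() */` would stop a later cleanup from swapping the calls back. The macro's opening lines are outside this hunk, and `__force_user` is defined elsewhere in the patch, so it is not possible to confirm from here that it carries the same `__force` and `__user` annotations as the cast it replaces.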
66543@@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
66544 * Safely read from address @src to the buffer at @dst. If a kernel fault
66545 * happens, handle that and return -EFAULT.
66546 */
66547-extern long probe_kernel_read(void *dst, void *src, size_t size);
66548+extern long probe_kernel_read(void *dst, const void *src, size_t size);
66549
66550 /*
66551 * probe_kernel_write(): safely attempt to write to a location
66552@@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
66553 * Safely write to address @dst from the buffer at @src. If a kernel fault
66554 * happens, handle that and return -EFAULT.
66555 */
66556-extern long probe_kernel_write(void *dst, void *src, size_t size);
66557+extern long probe_kernel_write(void *dst, const void *src, size_t size);
66558
66559 #endif /* __LINUX_UACCESS_H__ */
66560diff -urNp linux-2.6.32.48/include/linux/unaligned/access_ok.h linux-2.6.32.48/include/linux/unaligned/access_ok.h
66561--- linux-2.6.32.48/include/linux/unaligned/access_ok.h 2011-11-08 19:02:43.000000000 -0500
66562+++ linux-2.6.32.48/include/linux/unaligned/access_ok.h 2011-11-15 19:59:43.000000000 -0500
66563@@ -6,32 +6,32 @@
66564
66565 static inline u16 get_unaligned_le16(const void *p)
66566 {
66567- return le16_to_cpup((__le16 *)p);
66568+ return le16_to_cpup((const __le16 *)p);
66569 }
66570
66571 static inline u32 get_unaligned_le32(const void *p)
66572 {
66573- return le32_to_cpup((__le32 *)p);
66574+ return le32_to_cpup((const __le32 *)p);
66575 }
66576
66577 static inline u64 get_unaligned_le64(const void *p)
66578 {
66579- return le64_to_cpup((__le64 *)p);
66580+ return le64_to_cpup((const __le64 *)p);
66581 }
66582
66583 static inline u16 get_unaligned_be16(const void *p)
66584 {
66585- return be16_to_cpup((__be16 *)p);
66586+ return be16_to_cpup((const __be16 *)p);
66587 }
66588
66589 static inline u32 get_unaligned_be32(const void *p)
66590 {
66591- return be32_to_cpup((__be32 *)p);
66592+ return be32_to_cpup((const __be32 *)p);
66593 }
66594
66595 static inline u64 get_unaligned_be64(const void *p)
66596 {
66597- return be64_to_cpup((__be64 *)p);
66598+ return be64_to_cpup((const __be64 *)p);
66599 }
66600
66601 static inline void put_unaligned_le16(u16 val, void *p)
66602diff -urNp linux-2.6.32.48/include/linux/vermagic.h linux-2.6.32.48/include/linux/vermagic.h
66603--- linux-2.6.32.48/include/linux/vermagic.h 2011-11-08 19:02:43.000000000 -0500
66604+++ linux-2.6.32.48/include/linux/vermagic.h 2011-11-18 18:09:44.000000000 -0500
66605@@ -26,9 +26,35 @@
66606 #define MODULE_ARCH_VERMAGIC ""
66607 #endif
66608
66609+#ifdef CONFIG_PAX_REFCOUNT
66610+#define MODULE_PAX_REFCOUNT "REFCOUNT "
66611+#else
66612+#define MODULE_PAX_REFCOUNT ""
66613+#endif
66614+
66615+#ifdef CONSTIFY_PLUGIN
66616+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
66617+#else
66618+#define MODULE_CONSTIFY_PLUGIN ""
66619+#endif
66620+
66621+#ifdef STACKLEAK_PLUGIN
66622+#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
66623+#else
66624+#define MODULE_STACKLEAK_PLUGIN ""
66625+#endif
66626+
66627+#ifdef CONFIG_GRKERNSEC
66628+#define MODULE_GRSEC "GRSEC "
66629+#else
66630+#define MODULE_GRSEC ""
66631+#endif
66632+
66633 #define VERMAGIC_STRING \
66634 UTS_RELEASE " " \
66635 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
66636 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
66637- MODULE_ARCH_VERMAGIC
66638+ MODULE_ARCH_VERMAGIC \
66639+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
66640+ MODULE_GRSEC
66641
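Review bot: `CONSTIFY_PLUGIN` and `STACKLEAK_PLUGIN` are tested with `#ifdef` but, unlike `CONFIG_PAX_REFCOUNT` and `CONFIG_GRKERNSEC`, they are not Kconfig symbols, so they have to reach this header from the compiler command line, and nothing in the hunk says where they are defined. A module compiled without the same definitions gets a different vermagic string, which is presumably the purpose, but it deserves a comment such as `/* defined by the build when the gcc plugin is enabled; modules must be built with the same plugins */`. It would also help to say why only these four features are encoded, since other options in this patch (CONFIG_PAX_USERCOPY, for example) are not.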
66642diff -urNp linux-2.6.32.48/include/linux/vmalloc.h linux-2.6.32.48/include/linux/vmalloc.h
66643--- linux-2.6.32.48/include/linux/vmalloc.h 2011-11-08 19:02:43.000000000 -0500
66644+++ linux-2.6.32.48/include/linux/vmalloc.h 2011-11-15 19:59:43.000000000 -0500
66645@@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
66646 #define VM_MAP 0x00000004 /* vmap()ed pages */
66647 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
66648 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
66649+
66650+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
66651+#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
66652+#endif
66653+
66654 /* bits [20..32] reserved for arch specific ioremap internals */
66655
66656 /*
66657@@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
66658
66659 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
66660
66661+#define vmalloc(x) \
66662+({ \
66663+ void *___retval; \
66664+ intoverflow_t ___x = (intoverflow_t)x; \
66665+ if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
66666+ ___retval = NULL; \
66667+ else \
66668+ ___retval = vmalloc((unsigned long)___x); \
66669+ ___retval; \
66670+})
66671+
66672+#define __vmalloc(x, y, z) \
66673+({ \
66674+ void *___retval; \
66675+ intoverflow_t ___x = (intoverflow_t)x; \
66676+ if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
66677+ ___retval = NULL; \
66678+ else \
66679+ ___retval = __vmalloc((unsigned long)___x, (y), (z));\
66680+ ___retval; \
66681+})
66682+
66683+#define vmalloc_user(x) \
66684+({ \
66685+ void *___retval; \
66686+ intoverflow_t ___x = (intoverflow_t)x; \
66687+ if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
66688+ ___retval = NULL; \
66689+ else \
66690+ ___retval = vmalloc_user((unsigned long)___x); \
66691+ ___retval; \
66692+})
66693+
66694+#define vmalloc_exec(x) \
66695+({ \
66696+ void *___retval; \
66697+ intoverflow_t ___x = (intoverflow_t)x; \
66698+ if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
66699+ ___retval = NULL; \
66700+ else \
66701+ ___retval = vmalloc_exec((unsigned long)___x); \
66702+ ___retval; \
66703+})
66704+
66705+#define vmalloc_node(x, y) \
66706+({ \
66707+ void *___retval; \
66708+ intoverflow_t ___x = (intoverflow_t)x; \
66709+ if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
66710+ ___retval = NULL; \
66711+ else \
66712+ ___retval = vmalloc_node((unsigned long)___x, (y));\
66713+ ___retval; \
66714+})
66715+
66716+#define vmalloc_32(x) \
66717+({ \
66718+ void *___retval; \
66719+ intoverflow_t ___x = (intoverflow_t)x; \
66720+ if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
66721+ ___retval = NULL; \
66722+ else \
66723+ ___retval = vmalloc_32((unsigned long)___x); \
66724+ ___retval; \
66725+})
66726+
66727+#define vmalloc_32_user(x) \
66728+({ \
66729+ void *___retval; \
66730+ intoverflow_t ___x = (intoverflow_t)x; \
66731+ if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
66732+ ___retval = NULL; \
66733+ else \
66734+ ___retval = vmalloc_32_user((unsigned long)___x);\
66735+ ___retval; \
66736+})
66737+
66738 #endif /* _LINUX_VMALLOC_H */
66739diff -urNp linux-2.6.32.48/include/linux/vmstat.h linux-2.6.32.48/include/linux/vmstat.h
66740--- linux-2.6.32.48/include/linux/vmstat.h 2011-11-08 19:02:43.000000000 -0500
66741+++ linux-2.6.32.48/include/linux/vmstat.h 2011-11-15 19:59:43.000000000 -0500
66742@@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
66743 /*
66744 * Zone based page accounting with per cpu differentials.
66745 */
66746-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66747+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66748
66749 static inline void zone_page_state_add(long x, struct zone *zone,
66750 enum zone_stat_item item)
66751 {
66752- atomic_long_add(x, &zone->vm_stat[item]);
66753- atomic_long_add(x, &vm_stat[item]);
66754+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
66755+ atomic_long_add_unchecked(x, &vm_stat[item]);
66756 }
66757
66758 static inline unsigned long global_page_state(enum zone_stat_item item)
66759 {
66760- long x = atomic_long_read(&vm_stat[item]);
66761+ long x = atomic_long_read_unchecked(&vm_stat[item]);
66762 #ifdef CONFIG_SMP
66763 if (x < 0)
66764 x = 0;
66765@@ -158,7 +158,7 @@ static inline unsigned long global_page_
66766 static inline unsigned long zone_page_state(struct zone *zone,
66767 enum zone_stat_item item)
66768 {
66769- long x = atomic_long_read(&zone->vm_stat[item]);
66770+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66771 #ifdef CONFIG_SMP
66772 if (x < 0)
66773 x = 0;
66774@@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
66775 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
66776 enum zone_stat_item item)
66777 {
66778- long x = atomic_long_read(&zone->vm_stat[item]);
66779+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
66780
66781 #ifdef CONFIG_SMP
66782 int cpu;
66783@@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
66784
66785 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
66786 {
66787- atomic_long_inc(&zone->vm_stat[item]);
66788- atomic_long_inc(&vm_stat[item]);
66789+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
66790+ atomic_long_inc_unchecked(&vm_stat[item]);
66791 }
66792
66793 static inline void __inc_zone_page_state(struct page *page,
66794@@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
66795
66796 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
66797 {
66798- atomic_long_dec(&zone->vm_stat[item]);
66799- atomic_long_dec(&vm_stat[item]);
66800+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
66801+ atomic_long_dec_unchecked(&vm_stat[item]);
66802 }
66803
66804 static inline void __dec_zone_page_state(struct page *page,
66805diff -urNp linux-2.6.32.48/include/media/saa7146_vv.h linux-2.6.32.48/include/media/saa7146_vv.h
66806--- linux-2.6.32.48/include/media/saa7146_vv.h 2011-11-08 19:02:43.000000000 -0500
66807+++ linux-2.6.32.48/include/media/saa7146_vv.h 2011-11-15 19:59:43.000000000 -0500
66808@@ -167,7 +167,7 @@ struct saa7146_ext_vv
66809 int (*std_callback)(struct saa7146_dev*, struct saa7146_standard *);
66810
66811 /* the extension can override this */
66812- struct v4l2_ioctl_ops ops;
66813+ v4l2_ioctl_ops_no_const ops;
66814 /* pointer to the saa7146 core ops */
66815 const struct v4l2_ioctl_ops *core_ops;
66816
66817diff -urNp linux-2.6.32.48/include/media/v4l2-dev.h linux-2.6.32.48/include/media/v4l2-dev.h
66818--- linux-2.6.32.48/include/media/v4l2-dev.h 2011-11-08 19:02:43.000000000 -0500
66819+++ linux-2.6.32.48/include/media/v4l2-dev.h 2011-11-15 19:59:43.000000000 -0500
66820@@ -34,7 +34,7 @@ struct v4l2_device;
66821 #define V4L2_FL_UNREGISTERED (0)
66822
66823 struct v4l2_file_operations {
66824- struct module *owner;
66825+ struct module * const owner;
66826 ssize_t (*read) (struct file *, char __user *, size_t, loff_t *);
66827 ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *);
66828 unsigned int (*poll) (struct file *, struct poll_table_struct *);
66829@@ -46,6 +46,7 @@ struct v4l2_file_operations {
66830 int (*open) (struct file *);
66831 int (*release) (struct file *);
66832 };
66833+typedef struct v4l2_file_operations __no_const v4l2_file_operations_no_const;
66834
66835 /*
66836 * Newer version of video_device, handled by videodev2.c
66837diff -urNp linux-2.6.32.48/include/media/v4l2-device.h linux-2.6.32.48/include/media/v4l2-device.h
66838--- linux-2.6.32.48/include/media/v4l2-device.h 2011-11-08 19:02:43.000000000 -0500
66839+++ linux-2.6.32.48/include/media/v4l2-device.h 2011-11-15 19:59:43.000000000 -0500
66840@@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
66841 this function returns 0. If the name ends with a digit (e.g. cx18),
66842 then the name will be set to cx18-0 since cx180 looks really odd. */
66843 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
66844- atomic_t *instance);
66845+ atomic_unchecked_t *instance);
66846
66847 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
66848 Since the parent disappears this ensures that v4l2_dev doesn't have an
66849diff -urNp linux-2.6.32.48/include/media/v4l2-ioctl.h linux-2.6.32.48/include/media/v4l2-ioctl.h
66850--- linux-2.6.32.48/include/media/v4l2-ioctl.h 2011-11-08 19:02:43.000000000 -0500
66851+++ linux-2.6.32.48/include/media/v4l2-ioctl.h 2011-11-15 19:59:43.000000000 -0500
66852@@ -243,6 +243,7 @@ struct v4l2_ioctl_ops {
66853 long (*vidioc_default) (struct file *file, void *fh,
66854 int cmd, void *arg);
66855 };
66856+typedef struct v4l2_ioctl_ops __no_const v4l2_ioctl_ops_no_const;
66857
66858
66859 /* v4l debugging and diagnostics */
66860diff -urNp linux-2.6.32.48/include/net/flow.h linux-2.6.32.48/include/net/flow.h
66861--- linux-2.6.32.48/include/net/flow.h 2011-11-08 19:02:43.000000000 -0500
66862+++ linux-2.6.32.48/include/net/flow.h 2011-11-15 19:59:43.000000000 -0500
66863@@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
66864 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
66865 u8 dir, flow_resolve_t resolver);
66866 extern void flow_cache_flush(void);
66867-extern atomic_t flow_cache_genid;
66868+extern atomic_unchecked_t flow_cache_genid;
66869
66870 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
66871 {
66872diff -urNp linux-2.6.32.48/include/net/inetpeer.h linux-2.6.32.48/include/net/inetpeer.h
66873--- linux-2.6.32.48/include/net/inetpeer.h 2011-11-08 19:02:43.000000000 -0500
66874+++ linux-2.6.32.48/include/net/inetpeer.h 2011-11-15 19:59:43.000000000 -0500
66875@@ -24,7 +24,7 @@ struct inet_peer
66876 __u32 dtime; /* the time of last use of not
66877 * referenced entries */
66878 atomic_t refcnt;
66879- atomic_t rid; /* Frag reception counter */
66880+ atomic_unchecked_t rid; /* Frag reception counter */
66881 __u32 tcp_ts;
66882 unsigned long tcp_ts_stamp;
66883 };
66884diff -urNp linux-2.6.32.48/include/net/ip_vs.h linux-2.6.32.48/include/net/ip_vs.h
66885--- linux-2.6.32.48/include/net/ip_vs.h 2011-11-08 19:02:43.000000000 -0500
66886+++ linux-2.6.32.48/include/net/ip_vs.h 2011-11-15 19:59:43.000000000 -0500
66887@@ -365,7 +365,7 @@ struct ip_vs_conn {
66888 struct ip_vs_conn *control; /* Master control connection */
66889 atomic_t n_control; /* Number of controlled ones */
66890 struct ip_vs_dest *dest; /* real server */
66891- atomic_t in_pkts; /* incoming packet counter */
66892+ atomic_unchecked_t in_pkts; /* incoming packet counter */
66893
66894 /* packet transmitter for different forwarding methods. If it
66895 mangles the packet, it must return NF_DROP or better NF_STOLEN,
66896@@ -466,7 +466,7 @@ struct ip_vs_dest {
66897 union nf_inet_addr addr; /* IP address of the server */
66898 __be16 port; /* port number of the server */
66899 volatile unsigned flags; /* dest status flags */
66900- atomic_t conn_flags; /* flags to copy to conn */
66901+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
66902 atomic_t weight; /* server weight */
66903
66904 atomic_t refcnt; /* reference counter */
66905diff -urNp linux-2.6.32.48/include/net/irda/ircomm_core.h linux-2.6.32.48/include/net/irda/ircomm_core.h
66906--- linux-2.6.32.48/include/net/irda/ircomm_core.h 2011-11-08 19:02:43.000000000 -0500
66907+++ linux-2.6.32.48/include/net/irda/ircomm_core.h 2011-11-15 19:59:43.000000000 -0500
66908@@ -51,7 +51,7 @@ typedef struct {
66909 int (*connect_response)(struct ircomm_cb *, struct sk_buff *);
66910 int (*disconnect_request)(struct ircomm_cb *, struct sk_buff *,
66911 struct ircomm_info *);
66912-} call_t;
66913+} __no_const call_t;
66914
66915 struct ircomm_cb {
66916 irda_queue_t queue;
66917diff -urNp linux-2.6.32.48/include/net/irda/ircomm_tty.h linux-2.6.32.48/include/net/irda/ircomm_tty.h
66918--- linux-2.6.32.48/include/net/irda/ircomm_tty.h 2011-11-08 19:02:43.000000000 -0500
66919+++ linux-2.6.32.48/include/net/irda/ircomm_tty.h 2011-11-15 19:59:43.000000000 -0500
66920@@ -35,6 +35,7 @@
66921 #include <linux/termios.h>
66922 #include <linux/timer.h>
66923 #include <linux/tty.h> /* struct tty_struct */
66924+#include <asm/local.h>
66925
66926 #include <net/irda/irias_object.h>
66927 #include <net/irda/ircomm_core.h>
66928@@ -105,8 +106,8 @@ struct ircomm_tty_cb {
66929 unsigned short close_delay;
66930 unsigned short closing_wait; /* time to wait before closing */
66931
66932- int open_count;
66933- int blocked_open; /* # of blocked opens */
66934+ local_t open_count;
66935+ local_t blocked_open; /* # of blocked opens */
66936
66937 /* Protect concurent access to :
66938 * o self->open_count
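Review bot: `open_count` and `blocked_open` become `local_t`, but the comment just below still lists `self->open_count` as protected against concurrent access, and `local_t` operations are only atomic with respect to the current CPU. The conversion is therefore correct only while every access site keeps that protection; those sites are outside this hunk. The hunk does not state why the type changes, so I would say it at the declaration, e.g. `local_t open_count; /* <reason for local_t>; still serialised by the lock described below */`. The enclosing struct starts and ends outside the hunk.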
66939diff -urNp linux-2.6.32.48/include/net/iucv/af_iucv.h linux-2.6.32.48/include/net/iucv/af_iucv.h
66940--- linux-2.6.32.48/include/net/iucv/af_iucv.h 2011-11-08 19:02:43.000000000 -0500
66941+++ linux-2.6.32.48/include/net/iucv/af_iucv.h 2011-11-15 19:59:43.000000000 -0500
66942@@ -87,7 +87,7 @@ struct iucv_sock {
66943 struct iucv_sock_list {
66944 struct hlist_head head;
66945 rwlock_t lock;
66946- atomic_t autobind_name;
66947+ atomic_unchecked_t autobind_name;
66948 };
66949
66950 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
66951diff -urNp linux-2.6.32.48/include/net/lapb.h linux-2.6.32.48/include/net/lapb.h
66952--- linux-2.6.32.48/include/net/lapb.h 2011-11-08 19:02:43.000000000 -0500
66953+++ linux-2.6.32.48/include/net/lapb.h 2011-11-15 19:59:43.000000000 -0500
66954@@ -95,7 +95,7 @@ struct lapb_cb {
66955 struct sk_buff_head write_queue;
66956 struct sk_buff_head ack_queue;
66957 unsigned char window;
66958- struct lapb_register_struct callbacks;
66959+ struct lapb_register_struct *callbacks;
66960
66961 /* FRMR control information */
66962 struct lapb_frame frmr_data;
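Review bot: `callbacks` changes from an embedded copy to a pointer, so `struct lapb_cb` no longer owns the callback table, and the table supplied at registration must now outlive the control block. The field has no comment stating that; I would add one, e.g. `struct lapb_register_struct *callbacks; /* borrowed from the registrant, must outlive this lapb_cb */`. Every user also has to move from `.` to `->` and cope with the pointer being NULL before registration; those call sites are outside this hunk, so this is a request to confirm rather than a reported fault.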
66963diff -urNp linux-2.6.32.48/include/net/neighbour.h linux-2.6.32.48/include/net/neighbour.h
66964--- linux-2.6.32.48/include/net/neighbour.h 2011-11-08 19:02:43.000000000 -0500
66965+++ linux-2.6.32.48/include/net/neighbour.h 2011-11-15 19:59:43.000000000 -0500
66966@@ -131,7 +131,7 @@ struct neigh_ops
66967 int (*connected_output)(struct sk_buff*);
66968 int (*hh_output)(struct sk_buff*);
66969 int (*queue_xmit)(struct sk_buff*);
66970-};
66971+} __do_const;
66972
66973 struct pneigh_entry
66974 {
66975diff -urNp linux-2.6.32.48/include/net/netlink.h linux-2.6.32.48/include/net/netlink.h
66976--- linux-2.6.32.48/include/net/netlink.h 2011-11-08 19:02:43.000000000 -0500
66977+++ linux-2.6.32.48/include/net/netlink.h 2011-11-15 19:59:43.000000000 -0500
66978@@ -335,7 +335,7 @@ static inline int nlmsg_ok(const struct
66979 {
66980 return (remaining >= (int) sizeof(struct nlmsghdr) &&
66981 nlh->nlmsg_len >= sizeof(struct nlmsghdr) &&
66982- nlh->nlmsg_len <= remaining);
66983+ nlh->nlmsg_len <= (unsigned int)remaining);
66984 }
66985
66986 /**
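Review bot: The new `(unsigned int)remaining` cast is safe only because the first conjunct has already rejected any `remaining` below `sizeof(struct nlmsghdr)`, and with it every negative value. Nothing in `nlmsg_ok` states that dependency, so reordering the three tests later would turn a negative length into a very large upper bound for `nlmsg_len`. A short comment above the return would pin it down: `/* remaining is non-negative here: checked by the first test */`.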
66987@@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
66988 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
66989 {
66990 if (mark)
66991- skb_trim(skb, (unsigned char *) mark - skb->data);
66992+ skb_trim(skb, (const unsigned char *) mark - skb->data);
66993 }
66994
66995 /**
66996diff -urNp linux-2.6.32.48/include/net/netns/ipv4.h linux-2.6.32.48/include/net/netns/ipv4.h
66997--- linux-2.6.32.48/include/net/netns/ipv4.h 2011-11-08 19:02:43.000000000 -0500
66998+++ linux-2.6.32.48/include/net/netns/ipv4.h 2011-11-15 19:59:43.000000000 -0500
66999@@ -54,7 +54,7 @@ struct netns_ipv4 {
67000 int current_rt_cache_rebuild_count;
67001
67002 struct timer_list rt_secret_timer;
67003- atomic_t rt_genid;
67004+ atomic_unchecked_t rt_genid;
67005
67006 #ifdef CONFIG_IP_MROUTE
67007 struct sock *mroute_sk;
67008diff -urNp linux-2.6.32.48/include/net/sctp/sctp.h linux-2.6.32.48/include/net/sctp/sctp.h
67009--- linux-2.6.32.48/include/net/sctp/sctp.h 2011-11-08 19:02:43.000000000 -0500
67010+++ linux-2.6.32.48/include/net/sctp/sctp.h 2011-11-15 19:59:43.000000000 -0500
67011@@ -305,8 +305,8 @@ extern int sctp_debug_flag;
67012
67013 #else /* SCTP_DEBUG */
67014
67015-#define SCTP_DEBUG_PRINTK(whatever...)
67016-#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
67017+#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
67018+#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
67019 #define SCTP_ENABLE_DEBUG
67020 #define SCTP_DISABLE_DEBUG
67021 #define SCTP_ASSERT(expr, str, func)
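Review bot: Only two of the five no-op macros in this `#else` branch get a `do {} while (0)` body; `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` on the following lines still expand to nothing. An empty expansion leaves a bare `;` as the body of an `if` or `else`, which is the problem the change fixes for the first two. Provided the remaining three are only ever used as statements, I would give them the same body, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.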
67022diff -urNp linux-2.6.32.48/include/net/secure_seq.h linux-2.6.32.48/include/net/secure_seq.h
67023--- linux-2.6.32.48/include/net/secure_seq.h 2011-11-08 19:02:43.000000000 -0500
67024+++ linux-2.6.32.48/include/net/secure_seq.h 2011-11-15 19:59:43.000000000 -0500
67025@@ -7,14 +7,14 @@ extern __u32 secure_ip_id(__be32 daddr);
67026 extern __u32 secure_ipv6_id(const __be32 daddr[4]);
67027 extern u32 secure_ipv4_port_ephemeral(__be32 saddr, __be32 daddr, __be16 dport);
67028 extern u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
67029- __be16 dport);
67030+ __be16 dport);
67031 extern __u32 secure_tcp_sequence_number(__be32 saddr, __be32 daddr,
67032 __be16 sport, __be16 dport);
67033 extern __u32 secure_tcpv6_sequence_number(__be32 *saddr, __be32 *daddr,
67034- __be16 sport, __be16 dport);
67035+ __be16 sport, __be16 dport);
67036 extern u64 secure_dccp_sequence_number(__be32 saddr, __be32 daddr,
67037- __be16 sport, __be16 dport);
67038+ __be16 sport, __be16 dport);
67039 extern u64 secure_dccpv6_sequence_number(__be32 *saddr, __be32 *daddr,
67040- __be16 sport, __be16 dport);
67041+ __be16 sport, __be16 dport);
67042
67043 #endif /* _NET_SECURE_SEQ */
67044diff -urNp linux-2.6.32.48/include/net/sock.h linux-2.6.32.48/include/net/sock.h
67045--- linux-2.6.32.48/include/net/sock.h 2011-11-08 19:02:43.000000000 -0500
67046+++ linux-2.6.32.48/include/net/sock.h 2011-11-15 19:59:43.000000000 -0500
67047@@ -272,7 +272,7 @@ struct sock {
67048 rwlock_t sk_callback_lock;
67049 int sk_err,
67050 sk_err_soft;
67051- atomic_t sk_drops;
67052+ atomic_unchecked_t sk_drops;
67053 unsigned short sk_ack_backlog;
67054 unsigned short sk_max_ack_backlog;
67055 __u32 sk_priority;
67056@@ -737,7 +737,7 @@ static inline void sk_refcnt_debug_relea
67057 extern void sock_prot_inuse_add(struct net *net, struct proto *prot, int inc);
67058 extern int sock_prot_inuse_get(struct net *net, struct proto *proto);
67059 #else
67060-static void inline sock_prot_inuse_add(struct net *net, struct proto *prot,
67061+static inline void sock_prot_inuse_add(struct net *net, struct proto *prot,
67062 int inc)
67063 {
67064 }
67065diff -urNp linux-2.6.32.48/include/net/tcp.h linux-2.6.32.48/include/net/tcp.h
67066--- linux-2.6.32.48/include/net/tcp.h 2011-11-08 19:02:43.000000000 -0500
67067+++ linux-2.6.32.48/include/net/tcp.h 2011-11-15 19:59:43.000000000 -0500
67068@@ -1444,8 +1444,8 @@ enum tcp_seq_states {
67069 struct tcp_seq_afinfo {
67070 char *name;
67071 sa_family_t family;
67072- struct file_operations seq_fops;
67073- struct seq_operations seq_ops;
67074+ file_operations_no_const seq_fops;
67075+ seq_operations_no_const seq_ops;
67076 };
67077
67078 struct tcp_iter_state {
67079diff -urNp linux-2.6.32.48/include/net/udp.h linux-2.6.32.48/include/net/udp.h
67080--- linux-2.6.32.48/include/net/udp.h 2011-11-08 19:02:43.000000000 -0500
67081+++ linux-2.6.32.48/include/net/udp.h 2011-11-15 19:59:43.000000000 -0500
67082@@ -187,8 +187,8 @@ struct udp_seq_afinfo {
67083 char *name;
67084 sa_family_t family;
67085 struct udp_table *udp_table;
67086- struct file_operations seq_fops;
67087- struct seq_operations seq_ops;
67088+ file_operations_no_const seq_fops;
67089+ seq_operations_no_const seq_ops;
67090 };
67091
67092 struct udp_iter_state {
67093diff -urNp linux-2.6.32.48/include/rdma/iw_cm.h linux-2.6.32.48/include/rdma/iw_cm.h
67094--- linux-2.6.32.48/include/rdma/iw_cm.h 2011-11-08 19:02:43.000000000 -0500
67095+++ linux-2.6.32.48/include/rdma/iw_cm.h 2011-11-15 19:59:43.000000000 -0500
67096@@ -129,7 +129,7 @@ struct iw_cm_verbs {
67097 int backlog);
67098
67099 int (*destroy_listen)(struct iw_cm_id *cm_id);
67100-};
67101+} __no_const;
67102
67103 /**
67104 * iw_create_cm_id - Create an IW CM identifier.
67105diff -urNp linux-2.6.32.48/include/scsi/libfc.h linux-2.6.32.48/include/scsi/libfc.h
67106--- linux-2.6.32.48/include/scsi/libfc.h 2011-11-08 19:02:43.000000000 -0500
67107+++ linux-2.6.32.48/include/scsi/libfc.h 2011-11-15 19:59:43.000000000 -0500
67108@@ -675,6 +675,7 @@ struct libfc_function_template {
67109 */
67110 void (*disc_stop_final) (struct fc_lport *);
67111 };
67112+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
67113
67114 /* information used by the discovery layer */
67115 struct fc_disc {
67116@@ -707,7 +708,7 @@ struct fc_lport {
67117 struct fc_disc disc;
67118
67119 /* Operational Information */
67120- struct libfc_function_template tt;
67121+ libfc_function_template_no_const tt;
67122 u8 link_up;
67123 u8 qfull;
67124 enum fc_lport_state state;
67125diff -urNp linux-2.6.32.48/include/scsi/scsi_device.h linux-2.6.32.48/include/scsi/scsi_device.h
67126--- linux-2.6.32.48/include/scsi/scsi_device.h 2011-11-08 19:02:43.000000000 -0500
67127+++ linux-2.6.32.48/include/scsi/scsi_device.h 2011-11-15 19:59:43.000000000 -0500
67128@@ -156,9 +156,9 @@ struct scsi_device {
67129 unsigned int max_device_blocked; /* what device_blocked counts down from */
67130 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
67131
67132- atomic_t iorequest_cnt;
67133- atomic_t iodone_cnt;
67134- atomic_t ioerr_cnt;
67135+ atomic_unchecked_t iorequest_cnt;
67136+ atomic_unchecked_t iodone_cnt;
67137+ atomic_unchecked_t ioerr_cnt;
67138
67139 struct device sdev_gendev,
67140 sdev_dev;
67141diff -urNp linux-2.6.32.48/include/scsi/scsi_transport_fc.h linux-2.6.32.48/include/scsi/scsi_transport_fc.h
67142--- linux-2.6.32.48/include/scsi/scsi_transport_fc.h 2011-11-08 19:02:43.000000000 -0500
67143+++ linux-2.6.32.48/include/scsi/scsi_transport_fc.h 2011-11-15 19:59:43.000000000 -0500
67144@@ -708,7 +708,7 @@ struct fc_function_template {
67145 unsigned long show_host_system_hostname:1;
67146
67147 unsigned long disable_target_scan:1;
67148-};
67149+} __do_const;
67150
67151
67152 /**
67153diff -urNp linux-2.6.32.48/include/sound/ac97_codec.h linux-2.6.32.48/include/sound/ac97_codec.h
67154--- linux-2.6.32.48/include/sound/ac97_codec.h 2011-11-08 19:02:43.000000000 -0500
67155+++ linux-2.6.32.48/include/sound/ac97_codec.h 2011-11-15 19:59:43.000000000 -0500
67156@@ -419,15 +419,15 @@
67157 struct snd_ac97;
67158
67159 struct snd_ac97_build_ops {
67160- int (*build_3d) (struct snd_ac97 *ac97);
67161- int (*build_specific) (struct snd_ac97 *ac97);
67162- int (*build_spdif) (struct snd_ac97 *ac97);
67163- int (*build_post_spdif) (struct snd_ac97 *ac97);
67164+ int (* const build_3d) (struct snd_ac97 *ac97);
67165+ int (* const build_specific) (struct snd_ac97 *ac97);
67166+ int (* const build_spdif) (struct snd_ac97 *ac97);
67167+ int (* const build_post_spdif) (struct snd_ac97 *ac97);
67168 #ifdef CONFIG_PM
67169- void (*suspend) (struct snd_ac97 *ac97);
67170- void (*resume) (struct snd_ac97 *ac97);
67171+ void (* const suspend) (struct snd_ac97 *ac97);
67172+ void (* const resume) (struct snd_ac97 *ac97);
67173 #endif
67174- void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
67175+ void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
67176 };
67177
67178 struct snd_ac97_bus_ops {
67179@@ -477,7 +477,7 @@ struct snd_ac97_template {
67180
67181 struct snd_ac97 {
67182 /* -- lowlevel (hardware) driver specific -- */
67183- struct snd_ac97_build_ops * build_ops;
67184+ const struct snd_ac97_build_ops * build_ops;
67185 void *private_data;
67186 void (*private_free) (struct snd_ac97 *ac97);
67187 /* --- */
67188diff -urNp linux-2.6.32.48/include/sound/ak4xxx-adda.h linux-2.6.32.48/include/sound/ak4xxx-adda.h
67189--- linux-2.6.32.48/include/sound/ak4xxx-adda.h 2011-11-08 19:02:43.000000000 -0500
67190+++ linux-2.6.32.48/include/sound/ak4xxx-adda.h 2011-11-15 19:59:43.000000000 -0500
67191@@ -35,7 +35,7 @@ struct snd_ak4xxx_ops {
67192 void (*write)(struct snd_akm4xxx *ak, int chip, unsigned char reg,
67193 unsigned char val);
67194 void (*set_rate_val)(struct snd_akm4xxx *ak, unsigned int rate);
67195-};
67196+} __no_const;
67197
67198 #define AK4XXX_IMAGE_SIZE (AK4XXX_MAX_CHIPS * 16) /* 64 bytes */
67199
67200diff -urNp linux-2.6.32.48/include/sound/hwdep.h linux-2.6.32.48/include/sound/hwdep.h
67201--- linux-2.6.32.48/include/sound/hwdep.h 2011-11-08 19:02:43.000000000 -0500
67202+++ linux-2.6.32.48/include/sound/hwdep.h 2011-11-15 19:59:43.000000000 -0500
67203@@ -49,7 +49,7 @@ struct snd_hwdep_ops {
67204 struct snd_hwdep_dsp_status *status);
67205 int (*dsp_load)(struct snd_hwdep *hw,
67206 struct snd_hwdep_dsp_image *image);
67207-};
67208+} __no_const;
67209
67210 struct snd_hwdep {
67211 struct snd_card *card;
67212diff -urNp linux-2.6.32.48/include/sound/info.h linux-2.6.32.48/include/sound/info.h
67213--- linux-2.6.32.48/include/sound/info.h 2011-11-08 19:02:43.000000000 -0500
67214+++ linux-2.6.32.48/include/sound/info.h 2011-11-15 19:59:43.000000000 -0500
67215@@ -44,7 +44,7 @@ struct snd_info_entry_text {
67216 struct snd_info_buffer *buffer);
67217 void (*write)(struct snd_info_entry *entry,
67218 struct snd_info_buffer *buffer);
67219-};
67220+} __no_const;
67221
67222 struct snd_info_entry_ops {
67223 int (*open)(struct snd_info_entry *entry,
67224diff -urNp linux-2.6.32.48/include/sound/pcm.h linux-2.6.32.48/include/sound/pcm.h
67225--- linux-2.6.32.48/include/sound/pcm.h 2011-11-08 19:02:43.000000000 -0500
67226+++ linux-2.6.32.48/include/sound/pcm.h 2011-11-15 19:59:43.000000000 -0500
67227@@ -80,6 +80,7 @@ struct snd_pcm_ops {
67228 int (*mmap)(struct snd_pcm_substream *substream, struct vm_area_struct *vma);
67229 int (*ack)(struct snd_pcm_substream *substream);
67230 };
67231+typedef struct snd_pcm_ops __no_const snd_pcm_ops_no_const;
67232
67233 /*
67234 *
67235diff -urNp linux-2.6.32.48/include/sound/sb16_csp.h linux-2.6.32.48/include/sound/sb16_csp.h
67236--- linux-2.6.32.48/include/sound/sb16_csp.h 2011-11-08 19:02:43.000000000 -0500
67237+++ linux-2.6.32.48/include/sound/sb16_csp.h 2011-11-15 19:59:43.000000000 -0500
67238@@ -139,7 +139,7 @@ struct snd_sb_csp_ops {
67239 int (*csp_start) (struct snd_sb_csp * p, int sample_width, int channels);
67240 int (*csp_stop) (struct snd_sb_csp * p);
67241 int (*csp_qsound_transfer) (struct snd_sb_csp * p);
67242-};
67243+} __no_const;
67244
67245 /*
67246 * CSP private data
67247diff -urNp linux-2.6.32.48/include/sound/ymfpci.h linux-2.6.32.48/include/sound/ymfpci.h
67248--- linux-2.6.32.48/include/sound/ymfpci.h 2011-11-08 19:02:43.000000000 -0500
67249+++ linux-2.6.32.48/include/sound/ymfpci.h 2011-11-15 19:59:43.000000000 -0500
67250@@ -358,7 +358,7 @@ struct snd_ymfpci {
67251 spinlock_t reg_lock;
67252 spinlock_t voice_lock;
67253 wait_queue_head_t interrupt_sleep;
67254- atomic_t interrupt_sleep_count;
67255+ atomic_unchecked_t interrupt_sleep_count;
67256 struct snd_info_entry *proc_entry;
67257 const struct firmware *dsp_microcode;
67258 const struct firmware *controller_microcode;
67259diff -urNp linux-2.6.32.48/include/trace/events/irq.h linux-2.6.32.48/include/trace/events/irq.h
67260--- linux-2.6.32.48/include/trace/events/irq.h 2011-11-08 19:02:43.000000000 -0500
67261+++ linux-2.6.32.48/include/trace/events/irq.h 2011-11-15 19:59:43.000000000 -0500
67262@@ -34,7 +34,7 @@
67263 */
67264 TRACE_EVENT(irq_handler_entry,
67265
67266- TP_PROTO(int irq, struct irqaction *action),
67267+ TP_PROTO(int irq, const struct irqaction *action),
67268
67269 TP_ARGS(irq, action),
67270
67271@@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
67272 */
67273 TRACE_EVENT(irq_handler_exit,
67274
67275- TP_PROTO(int irq, struct irqaction *action, int ret),
67276+ TP_PROTO(int irq, const struct irqaction *action, int ret),
67277
67278 TP_ARGS(irq, action, ret),
67279
67280@@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
67281 */
67282 TRACE_EVENT(softirq_entry,
67283
67284- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
67285+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
67286
67287 TP_ARGS(h, vec),
67288
67289@@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
67290 */
67291 TRACE_EVENT(softirq_exit,
67292
67293- TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
67294+ TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
67295
67296 TP_ARGS(h, vec),
67297
67298diff -urNp linux-2.6.32.48/include/video/uvesafb.h linux-2.6.32.48/include/video/uvesafb.h
67299--- linux-2.6.32.48/include/video/uvesafb.h 2011-11-08 19:02:43.000000000 -0500
67300+++ linux-2.6.32.48/include/video/uvesafb.h 2011-11-15 19:59:43.000000000 -0500
67301@@ -177,6 +177,7 @@ struct uvesafb_par {
67302 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
67303 u8 pmi_setpal; /* PMI for palette changes */
67304 u16 *pmi_base; /* protected mode interface location */
67305+ u8 *pmi_code; /* protected mode code location */
67306 void *pmi_start;
67307 void *pmi_pal;
67308 u8 *vbe_state_orig; /*
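Review bot: The new `pmi_code` field is documented only as "protected mode code location", which does not distinguish it from `pmi_base` directly above or say whether the driver allocates it and must free it. A fuller comment would help, e.g. `u8 *pmi_code; /* <who allocates it, who frees it, how it relates to pmi_base> */`, filled in from the allocation site, which is outside this hunk. `struct uvesafb_par` starts and ends outside the hunk.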
67309diff -urNp linux-2.6.32.48/init/do_mounts.c linux-2.6.32.48/init/do_mounts.c
67310--- linux-2.6.32.48/init/do_mounts.c 2011-11-08 19:02:43.000000000 -0500
67311+++ linux-2.6.32.48/init/do_mounts.c 2011-11-15 19:59:43.000000000 -0500
67312@@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
67313
67314 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
67315 {
67316- int err = sys_mount(name, "/root", fs, flags, data);
67317+ int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
67318 if (err)
67319 return err;
67320
67321- sys_chdir("/root");
67322+ sys_chdir((__force const char __user *)"/root");
67323 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
67324 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
67325 current->fs->pwd.mnt->mnt_sb->s_type->name,
67326@@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
67327 va_start(args, fmt);
67328 vsprintf(buf, fmt, args);
67329 va_end(args);
67330- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
67331+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
67332 if (fd >= 0) {
67333 sys_ioctl(fd, FDEJECT, 0);
67334 sys_close(fd);
67335 }
67336 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
67337- fd = sys_open("/dev/console", O_RDWR, 0);
67338+ fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
67339 if (fd >= 0) {
67340 sys_ioctl(fd, TCGETS, (long)&termios);
67341 termios.c_lflag &= ~ICANON;
67342 sys_ioctl(fd, TCSETSF, (long)&termios);
67343- sys_read(fd, &c, 1);
67344+ sys_read(fd, (char __user *)&c, 1);
67345 termios.c_lflag |= ICANON;
67346 sys_ioctl(fd, TCSETSF, (long)&termios);
67347 sys_close(fd);
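Review bot: The three casts added in this hunk are written `(char __user *)` with no `__force`, while the other hunks of this file use `(__force char __user *)` and `init/do_mounts.h` uses `(char __force_user *)`. Without the force annotation a static checker such as sparse would presumably still report the address-space change, so these casts seem to miss the purpose of the edit; the two path casts also drop `const` from string literals. I would spell them like the rest of the patch: `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`. `change_floppy` starts and ends outside the hunk.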
67348@@ -416,6 +416,6 @@ void __init prepare_namespace(void)
67349 mount_root();
67350 out:
67351 devtmpfs_mount("dev");
67352- sys_mount(".", "/", NULL, MS_MOVE, NULL);
67353- sys_chroot(".");
67354+ sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
67355+ sys_chroot((__force char __user *)".");
67356 }
67357diff -urNp linux-2.6.32.48/init/do_mounts.h linux-2.6.32.48/init/do_mounts.h
67358--- linux-2.6.32.48/init/do_mounts.h 2011-11-08 19:02:43.000000000 -0500
67359+++ linux-2.6.32.48/init/do_mounts.h 2011-11-15 19:59:43.000000000 -0500
67360@@ -15,15 +15,15 @@ extern int root_mountflags;
67361
67362 static inline int create_dev(char *name, dev_t dev)
67363 {
67364- sys_unlink(name);
67365- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
67366+ sys_unlink((char __force_user *)name);
67367+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
67368 }
67369
67370 #if BITS_PER_LONG == 32
67371 static inline u32 bstat(char *name)
67372 {
67373 struct stat64 stat;
67374- if (sys_stat64(name, &stat) != 0)
67375+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
67376 return 0;
67377 if (!S_ISBLK(stat.st_mode))
67378 return 0;
67379@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
67380 static inline u32 bstat(char *name)
67381 {
67382 struct stat stat;
67383- if (sys_newstat(name, &stat) != 0)
67384+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
67385 return 0;
67386 if (!S_ISBLK(stat.st_mode))
67387 return 0;
67388diff -urNp linux-2.6.32.48/init/do_mounts_initrd.c linux-2.6.32.48/init/do_mounts_initrd.c
67389--- linux-2.6.32.48/init/do_mounts_initrd.c 2011-11-08 19:02:43.000000000 -0500
67390+++ linux-2.6.32.48/init/do_mounts_initrd.c 2011-11-15 19:59:43.000000000 -0500
67391@@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
67392 sys_close(old_fd);sys_close(root_fd);
67393 sys_close(0);sys_close(1);sys_close(2);
67394 sys_setsid();
67395- (void) sys_open("/dev/console",O_RDWR,0);
67396+ (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
67397 (void) sys_dup(0);
67398 (void) sys_dup(0);
67399 return kernel_execve(shell, argv, envp_init);
67400@@ -47,13 +47,13 @@ static void __init handle_initrd(void)
67401 create_dev("/dev/root.old", Root_RAM0);
67402 /* mount initrd on rootfs' /root */
67403 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
67404- sys_mkdir("/old", 0700);
67405- root_fd = sys_open("/", 0, 0);
67406- old_fd = sys_open("/old", 0, 0);
67407+ sys_mkdir((const char __force_user *)"/old", 0700);
67408+ root_fd = sys_open((const char __force_user *)"/", 0, 0);
67409+ old_fd = sys_open((const char __force_user *)"/old", 0, 0);
67410 /* move initrd over / and chdir/chroot in initrd root */
67411- sys_chdir("/root");
67412- sys_mount(".", "/", NULL, MS_MOVE, NULL);
67413- sys_chroot(".");
67414+ sys_chdir((const char __force_user *)"/root");
67415+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
67416+ sys_chroot((const char __force_user *)".");
67417
67418 /*
67419 * In case that a resume from disk is carried out by linuxrc or one of
67420@@ -70,15 +70,15 @@ static void __init handle_initrd(void)
67421
67422 /* move initrd to rootfs' /old */
67423 sys_fchdir(old_fd);
67424- sys_mount("/", ".", NULL, MS_MOVE, NULL);
67425+ sys_mount((char __force_user *)"/", (char __force_user *)".", NULL, MS_MOVE, NULL);
67426 /* switch root and cwd back to / of rootfs */
67427 sys_fchdir(root_fd);
67428- sys_chroot(".");
67429+ sys_chroot((const char __force_user *)".");
67430 sys_close(old_fd);
67431 sys_close(root_fd);
67432
67433 if (new_decode_dev(real_root_dev) == Root_RAM0) {
67434- sys_chdir("/old");
67435+ sys_chdir((const char __force_user *)"/old");
67436 return;
67437 }
67438
67439@@ -86,17 +86,17 @@ static void __init handle_initrd(void)
67440 mount_root();
67441
67442 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
67443- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
67444+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
67445 if (!error)
67446 printk("okay\n");
67447 else {
67448- int fd = sys_open("/dev/root.old", O_RDWR, 0);
67449+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
67450 if (error == -ENOENT)
67451 printk("/initrd does not exist. Ignored.\n");
67452 else
67453 printk("failed\n");
67454 printk(KERN_NOTICE "Unmounting old root\n");
67455- sys_umount("/old", MNT_DETACH);
67456+ sys_umount((char __force_user *)"/old", MNT_DETACH);
67457 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
67458 if (fd < 0) {
67459 error = fd;
67460@@ -119,11 +119,11 @@ int __init initrd_load(void)
67461 * mounted in the normal path.
67462 */
67463 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
67464- sys_unlink("/initrd.image");
67465+ sys_unlink((const char __force_user *)"/initrd.image");
67466 handle_initrd();
67467 return 1;
67468 }
67469 }
67470- sys_unlink("/initrd.image");
67471+ sys_unlink((const char __force_user *)"/initrd.image");
67472 return 0;
67473 }
67474diff -urNp linux-2.6.32.48/init/do_mounts_md.c linux-2.6.32.48/init/do_mounts_md.c
67475--- linux-2.6.32.48/init/do_mounts_md.c 2011-11-08 19:02:43.000000000 -0500
67476+++ linux-2.6.32.48/init/do_mounts_md.c 2011-11-15 19:59:43.000000000 -0500
67477@@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
67478 partitioned ? "_d" : "", minor,
67479 md_setup_args[ent].device_names);
67480
67481- fd = sys_open(name, 0, 0);
67482+ fd = sys_open((char __force_user *)name, 0, 0);
67483 if (fd < 0) {
67484 printk(KERN_ERR "md: open failed - cannot start "
67485 "array %s\n", name);
67486@@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
67487 * array without it
67488 */
67489 sys_close(fd);
67490- fd = sys_open(name, 0, 0);
67491+ fd = sys_open((char __force_user *)name, 0, 0);
67492 sys_ioctl(fd, BLKRRPART, 0);
67493 }
67494 sys_close(fd);
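Review bot: The reopened descriptor is used unchecked: `fd = sys_open((char __force_user *)name, 0, 0);` is followed directly by `sys_ioctl(fd, BLKRRPART, 0);`, unlike the first open of `name` in this function, which tests `fd < 0` and logs. A failed reopen would not crash, but the partition rescan would be skipped without any message. Since the line is being touched anyway, I would guard it with `if (fd >= 0) sys_ioctl(fd, BLKRRPART, 0);` and log the failure as the earlier open does. `md_setup_drive` starts and ends outside the hunk.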
67495@@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
67496
67497 wait_for_device_probe();
67498
67499- fd = sys_open("/dev/md0", 0, 0);
67500+ fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
67501 if (fd >= 0) {
67502 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
67503 sys_close(fd);
67504diff -urNp linux-2.6.32.48/init/initramfs.c linux-2.6.32.48/init/initramfs.c
67505--- linux-2.6.32.48/init/initramfs.c 2011-11-08 19:02:43.000000000 -0500
67506+++ linux-2.6.32.48/init/initramfs.c 2011-11-15 19:59:43.000000000 -0500
67507@@ -74,7 +74,7 @@ static void __init free_hash(void)
67508 }
67509 }
67510
67511-static long __init do_utime(char __user *filename, time_t mtime)
67512+static long __init do_utime(__force char __user *filename, time_t mtime)
67513 {
67514 struct timespec t[2];
67515
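Review bot: `__force` in the parameter declaration `do_utime(__force char __user *filename, time_t mtime)` looks out of place: the annotation is normally attached to a cast, and every caller changed in this file already casts its argument with `(char __force_user *)`. I would leave the prototype as `char __user *filename` and keep the annotation at the call sites only, so the signature still tells a checker what address space the function expects. The body of `do_utime` continues outside the hunk.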
67516@@ -109,7 +109,7 @@ static void __init dir_utime(void)
67517 struct dir_entry *de, *tmp;
67518 list_for_each_entry_safe(de, tmp, &dir_list, list) {
67519 list_del(&de->list);
67520- do_utime(de->name, de->mtime);
67521+ do_utime((char __force_user *)de->name, de->mtime);
67522 kfree(de->name);
67523 kfree(de);
67524 }
67525@@ -271,7 +271,7 @@ static int __init maybe_link(void)
67526 if (nlink >= 2) {
67527 char *old = find_link(major, minor, ino, mode, collected);
67528 if (old)
67529- return (sys_link(old, collected) < 0) ? -1 : 1;
67530+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
67531 }
67532 return 0;
67533 }
67534@@ -280,11 +280,11 @@ static void __init clean_path(char *path
67535 {
67536 struct stat st;
67537
67538- if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
67539+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode^mode) & S_IFMT) {
67540 if (S_ISDIR(st.st_mode))
67541- sys_rmdir(path);
67542+ sys_rmdir((char __force_user *)path);
67543 else
67544- sys_unlink(path);
67545+ sys_unlink((char __force_user *)path);
67546 }
67547 }
67548
67549@@ -305,7 +305,7 @@ static int __init do_name(void)
67550 int openflags = O_WRONLY|O_CREAT;
67551 if (ml != 1)
67552 openflags |= O_TRUNC;
67553- wfd = sys_open(collected, openflags, mode);
67554+ wfd = sys_open((char __force_user *)collected, openflags, mode);
67555
67556 if (wfd >= 0) {
67557 sys_fchown(wfd, uid, gid);
67558@@ -317,17 +317,17 @@ static int __init do_name(void)
67559 }
67560 }
67561 } else if (S_ISDIR(mode)) {
67562- sys_mkdir(collected, mode);
67563- sys_chown(collected, uid, gid);
67564- sys_chmod(collected, mode);
67565+ sys_mkdir((char __force_user *)collected, mode);
67566+ sys_chown((char __force_user *)collected, uid, gid);
67567+ sys_chmod((char __force_user *)collected, mode);
67568 dir_add(collected, mtime);
67569 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
67570 S_ISFIFO(mode) || S_ISSOCK(mode)) {
67571 if (maybe_link() == 0) {
67572- sys_mknod(collected, mode, rdev);
67573- sys_chown(collected, uid, gid);
67574- sys_chmod(collected, mode);
67575- do_utime(collected, mtime);
67576+ sys_mknod((char __force_user *)collected, mode, rdev);
67577+ sys_chown((char __force_user *)collected, uid, gid);
67578+ sys_chmod((char __force_user *)collected, mode);
67579+ do_utime((char __force_user *)collected, mtime);
67580 }
67581 }
67582 return 0;
67583@@ -336,15 +336,15 @@ static int __init do_name(void)
67584 static int __init do_copy(void)
67585 {
67586 if (count >= body_len) {
67587- sys_write(wfd, victim, body_len);
67588+ sys_write(wfd, (char __force_user *)victim, body_len);
67589 sys_close(wfd);
67590- do_utime(vcollected, mtime);
67591+ do_utime((char __force_user *)vcollected, mtime);
67592 kfree(vcollected);
67593 eat(body_len);
67594 state = SkipIt;
67595 return 0;
67596 } else {
67597- sys_write(wfd, victim, count);
67598+ sys_write(wfd, (char __force_user *)victim, count);
67599 body_len -= count;
67600 eat(count);
67601 return 1;
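Review bot: Both `sys_write(wfd, ...)` calls in `do_copy` discard the return value, so a failed or short write while unpacking the initramfs leaves a truncated file with no diagnostic. Since the lines are being edited anyway, the result could be compared with the requested length and reported, e.g. `if (sys_write(wfd, (char __force_user *)victim, count) != count) <report unpack error>;`. Which reporting helper this file uses is not visible in the hunk, hence the placeholder.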
67602@@ -355,9 +355,9 @@ static int __init do_symlink(void)
67603 {
67604 collected[N_ALIGN(name_len) + body_len] = '\0';
67605 clean_path(collected, 0);
67606- sys_symlink(collected + N_ALIGN(name_len), collected);
67607- sys_lchown(collected, uid, gid);
67608- do_utime(collected, mtime);
67609+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
67610+ sys_lchown((char __force_user *)collected, uid, gid);
67611+ do_utime((char __force_user *)collected, mtime);
67612 state = SkipIt;
67613 next_state = Reset;
67614 return 0;
67615diff -urNp linux-2.6.32.48/init/Kconfig linux-2.6.32.48/init/Kconfig
67616--- linux-2.6.32.48/init/Kconfig 2011-11-08 19:02:43.000000000 -0500
67617+++ linux-2.6.32.48/init/Kconfig 2011-11-15 19:59:43.000000000 -0500
67618@@ -1004,7 +1004,7 @@ config SLUB_DEBUG
67619
67620 config COMPAT_BRK
67621 bool "Disable heap randomization"
67622- default y
67623+ default n
67624 help
67625 Randomizing heap placement makes heap exploits harder, but it
67626 also breaks ancient binaries (including anything libc5 based).
67627diff -urNp linux-2.6.32.48/init/main.c linux-2.6.32.48/init/main.c
67628--- linux-2.6.32.48/init/main.c 2011-11-08 19:02:43.000000000 -0500
67629+++ linux-2.6.32.48/init/main.c 2011-11-15 19:59:43.000000000 -0500
67630@@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
67631 #ifdef CONFIG_TC
67632 extern void tc_init(void);
67633 #endif
67634+extern void grsecurity_init(void);
67635
67636 enum system_states system_state __read_mostly;
67637 EXPORT_SYMBOL(system_state);
67638@@ -183,6 +184,49 @@ static int __init set_reset_devices(char
67639
67640 __setup("reset_devices", set_reset_devices);
67641
67642+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
67643+extern char pax_enter_kernel_user[];
67644+extern char pax_exit_kernel_user[];
67645+extern pgdval_t clone_pgd_mask;
67646+#endif
67647+
67648+#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
67649+static int __init setup_pax_nouderef(char *str)
67650+{
67651+#ifdef CONFIG_X86_32
67652+ unsigned int cpu;
67653+ struct desc_struct *gdt;
67654+
67655+ for (cpu = 0; cpu < NR_CPUS; cpu++) {
67656+ gdt = get_cpu_gdt_table(cpu);
67657+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
67658+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
67659+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
67660+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
67661+ }
67662+ asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
67663+#else
67664+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
67665+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
67666+ clone_pgd_mask = ~(pgdval_t)0UL;
67667+#endif
67668+
67669+ return 0;
67670+}
67671+early_param("pax_nouderef", setup_pax_nouderef);
67672+#endif
67673+
67674+#ifdef CONFIG_PAX_SOFTMODE
67675+int pax_softmode;
67676+
67677+static int __init setup_pax_softmode(char *str)
67678+{
67679+ get_option(&str, &pax_softmode);
67680+ return 1;
67681+}
67682+__setup("pax_softmode=", setup_pax_softmode);
67683+#endif
67684+
67685 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
67686 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
67687 static const char *panic_later, *panic_param;
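Review bot: `setup_pax_nouderef()` switches UDEREF off without writing anything to the boot log, so a command line carrying `pax_nouderef` weakens the kernel silently. On the x86_64 branch it overwrites the first byte of `pax_enter_kernel_user` and `pax_exit_kernel_user` with 0xc3 (the x86 `ret` opcode) and sets `clone_pgd_mask` to all ones; on x86_32 it rewrites the type and limit fields of the kernel data and default user segments in every CPU's GDT. I would add `printk(KERN_INFO "PAX: UDEREF disabled by pax_nouderef\n");` before `return 0;` and a one-line comment that 0xc3 is `ret`. `setup_pax_softmode()` in the same hunk ignores the return value of `get_option()`, so `pax_softmode=` without a number leaves the flag unchanged and gives no warning.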
67688@@ -705,52 +749,53 @@ int initcall_debug;
67689 core_param(initcall_debug, initcall_debug, bool, 0644);
67690
67691 static char msgbuf[64];
67692-static struct boot_trace_call call;
67693-static struct boot_trace_ret ret;
67694+static struct boot_trace_call trace_call;
67695+static struct boot_trace_ret trace_ret;
67696
67697 int do_one_initcall(initcall_t fn)
67698 {
67699 int count = preempt_count();
67700 ktime_t calltime, delta, rettime;
67701+ const char *msg1 = "", *msg2 = "";
67702
67703 if (initcall_debug) {
67704- call.caller = task_pid_nr(current);
67705- printk("calling %pF @ %i\n", fn, call.caller);
67706+ trace_call.caller = task_pid_nr(current);
67707+ printk("calling %pF @ %i\n", fn, trace_call.caller);
67708 calltime = ktime_get();
67709- trace_boot_call(&call, fn);
67710+ trace_boot_call(&trace_call, fn);
67711 enable_boot_trace();
67712 }
67713
67714- ret.result = fn();
67715+ trace_ret.result = fn();
67716
67717 if (initcall_debug) {
67718 disable_boot_trace();
67719 rettime = ktime_get();
67720 delta = ktime_sub(rettime, calltime);
67721- ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
67722- trace_boot_ret(&ret, fn);
67723+ trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
67724+ trace_boot_ret(&trace_ret, fn);
67725 printk("initcall %pF returned %d after %Ld usecs\n", fn,
67726- ret.result, ret.duration);
67727+ trace_ret.result, trace_ret.duration);
67728 }
67729
67730 msgbuf[0] = 0;
67731
67732- if (ret.result && ret.result != -ENODEV && initcall_debug)
67733- sprintf(msgbuf, "error code %d ", ret.result);
67734+ if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
67735+ sprintf(msgbuf, "error code %d ", trace_ret.result);
67736
67737 if (preempt_count() != count) {
67738- strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
67739+ msg1 = " preemption imbalance";
67740 preempt_count() = count;
67741 }
67742 if (irqs_disabled()) {
67743- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
67744+ msg2 = " disabled interrupts";
67745 local_irq_enable();
67746 }
67747- if (msgbuf[0]) {
67748- printk("initcall %pF returned with %s\n", fn, msgbuf);
67749+ if (msgbuf[0] || *msg1 || *msg2) {
67750+ printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
67751 }
67752
67753- return ret.result;
67754+ return trace_ret.result;
67755 }
67756
67757
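Review bot: The `sprintf()` into the 64-byte `msgbuf` survives this hunk with no bound at the call site; `snprintf(msgbuf, sizeof(msgbuf), "error code %d ", trace_ret.result);` would state the limit the way the removed `strlcat()` calls did. The new format also prints doubled spaces, because `msgbuf` ends with a space and `msg1`/`msg2` begin with one; with an empty `msgbuf` the line reads `returned with  preemption imbalance`. Dropping the trailing space from the `"error code %d "` literal and the space before the first `%s` in the `printk()` format (with `msgbuf` then written as `" error code %d"`) gives single spacing in every combination.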
67758@@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
67759 if (!ramdisk_execute_command)
67760 ramdisk_execute_command = "/init";
67761
67762- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
67763+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
67764 ramdisk_execute_command = NULL;
67765 prepare_namespace();
67766 }
67767
67768+ grsecurity_init();
67769+
67770 /*
67771 * Ok, we have completed the initial bootup, and
67772 * we're essentially up and running. Get rid of the
67773diff -urNp linux-2.6.32.48/init/noinitramfs.c linux-2.6.32.48/init/noinitramfs.c
67774--- linux-2.6.32.48/init/noinitramfs.c 2011-11-08 19:02:43.000000000 -0500
67775+++ linux-2.6.32.48/init/noinitramfs.c 2011-11-15 19:59:43.000000000 -0500
67776@@ -29,7 +29,7 @@ static int __init default_rootfs(void)
67777 {
67778 int err;
67779
67780- err = sys_mkdir("/dev", 0755);
67781+ err = sys_mkdir((const char __user *)"/dev", 0755);
67782 if (err < 0)
67783 goto out;
67784
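Review bot: The two added casts use plain `__user`, while the rest of this patch casts kernel pointers with `__force_user` (for example the `sys_access()` call in init/main.c). A string literal is a kernel address, so a cast without the force attribute is presumably still what sparse flags; `err = sys_mkdir((const char __force_user *)"/dev", 0755);` would follow the convention, and the same applies to the `"/root"` call in the next hunk. `default_rootfs()` continues outside both hunks.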
67785@@ -39,7 +39,7 @@ static int __init default_rootfs(void)
67786 if (err < 0)
67787 goto out;
67788
67789- err = sys_mkdir("/root", 0700);
67790+ err = sys_mkdir((const char __user *)"/root", 0700);
67791 if (err < 0)
67792 goto out;
67793
67794diff -urNp linux-2.6.32.48/ipc/mqueue.c linux-2.6.32.48/ipc/mqueue.c
67795--- linux-2.6.32.48/ipc/mqueue.c 2011-11-08 19:02:43.000000000 -0500
67796+++ linux-2.6.32.48/ipc/mqueue.c 2011-11-15 19:59:43.000000000 -0500
67797@@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
67798 mq_bytes = (mq_msg_tblsz +
67799 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
67800
67801+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
67802 spin_lock(&mq_lock);
67803 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
67804 u->mq_bytes + mq_bytes >
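Review bot: `gr_learn_resource()` reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken, while the limit check directly below reads it under the lock. If the call has to stay outside the lock (its body is not visible here, so it may not be safe under a spinlock), a comment should say so, e.g. `/* sampled without mq_lock: advisory value, used for learning only */`. The sum `u->mq_bytes + mq_bytes` is also passed on before the wrap-around test on the following lines, so a wrapped value can reach the learning code. `mqueue_get_inode()` starts and ends outside the hunk.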
67805diff -urNp linux-2.6.32.48/ipc/msg.c linux-2.6.32.48/ipc/msg.c
67806--- linux-2.6.32.48/ipc/msg.c 2011-11-08 19:02:43.000000000 -0500
67807+++ linux-2.6.32.48/ipc/msg.c 2011-11-15 19:59:43.000000000 -0500
67808@@ -310,18 +310,19 @@ static inline int msg_security(struct ke
67809 return security_msg_queue_associate(msq, msgflg);
67810 }
67811
67812+static struct ipc_ops msg_ops = {
67813+ .getnew = newque,
67814+ .associate = msg_security,
67815+ .more_checks = NULL
67816+};
67817+
67818 SYSCALL_DEFINE2(msgget, key_t, key, int, msgflg)
67819 {
67820 struct ipc_namespace *ns;
67821- struct ipc_ops msg_ops;
67822 struct ipc_params msg_params;
67823
67824 ns = current->nsproxy->ipc_ns;
67825
67826- msg_ops.getnew = newque;
67827- msg_ops.associate = msg_security;
67828- msg_ops.more_checks = NULL;
67829-
67830 msg_params.key = key;
67831 msg_params.flg = msgflg;
67832
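Review bot: `msg_ops` becomes a file-scope table of function pointers but stays writable; `static const struct ipc_ops msg_ops` would place it in read-only data, provided `ipcget()` (not visible here) accepts a `const struct ipc_ops *`. The same holds for `sem_ops` in ipc/sem.c and `shm_ops` in ipc/shm.c. If the prototype cannot change in this patch, a short comment that the table is never written after build time would record the intent.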
67833diff -urNp linux-2.6.32.48/ipc/sem.c linux-2.6.32.48/ipc/sem.c
67834--- linux-2.6.32.48/ipc/sem.c 2011-11-08 19:02:43.000000000 -0500
67835+++ linux-2.6.32.48/ipc/sem.c 2011-11-15 19:59:43.000000000 -0500
67836@@ -309,10 +309,15 @@ static inline int sem_more_checks(struct
67837 return 0;
67838 }
67839
67840+static struct ipc_ops sem_ops = {
67841+ .getnew = newary,
67842+ .associate = sem_security,
67843+ .more_checks = sem_more_checks
67844+};
67845+
67846 SYSCALL_DEFINE3(semget, key_t, key, int, nsems, int, semflg)
67847 {
67848 struct ipc_namespace *ns;
67849- struct ipc_ops sem_ops;
67850 struct ipc_params sem_params;
67851
67852 ns = current->nsproxy->ipc_ns;
67853@@ -320,10 +325,6 @@ SYSCALL_DEFINE3(semget, key_t, key, int,
67854 if (nsems < 0 || nsems > ns->sc_semmsl)
67855 return -EINVAL;
67856
67857- sem_ops.getnew = newary;
67858- sem_ops.associate = sem_security;
67859- sem_ops.more_checks = sem_more_checks;
67860-
67861 sem_params.key = key;
67862 sem_params.flg = semflg;
67863 sem_params.u.nsems = nsems;
67864@@ -671,6 +672,8 @@ static int semctl_main(struct ipc_namesp
67865 ushort* sem_io = fast_sem_io;
67866 int nsems;
67867
67868+ pax_track_stack();
67869+
67870 sma = sem_lock_check(ns, semid);
67871 if (IS_ERR(sma))
67872 return PTR_ERR(sma);
67873@@ -1071,6 +1074,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
67874 unsigned long jiffies_left = 0;
67875 struct ipc_namespace *ns;
67876
67877+ pax_track_stack();
67878+
67879 ns = current->nsproxy->ipc_ns;
67880
67881 if (nsops < 1 || semid < 0)
67882diff -urNp linux-2.6.32.48/ipc/shm.c linux-2.6.32.48/ipc/shm.c
67883--- linux-2.6.32.48/ipc/shm.c 2011-11-08 19:02:43.000000000 -0500
67884+++ linux-2.6.32.48/ipc/shm.c 2011-11-15 19:59:43.000000000 -0500
67885@@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
67886 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
67887 #endif
67888
67889+#ifdef CONFIG_GRKERNSEC
67890+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67891+ const time_t shm_createtime, const uid_t cuid,
67892+ const int shmid);
67893+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
67894+ const time_t shm_createtime);
67895+#endif
67896+
67897 void shm_init_ns(struct ipc_namespace *ns)
67898 {
67899 ns->shm_ctlmax = SHMMAX;
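Review bot: `gr_handle_shmat()` and `gr_chroot_shmat()` are declared with `extern` inside ipc/shm.c, so the compiler cannot check these prototypes against the definitions. Moving them to a shared grsecurity header that both the definition and this file include would catch drift in the `pid_t`/`time_t`/`uid_t` arguments at build time. The `extern rwlock_t grsec_exec_file_lock;` added to kernel/exit.c has the same weakness.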
67900@@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
67901 shp->shm_lprid = 0;
67902 shp->shm_atim = shp->shm_dtim = 0;
67903 shp->shm_ctim = get_seconds();
67904+#ifdef CONFIG_GRKERNSEC
67905+ {
67906+ struct timespec timeval;
67907+ do_posix_clock_monotonic_gettime(&timeval);
67908+
67909+ shp->shm_createtime = timeval.tv_sec;
67910+ }
67911+#endif
67912 shp->shm_segsz = size;
67913 shp->shm_nattch = 0;
67914 shp->shm_file = file;
67915@@ -446,18 +462,19 @@ static inline int shm_more_checks(struct
67916 return 0;
67917 }
67918
67919+static struct ipc_ops shm_ops = {
67920+ .getnew = newseg,
67921+ .associate = shm_security,
67922+ .more_checks = shm_more_checks
67923+};
67924+
67925 SYSCALL_DEFINE3(shmget, key_t, key, size_t, size, int, shmflg)
67926 {
67927 struct ipc_namespace *ns;
67928- struct ipc_ops shm_ops;
67929 struct ipc_params shm_params;
67930
67931 ns = current->nsproxy->ipc_ns;
67932
67933- shm_ops.getnew = newseg;
67934- shm_ops.associate = shm_security;
67935- shm_ops.more_checks = shm_more_checks;
67936-
67937 shm_params.key = key;
67938 shm_params.flg = shmflg;
67939 shm_params.u.size = size;
67940@@ -880,9 +897,21 @@ long do_shmat(int shmid, char __user *sh
67941 if (err)
67942 goto out_unlock;
67943
67944+#ifdef CONFIG_GRKERNSEC
67945+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
67946+ shp->shm_perm.cuid, shmid) ||
67947+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
67948+ err = -EACCES;
67949+ goto out_unlock;
67950+ }
67951+#endif
67952+
67953 path.dentry = dget(shp->shm_file->f_path.dentry);
67954 path.mnt = shp->shm_file->f_path.mnt;
67955 shp->shm_nattch++;
67956+#ifdef CONFIG_GRKERNSEC
67957+ shp->shm_lapid = current->pid;
67958+#endif
67959 size = i_size_read(path.dentry->d_inode);
67960 shm_unlock(shp);
67961
67962diff -urNp linux-2.6.32.48/kernel/acct.c linux-2.6.32.48/kernel/acct.c
67963--- linux-2.6.32.48/kernel/acct.c 2011-11-08 19:02:43.000000000 -0500
67964+++ linux-2.6.32.48/kernel/acct.c 2011-11-15 19:59:43.000000000 -0500
67965@@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
67966 */
67967 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
67968 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
67969- file->f_op->write(file, (char *)&ac,
67970+ file->f_op->write(file, (char __force_user *)&ac,
67971 sizeof(acct_t), &file->f_pos);
67972 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
67973 set_fs(fs);
67974diff -urNp linux-2.6.32.48/kernel/audit.c linux-2.6.32.48/kernel/audit.c
67975--- linux-2.6.32.48/kernel/audit.c 2011-11-08 19:02:43.000000000 -0500
67976+++ linux-2.6.32.48/kernel/audit.c 2011-11-15 19:59:43.000000000 -0500
67977@@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
67978 3) suppressed due to audit_rate_limit
67979 4) suppressed due to audit_backlog_limit
67980 */
67981-static atomic_t audit_lost = ATOMIC_INIT(0);
67982+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
67983
67984 /* The netlink socket. */
67985 static struct sock *audit_sock;
67986@@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
67987 unsigned long now;
67988 int print;
67989
67990- atomic_inc(&audit_lost);
67991+ atomic_inc_unchecked(&audit_lost);
67992
67993 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
67994
67995@@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
67996 printk(KERN_WARNING
67997 "audit: audit_lost=%d audit_rate_limit=%d "
67998 "audit_backlog_limit=%d\n",
67999- atomic_read(&audit_lost),
68000+ atomic_read_unchecked(&audit_lost),
68001 audit_rate_limit,
68002 audit_backlog_limit);
68003 audit_panic(message);
68004@@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
68005 status_set.pid = audit_pid;
68006 status_set.rate_limit = audit_rate_limit;
68007 status_set.backlog_limit = audit_backlog_limit;
68008- status_set.lost = atomic_read(&audit_lost);
68009+ status_set.lost = atomic_read_unchecked(&audit_lost);
68010 status_set.backlog = skb_queue_len(&audit_skb_queue);
68011 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
68012 &status_set, sizeof(status_set));
68013@@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
68014 spin_unlock_irq(&tsk->sighand->siglock);
68015 }
68016 read_unlock(&tasklist_lock);
68017- audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
68018- &s, sizeof(s));
68019+
68020+ if (!err)
68021+ audit_send_reply(NETLINK_CB(skb).pid, seq,
68022+ AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
68023 break;
68024 }
68025 case AUDIT_TTY_SET: {
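Review bot: The new `if (!err)` guard carries no comment, and its reason cannot be read from the lines in the hunk. Presumably `s` is only filled in when the task lookup above succeeded, so an unconditional reply would copy an unset stack structure to the netlink peer; the lookup itself lies outside the hunk. I would add `/* s is only valid when the task was found; never send it on error */` above the guard.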
68026diff -urNp linux-2.6.32.48/kernel/auditsc.c linux-2.6.32.48/kernel/auditsc.c
68027--- linux-2.6.32.48/kernel/auditsc.c 2011-11-08 19:02:43.000000000 -0500
68028+++ linux-2.6.32.48/kernel/auditsc.c 2011-11-15 19:59:43.000000000 -0500
68029@@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
68030 }
68031
68032 /* global counter which is incremented every time something logs in */
68033-static atomic_t session_id = ATOMIC_INIT(0);
68034+static atomic_unchecked_t session_id = ATOMIC_INIT(0);
68035
68036 /**
68037 * audit_set_loginuid - set a task's audit_context loginuid
68038@@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
68039 */
68040 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
68041 {
68042- unsigned int sessionid = atomic_inc_return(&session_id);
68043+ unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
68044 struct audit_context *context = task->audit_context;
68045
68046 if (context && context->in_syscall) {
68047diff -urNp linux-2.6.32.48/kernel/capability.c linux-2.6.32.48/kernel/capability.c
68048--- linux-2.6.32.48/kernel/capability.c 2011-11-08 19:02:43.000000000 -0500
68049+++ linux-2.6.32.48/kernel/capability.c 2011-11-15 19:59:43.000000000 -0500
68050@@ -305,10 +305,26 @@ int capable(int cap)
68051 BUG();
68052 }
68053
68054- if (security_capable(cap) == 0) {
68055+ if (security_capable(cap) == 0 && gr_is_capable(cap)) {
68056 current->flags |= PF_SUPERPRIV;
68057 return 1;
68058 }
68059 return 0;
68060 }
68061+
68062+int capable_nolog(int cap)
68063+{
68064+ if (unlikely(!cap_valid(cap))) {
68065+ printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
68066+ BUG();
68067+ }
68068+
68069+ if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
68070+ current->flags |= PF_SUPERPRIV;
68071+ return 1;
68072+ }
68073+ return 0;
68074+}
68075+
68076 EXPORT_SYMBOL(capable);
68077+EXPORT_SYMBOL(capable_nolog);
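Review bot: `capable_nolog()` is a copy of `capable()` and still prints `capable() called with invalid cap=%u` before `BUG()`, which sends whoever reads the log to the wrong function. The message should read `"capable_nolog() called with invalid cap=%u\n"`, or both functions could call one static helper that takes the result of the grsecurity check, so the validation and the `PF_SUPERPRIV` update exist only once. The newly exported function also has no kernel-doc comment saying when a caller should prefer it over `capable()`.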
68078diff -urNp linux-2.6.32.48/kernel/cgroup.c linux-2.6.32.48/kernel/cgroup.c
68079--- linux-2.6.32.48/kernel/cgroup.c 2011-11-08 19:02:43.000000000 -0500
68080+++ linux-2.6.32.48/kernel/cgroup.c 2011-11-15 19:59:43.000000000 -0500
68081@@ -536,6 +536,8 @@ static struct css_set *find_css_set(
68082 struct hlist_head *hhead;
68083 struct cg_cgroup_link *link;
68084
68085+ pax_track_stack();
68086+
68087 /* First see if we already have a cgroup group that matches
68088 * the desired set */
68089 read_lock(&css_set_lock);
68090diff -urNp linux-2.6.32.48/kernel/compat.c linux-2.6.32.48/kernel/compat.c
68091--- linux-2.6.32.48/kernel/compat.c 2011-11-08 19:02:43.000000000 -0500
68092+++ linux-2.6.32.48/kernel/compat.c 2011-11-15 19:59:43.000000000 -0500
68093@@ -108,7 +108,7 @@ static long compat_nanosleep_restart(str
68094 mm_segment_t oldfs;
68095 long ret;
68096
68097- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
68098+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
68099 oldfs = get_fs();
68100 set_fs(KERNEL_DS);
68101 ret = hrtimer_nanosleep_restart(restart);
68102@@ -140,7 +140,7 @@ asmlinkage long compat_sys_nanosleep(str
68103 oldfs = get_fs();
68104 set_fs(KERNEL_DS);
68105 ret = hrtimer_nanosleep(&tu,
68106- rmtp ? (struct timespec __user *)&rmt : NULL,
68107+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
68108 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
68109 set_fs(oldfs);
68110
68111@@ -247,7 +247,7 @@ asmlinkage long compat_sys_sigpending(co
68112 mm_segment_t old_fs = get_fs();
68113
68114 set_fs(KERNEL_DS);
68115- ret = sys_sigpending((old_sigset_t __user *) &s);
68116+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
68117 set_fs(old_fs);
68118 if (ret == 0)
68119 ret = put_user(s, set);
68120@@ -266,8 +266,8 @@ asmlinkage long compat_sys_sigprocmask(i
68121 old_fs = get_fs();
68122 set_fs(KERNEL_DS);
68123 ret = sys_sigprocmask(how,
68124- set ? (old_sigset_t __user *) &s : NULL,
68125- oset ? (old_sigset_t __user *) &s : NULL);
68126+ set ? (old_sigset_t __force_user *) &s : NULL,
68127+ oset ? (old_sigset_t __force_user *) &s : NULL);
68128 set_fs(old_fs);
68129 if (ret == 0)
68130 if (oset)
68131@@ -310,7 +310,7 @@ asmlinkage long compat_sys_old_getrlimit
68132 mm_segment_t old_fs = get_fs();
68133
68134 set_fs(KERNEL_DS);
68135- ret = sys_old_getrlimit(resource, &r);
68136+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
68137 set_fs(old_fs);
68138
68139 if (!ret) {
68140@@ -385,7 +385,7 @@ asmlinkage long compat_sys_getrusage(int
68141 mm_segment_t old_fs = get_fs();
68142
68143 set_fs(KERNEL_DS);
68144- ret = sys_getrusage(who, (struct rusage __user *) &r);
68145+ ret = sys_getrusage(who, (struct rusage __force_user *) &r);
68146 set_fs(old_fs);
68147
68148 if (ret)
68149@@ -412,8 +412,8 @@ compat_sys_wait4(compat_pid_t pid, compa
68150 set_fs (KERNEL_DS);
68151 ret = sys_wait4(pid,
68152 (stat_addr ?
68153- (unsigned int __user *) &status : NULL),
68154- options, (struct rusage __user *) &r);
68155+ (unsigned int __force_user *) &status : NULL),
68156+ options, (struct rusage __force_user *) &r);
68157 set_fs (old_fs);
68158
68159 if (ret > 0) {
68160@@ -438,8 +438,8 @@ asmlinkage long compat_sys_waitid(int wh
68161 memset(&info, 0, sizeof(info));
68162
68163 set_fs(KERNEL_DS);
68164- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
68165- uru ? (struct rusage __user *)&ru : NULL);
68166+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
68167+ uru ? (struct rusage __force_user *)&ru : NULL);
68168 set_fs(old_fs);
68169
68170 if ((ret < 0) || (info.si_signo == 0))
68171@@ -569,8 +569,8 @@ long compat_sys_timer_settime(timer_t ti
68172 oldfs = get_fs();
68173 set_fs(KERNEL_DS);
68174 err = sys_timer_settime(timer_id, flags,
68175- (struct itimerspec __user *) &newts,
68176- (struct itimerspec __user *) &oldts);
68177+ (struct itimerspec __force_user *) &newts,
68178+ (struct itimerspec __force_user *) &oldts);
68179 set_fs(oldfs);
68180 if (!err && old && put_compat_itimerspec(old, &oldts))
68181 return -EFAULT;
68182@@ -587,7 +587,7 @@ long compat_sys_timer_gettime(timer_t ti
68183 oldfs = get_fs();
68184 set_fs(KERNEL_DS);
68185 err = sys_timer_gettime(timer_id,
68186- (struct itimerspec __user *) &ts);
68187+ (struct itimerspec __force_user *) &ts);
68188 set_fs(oldfs);
68189 if (!err && put_compat_itimerspec(setting, &ts))
68190 return -EFAULT;
68191@@ -606,7 +606,7 @@ long compat_sys_clock_settime(clockid_t
68192 oldfs = get_fs();
68193 set_fs(KERNEL_DS);
68194 err = sys_clock_settime(which_clock,
68195- (struct timespec __user *) &ts);
68196+ (struct timespec __force_user *) &ts);
68197 set_fs(oldfs);
68198 return err;
68199 }
68200@@ -621,7 +621,7 @@ long compat_sys_clock_gettime(clockid_t
68201 oldfs = get_fs();
68202 set_fs(KERNEL_DS);
68203 err = sys_clock_gettime(which_clock,
68204- (struct timespec __user *) &ts);
68205+ (struct timespec __force_user *) &ts);
68206 set_fs(oldfs);
68207 if (!err && put_compat_timespec(&ts, tp))
68208 return -EFAULT;
68209@@ -638,7 +638,7 @@ long compat_sys_clock_getres(clockid_t w
68210 oldfs = get_fs();
68211 set_fs(KERNEL_DS);
68212 err = sys_clock_getres(which_clock,
68213- (struct timespec __user *) &ts);
68214+ (struct timespec __force_user *) &ts);
68215 set_fs(oldfs);
68216 if (!err && tp && put_compat_timespec(&ts, tp))
68217 return -EFAULT;
68218@@ -650,9 +650,9 @@ static long compat_clock_nanosleep_resta
68219 long err;
68220 mm_segment_t oldfs;
68221 struct timespec tu;
68222- struct compat_timespec *rmtp = restart->nanosleep.compat_rmtp;
68223+ struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
68224
68225- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
68226+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
68227 oldfs = get_fs();
68228 set_fs(KERNEL_DS);
68229 err = clock_nanosleep_restart(restart);
68230@@ -684,8 +684,8 @@ long compat_sys_clock_nanosleep(clockid_
68231 oldfs = get_fs();
68232 set_fs(KERNEL_DS);
68233 err = sys_clock_nanosleep(which_clock, flags,
68234- (struct timespec __user *) &in,
68235- (struct timespec __user *) &out);
68236+ (struct timespec __force_user *) &in,
68237+ (struct timespec __force_user *) &out);
68238 set_fs(oldfs);
68239
68240 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
68241diff -urNp linux-2.6.32.48/kernel/configs.c linux-2.6.32.48/kernel/configs.c
68242--- linux-2.6.32.48/kernel/configs.c 2011-11-08 19:02:43.000000000 -0500
68243+++ linux-2.6.32.48/kernel/configs.c 2011-11-15 19:59:43.000000000 -0500
68244@@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
68245 struct proc_dir_entry *entry;
68246
68247 /* create the current config file */
68248+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
68249+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
68250+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
68251+ &ikconfig_file_ops);
68252+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
68253+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
68254+ &ikconfig_file_ops);
68255+#endif
68256+#else
68257 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
68258 &ikconfig_file_ops);
68259+#endif
68260+
68261 if (!entry)
68262 return -ENOMEM;
68263
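Review bot: `entry` is left unassigned when `CONFIG_GRKERNSEC_PROC_ADD` is set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_PROC_USERGROUP` or `CONFIG_GRKERNSEC_HIDESYM` is, because the inner `#if`/`#elif` chain has no `#else`. The `if (!entry)` test below would then read an uninitialized pointer. Kconfig may rule that combination out (not visible here); closing the inner chain with `#else` followed by `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` makes the assumption explicit. `ikconfig_init()` starts and ends outside the hunk.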
68264diff -urNp linux-2.6.32.48/kernel/cpu.c linux-2.6.32.48/kernel/cpu.c
68265--- linux-2.6.32.48/kernel/cpu.c 2011-11-08 19:02:43.000000000 -0500
68266+++ linux-2.6.32.48/kernel/cpu.c 2011-11-15 19:59:43.000000000 -0500
68267@@ -19,7 +19,7 @@
68268 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
68269 static DEFINE_MUTEX(cpu_add_remove_lock);
68270
68271-static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
68272+static RAW_NOTIFIER_HEAD(cpu_chain);
68273
68274 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
68275 * Should always be manipulated under cpu_add_remove_lock
68276diff -urNp linux-2.6.32.48/kernel/cred.c linux-2.6.32.48/kernel/cred.c
68277--- linux-2.6.32.48/kernel/cred.c 2011-11-08 19:02:43.000000000 -0500
68278+++ linux-2.6.32.48/kernel/cred.c 2011-11-15 19:59:43.000000000 -0500
68279@@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
68280 */
68281 void __put_cred(struct cred *cred)
68282 {
68283+ pax_track_stack();
68284+
68285 kdebug("__put_cred(%p{%d,%d})", cred,
68286 atomic_read(&cred->usage),
68287 read_cred_subscribers(cred));
68288@@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
68289 {
68290 struct cred *cred;
68291
68292+ pax_track_stack();
68293+
68294 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
68295 atomic_read(&tsk->cred->usage),
68296 read_cred_subscribers(tsk->cred));
68297@@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
68298 {
68299 const struct cred *cred;
68300
68301+ pax_track_stack();
68302+
68303 rcu_read_lock();
68304
68305 do {
68306@@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
68307 {
68308 struct cred *new;
68309
68310+ pax_track_stack();
68311+
68312 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
68313 if (!new)
68314 return NULL;
68315@@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
68316 const struct cred *old;
68317 struct cred *new;
68318
68319+ pax_track_stack();
68320+
68321 validate_process_creds();
68322
68323 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
68324@@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
68325 struct thread_group_cred *tgcred = NULL;
68326 struct cred *new;
68327
68328+ pax_track_stack();
68329+
68330 #ifdef CONFIG_KEYS
68331 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
68332 if (!tgcred)
68333@@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
68334 struct cred *new;
68335 int ret;
68336
68337+ pax_track_stack();
68338+
68339 mutex_init(&p->cred_guard_mutex);
68340
68341 if (
68342@@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
68343 struct task_struct *task = current;
68344 const struct cred *old = task->real_cred;
68345
68346+ pax_track_stack();
68347+
68348 kdebug("commit_creds(%p{%d,%d})", new,
68349 atomic_read(&new->usage),
68350 read_cred_subscribers(new));
68351@@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
68352
68353 get_cred(new); /* we will require a ref for the subj creds too */
68354
68355+ gr_set_role_label(task, new->uid, new->gid);
68356+
68357 /* dumpability changes */
68358 if (old->euid != new->euid ||
68359 old->egid != new->egid ||
68360@@ -563,10 +581,8 @@ int commit_creds(struct cred *new)
68361 key_fsgid_changed(task);
68362
68363 /* do it
68364- * - What if a process setreuid()'s and this brings the
68365- * new uid over his NPROC rlimit? We can check this now
68366- * cheaply with the new uid cache, so if it matters
68367- * we should be checking for it. -DaveM
68368+ * RLIMIT_NPROC limits on user->processes have already been checked
68369+ * in set_user().
68370 */
68371 alter_cred_subscribers(new, 2);
68372 if (new->user != old->user)
68373@@ -606,6 +622,8 @@ EXPORT_SYMBOL(commit_creds);
68374 */
68375 void abort_creds(struct cred *new)
68376 {
68377+ pax_track_stack();
68378+
68379 kdebug("abort_creds(%p{%d,%d})", new,
68380 atomic_read(&new->usage),
68381 read_cred_subscribers(new));
68382@@ -629,6 +647,8 @@ const struct cred *override_creds(const
68383 {
68384 const struct cred *old = current->cred;
68385
68386+ pax_track_stack();
68387+
68388 kdebug("override_creds(%p{%d,%d})", new,
68389 atomic_read(&new->usage),
68390 read_cred_subscribers(new));
68391@@ -658,6 +678,8 @@ void revert_creds(const struct cred *old
68392 {
68393 const struct cred *override = current->cred;
68394
68395+ pax_track_stack();
68396+
68397 kdebug("revert_creds(%p{%d,%d})", old,
68398 atomic_read(&old->usage),
68399 read_cred_subscribers(old));
68400@@ -704,6 +726,8 @@ struct cred *prepare_kernel_cred(struct
68401 const struct cred *old;
68402 struct cred *new;
68403
68404+ pax_track_stack();
68405+
68406 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
68407 if (!new)
68408 return NULL;
68409@@ -758,6 +782,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
68410 */
68411 int set_security_override(struct cred *new, u32 secid)
68412 {
68413+ pax_track_stack();
68414+
68415 return security_kernel_act_as(new, secid);
68416 }
68417 EXPORT_SYMBOL(set_security_override);
68418@@ -777,6 +803,8 @@ int set_security_override_from_ctx(struc
68419 u32 secid;
68420 int ret;
68421
68422+ pax_track_stack();
68423+
68424 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
68425 if (ret < 0)
68426 return ret;
68427diff -urNp linux-2.6.32.48/kernel/exit.c linux-2.6.32.48/kernel/exit.c
68428--- linux-2.6.32.48/kernel/exit.c 2011-11-08 19:02:43.000000000 -0500
68429+++ linux-2.6.32.48/kernel/exit.c 2011-11-15 19:59:43.000000000 -0500
68430@@ -55,6 +55,10 @@
68431 #include <asm/pgtable.h>
68432 #include <asm/mmu_context.h>
68433
68434+#ifdef CONFIG_GRKERNSEC
68435+extern rwlock_t grsec_exec_file_lock;
68436+#endif
68437+
68438 static void exit_mm(struct task_struct * tsk);
68439
68440 static void __unhash_process(struct task_struct *p)
68441@@ -174,6 +178,10 @@ void release_task(struct task_struct * p
68442 struct task_struct *leader;
68443 int zap_leader;
68444 repeat:
68445+#ifdef CONFIG_NET
68446+ gr_del_task_from_ip_table(p);
68447+#endif
68448+
68449 tracehook_prepare_release_task(p);
68450 /* don't need to get the RCU readlock here - the process is dead and
68451 * can't be modifying its own credentials */
68452@@ -341,11 +349,22 @@ static void reparent_to_kthreadd(void)
68453 {
68454 write_lock_irq(&tasklist_lock);
68455
68456+#ifdef CONFIG_GRKERNSEC
68457+ write_lock(&grsec_exec_file_lock);
68458+ if (current->exec_file) {
68459+ fput(current->exec_file);
68460+ current->exec_file = NULL;
68461+ }
68462+ write_unlock(&grsec_exec_file_lock);
68463+#endif
68464+
68465 ptrace_unlink(current);
68466 /* Reparent to init */
68467 current->real_parent = current->parent = kthreadd_task;
68468 list_move_tail(&current->sibling, &current->real_parent->children);
68469
68470+ gr_set_kernel_label(current);
68471+
68472 /* Set the exit signal to SIGCHLD so we signal init on exit */
68473 current->exit_signal = SIGCHLD;
68474
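Review bot: `fput()` is called here while `tasklist_lock` is write-held with interrupts off (the `write_lock_irq()` context line) and `grsec_exec_file_lock` is write-held; dropping the last reference to a file can sleep, which is not allowed in that context. The reference should be detached under the lock and released after it: in `daemonize()` right after `write_unlock(&grsec_exec_file_lock)`, and in `reparent_to_kthreadd()` only after the `write_unlock_irq(&tasklist_lock)` that lies outside this hunk. The identical block in the `daemonize()` hunk below has the same problem, so a small static helper would also remove the duplication. The fence shows the detach-then-release form for `daemonize()`.

```c
#ifdef CONFIG_GRKERNSEC
	{
		struct file *exec_file;

		/* detach under the lock, drop the reference after it */
		write_lock(&grsec_exec_file_lock);
		exec_file = current->exec_file;
		current->exec_file = NULL;
		write_unlock(&grsec_exec_file_lock);
		if (exec_file)
			fput(exec_file);
	}
#endif
	/* … unchanged: gr_set_kernel_label(current) … */
```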
68475@@ -397,7 +416,7 @@ int allow_signal(int sig)
68476 * know it'll be handled, so that they don't get converted to
68477 * SIGKILL or just silently dropped.
68478 */
68479- current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
68480+ current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
68481 recalc_sigpending();
68482 spin_unlock_irq(&current->sighand->siglock);
68483 return 0;
68484@@ -433,6 +452,17 @@ void daemonize(const char *name, ...)
68485 vsnprintf(current->comm, sizeof(current->comm), name, args);
68486 va_end(args);
68487
68488+#ifdef CONFIG_GRKERNSEC
68489+ write_lock(&grsec_exec_file_lock);
68490+ if (current->exec_file) {
68491+ fput(current->exec_file);
68492+ current->exec_file = NULL;
68493+ }
68494+ write_unlock(&grsec_exec_file_lock);
68495+#endif
68496+
68497+ gr_set_kernel_label(current);
68498+
68499 /*
68500 * If we were started as result of loading a module, close all of the
68501 * user space pages. We don't need them, and if we didn't close them
68502@@ -897,17 +927,17 @@ NORET_TYPE void do_exit(long code)
68503 struct task_struct *tsk = current;
68504 int group_dead;
68505
68506- profile_task_exit(tsk);
68507-
68508- WARN_ON(atomic_read(&tsk->fs_excl));
68509-
68510+ /*
68511+ * Check this first since set_fs() below depends on
68512+ * current_thread_info(), which we better not access when we're in
68513+ * interrupt context. Other than that, we want to do the set_fs()
68514+ * as early as possible.
68515+ */
68516 if (unlikely(in_interrupt()))
68517 panic("Aiee, killing interrupt handler!");
68518- if (unlikely(!tsk->pid))
68519- panic("Attempted to kill the idle task!");
68520
68521 /*
68522- * If do_exit is called because this processes oopsed, it's possible
68523+ * If do_exit is called because this processes Oops'ed, it's possible
68524 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
68525 * continuing. Amongst other possible reasons, this is to prevent
68526 * mm_release()->clear_child_tid() from writing to a user-controlled
68527@@ -915,6 +945,13 @@ NORET_TYPE void do_exit(long code)
68528 */
68529 set_fs(USER_DS);
68530
68531+ profile_task_exit(tsk);
68532+
68533+ WARN_ON(atomic_read(&tsk->fs_excl));
68534+
68535+ if (unlikely(!tsk->pid))
68536+ panic("Attempted to kill the idle task!");
68537+
68538 tracehook_report_exit(&code);
68539
68540 validate_creds_for_do_exit(tsk);
68541@@ -973,6 +1010,9 @@ NORET_TYPE void do_exit(long code)
68542 tsk->exit_code = code;
68543 taskstats_exit(tsk, group_dead);
68544
68545+ gr_acl_handle_psacct(tsk, code);
68546+ gr_acl_handle_exit();
68547+
68548 exit_mm(tsk);
68549
68550 if (group_dead)
68551@@ -1188,7 +1228,7 @@ static int wait_task_zombie(struct wait_
68552
68553 if (unlikely(wo->wo_flags & WNOWAIT)) {
68554 int exit_code = p->exit_code;
68555- int why, status;
68556+ int why;
68557
68558 get_task_struct(p);
68559 read_unlock(&tasklist_lock);
68560diff -urNp linux-2.6.32.48/kernel/fork.c linux-2.6.32.48/kernel/fork.c
68561--- linux-2.6.32.48/kernel/fork.c 2011-11-08 19:02:43.000000000 -0500
68562+++ linux-2.6.32.48/kernel/fork.c 2011-11-15 19:59:43.000000000 -0500
68563@@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
68564 *stackend = STACK_END_MAGIC; /* for overflow detection */
68565
68566 #ifdef CONFIG_CC_STACKPROTECTOR
68567- tsk->stack_canary = get_random_int();
68568+ tsk->stack_canary = pax_get_random_long();
68569 #endif
68570
68571 /* One for us, one for whoever does the "release_task()" (usually parent) */
68572@@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
68573 mm->locked_vm = 0;
68574 mm->mmap = NULL;
68575 mm->mmap_cache = NULL;
68576- mm->free_area_cache = oldmm->mmap_base;
68577- mm->cached_hole_size = ~0UL;
68578+ mm->free_area_cache = oldmm->free_area_cache;
68579+ mm->cached_hole_size = oldmm->cached_hole_size;
68580 mm->map_count = 0;
68581 cpumask_clear(mm_cpumask(mm));
68582 mm->mm_rb = RB_ROOT;
68583@@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
68584 tmp->vm_flags &= ~VM_LOCKED;
68585 tmp->vm_mm = mm;
68586 tmp->vm_next = tmp->vm_prev = NULL;
68587+ tmp->vm_mirror = NULL;
68588 anon_vma_link(tmp);
68589 file = tmp->vm_file;
68590 if (file) {
68591@@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
68592 if (retval)
68593 goto out;
68594 }
68595+
68596+#ifdef CONFIG_PAX_SEGMEXEC
68597+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
68598+ struct vm_area_struct *mpnt_m;
68599+
68600+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
68601+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
68602+
68603+ if (!mpnt->vm_mirror)
68604+ continue;
68605+
68606+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
68607+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
68608+ mpnt->vm_mirror = mpnt_m;
68609+ } else {
68610+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
68611+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
68612+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
68613+ mpnt->vm_mirror->vm_mirror = mpnt;
68614+ }
68615+ }
68616+ BUG_ON(mpnt_m);
68617+ }
68618+#endif
68619+
68620 /* a new mm has just been created */
68621 arch_dup_mmap(oldmm, mm);
68622 retval = 0;
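Review bot: The SEGMEXEC fix-up loop advances `mpnt` and `mpnt_m` in lockstep, so it is only correct if the copy loop earlier in dup_mmap (outside this hunk) produced exactly one child vma per parent vma, in the same order. If that loop can skip a parent vma (upstream skips those flagged VM_DONTCOPY), the two lists fall out of step and the first `BUG_ON` halts the kernel during fork instead of failing the fork. Either skip the same vmas here, with `if (mpnt->vm_flags & VM_DONTCOPY) continue;` and the `mpnt_m` advance moved into the loop body, or state the one-to-one invariant in a comment above the loop. The two branches also need a short comment, because the lower-half branch temporarily points the parent's `vm_mirror` at the child vma and only the upper-half branch restores it.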
68623@@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
68624 write_unlock(&fs->lock);
68625 return -EAGAIN;
68626 }
68627- fs->users++;
68628+ atomic_inc(&fs->users);
68629 write_unlock(&fs->lock);
68630 return 0;
68631 }
68632 tsk->fs = copy_fs_struct(fs);
68633 if (!tsk->fs)
68634 return -ENOMEM;
68635+ gr_set_chroot_entries(tsk, &tsk->fs->root);
68636 return 0;
68637 }
68638
68639@@ -1033,12 +1060,16 @@ static struct task_struct *copy_process(
68640 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
68641 #endif
68642 retval = -EAGAIN;
68643+
68644+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
68645+
68646 if (atomic_read(&p->real_cred->user->processes) >=
68647 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
68648- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
68649- p->real_cred->user != INIT_USER)
68650+ if (p->real_cred->user != INIT_USER &&
68651+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
68652 goto bad_fork_free;
68653 }
68654+ current->flags &= ~PF_NPROC_EXCEEDED;
68655
68656 retval = copy_creds(p, clone_flags);
68657 if (retval < 0)
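Review bot: The reordered condition in the RLIMIT_NPROC branch now tests `p->real_cred->user != INIT_USER` before the two `capable()` calls, but nothing records why the order matters. If the reason is that capable() has side effects that should not occur when the cheaper test already decides the outcome, a one-line comment such as `/* test INIT_USER first: capable() is not side-effect free */` would keep a later cleanup from undoing it. Separately, `gr_learn_resource()` and the limit test each call `atomic_read()` on the process count, so the learned value and the enforced value can differ; reading it once into a local would keep them consistent. copy_process starts and ends outside this hunk.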
68658@@ -1183,6 +1214,8 @@ static struct task_struct *copy_process(
68659 goto bad_fork_free_pid;
68660 }
68661
68662+ gr_copy_label(p);
68663+
68664 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
68665 /*
68666 * Clear TID on mm_release()?
68667@@ -1333,6 +1366,8 @@ bad_fork_cleanup_count:
68668 bad_fork_free:
68669 free_task(p);
68670 fork_out:
68671+ gr_log_forkfail(retval);
68672+
68673 return ERR_PTR(retval);
68674 }
68675
68676@@ -1426,6 +1461,8 @@ long do_fork(unsigned long clone_flags,
68677 if (clone_flags & CLONE_PARENT_SETTID)
68678 put_user(nr, parent_tidptr);
68679
68680+ gr_handle_brute_check();
68681+
68682 if (clone_flags & CLONE_VFORK) {
68683 p->vfork_done = &vfork;
68684 init_completion(&vfork);
68685@@ -1558,7 +1595,7 @@ static int unshare_fs(unsigned long unsh
68686 return 0;
68687
68688 /* don't need lock here; in the worst case we'll do useless copy */
68689- if (fs->users == 1)
68690+ if (atomic_read(&fs->users) == 1)
68691 return 0;
68692
68693 *new_fsp = copy_fs_struct(fs);
68694@@ -1681,7 +1718,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
68695 fs = current->fs;
68696 write_lock(&fs->lock);
68697 current->fs = new_fs;
68698- if (--fs->users)
68699+ gr_set_chroot_entries(current, &current->fs->root);
68700+ if (atomic_dec_return(&fs->users))
68701 new_fs = NULL;
68702 else
68703 new_fs = fs;
68704diff -urNp linux-2.6.32.48/kernel/futex.c linux-2.6.32.48/kernel/futex.c
68705--- linux-2.6.32.48/kernel/futex.c 2011-11-08 19:02:43.000000000 -0500
68706+++ linux-2.6.32.48/kernel/futex.c 2011-11-15 19:59:43.000000000 -0500
68707@@ -54,6 +54,7 @@
68708 #include <linux/mount.h>
68709 #include <linux/pagemap.h>
68710 #include <linux/syscalls.h>
68711+#include <linux/ptrace.h>
68712 #include <linux/signal.h>
68713 #include <linux/module.h>
68714 #include <linux/magic.h>
68715@@ -223,6 +224,11 @@ get_futex_key(u32 __user *uaddr, int fsh
68716 struct page *page;
68717 int err, ro = 0;
68718
68719+#ifdef CONFIG_PAX_SEGMEXEC
68720+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
68721+ return -EFAULT;
68722+#endif
68723+
68724 /*
68725 * The futex address must be "naturally" aligned.
68726 */
68727@@ -1819,6 +1825,8 @@ static int futex_wait(u32 __user *uaddr,
68728 struct futex_q q;
68729 int ret;
68730
68731+ pax_track_stack();
68732+
68733 if (!bitset)
68734 return -EINVAL;
68735
68736@@ -1871,7 +1879,7 @@ retry:
68737
68738 restart = &current_thread_info()->restart_block;
68739 restart->fn = futex_wait_restart;
68740- restart->futex.uaddr = (u32 *)uaddr;
68741+ restart->futex.uaddr = uaddr;
68742 restart->futex.val = val;
68743 restart->futex.time = abs_time->tv64;
68744 restart->futex.bitset = bitset;
68745@@ -2233,6 +2241,8 @@ static int futex_wait_requeue_pi(u32 __u
68746 struct futex_q q;
68747 int res, ret;
68748
68749+ pax_track_stack();
68750+
68751 if (!bitset)
68752 return -EINVAL;
68753
68754@@ -2407,7 +2417,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68755 {
68756 struct robust_list_head __user *head;
68757 unsigned long ret;
68758+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68759 const struct cred *cred = current_cred(), *pcred;
68760+#endif
68761
68762 if (!futex_cmpxchg_enabled)
68763 return -ENOSYS;
68764@@ -2423,11 +2435,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
68765 if (!p)
68766 goto err_unlock;
68767 ret = -EPERM;
68768+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68769+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
68770+ goto err_unlock;
68771+#else
68772 pcred = __task_cred(p);
68773 if (cred->euid != pcred->euid &&
68774 cred->euid != pcred->uid &&
68775 !capable(CAP_SYS_PTRACE))
68776 goto err_unlock;
68777+#endif
68778 head = p->robust_list;
68779 rcu_read_unlock();
68780 }
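Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only under CONFIG_GRKERNSEC_PROC_MEMMAP, so a kernel built without that option keeps the euid/uid comparison in the `#else` branch. That comparison hands out the robust-list head address of any task whose real or effective uid matches the caller's euid, which discloses part of that task's address-space layout. The ptrace access check is the stricter test and looks suitable as the only path, so consider dropping the `#ifdef` together with the `cred`/`pcred` locals and using `if (!ptrace_may_access(p, PTRACE_MODE_READ)) goto err_unlock;` in both configurations. The same gating is repeated in compat_sys_get_robust_list in kernel/futex_compat.c, and the syscall body starts and ends outside this hunk.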
68781@@ -2489,7 +2506,7 @@ retry:
68782 */
68783 static inline int fetch_robust_entry(struct robust_list __user **entry,
68784 struct robust_list __user * __user *head,
68785- int *pi)
68786+ unsigned int *pi)
68787 {
68788 unsigned long uentry;
68789
68790@@ -2670,6 +2687,7 @@ static int __init futex_init(void)
68791 {
68792 u32 curval;
68793 int i;
68794+ mm_segment_t oldfs;
68795
68796 /*
68797 * This will fail and we want it. Some arch implementations do
68798@@ -2681,7 +2699,10 @@ static int __init futex_init(void)
68799 * implementation, the non functional ones will return
68800 * -ENOSYS.
68801 */
68802+ oldfs = get_fs();
68803+ set_fs(USER_DS);
68804 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
68805+ set_fs(oldfs);
68806 if (curval == -EFAULT)
68807 futex_cmpxchg_enabled = 1;
68808
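Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair added around the probe has no comment, and the existing block comment only explains that the call is expected to fail. Presumably the NULL access has to be checked as a user access so that a working implementation returns -EFAULT under the address limit in force during init. That should be stated next to the call, for example `/* probe with the user address limit; initcalls run with the kernel one */`. It would also help to note that `oldfs` is restored unconditionally, so the function leaves the address limit as it found it.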
68809diff -urNp linux-2.6.32.48/kernel/futex_compat.c linux-2.6.32.48/kernel/futex_compat.c
68810--- linux-2.6.32.48/kernel/futex_compat.c 2011-11-08 19:02:43.000000000 -0500
68811+++ linux-2.6.32.48/kernel/futex_compat.c 2011-11-15 19:59:43.000000000 -0500
68812@@ -10,6 +10,7 @@
68813 #include <linux/compat.h>
68814 #include <linux/nsproxy.h>
68815 #include <linux/futex.h>
68816+#include <linux/ptrace.h>
68817
68818 #include <asm/uaccess.h>
68819
68820@@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
68821 {
68822 struct compat_robust_list_head __user *head;
68823 unsigned long ret;
68824- const struct cred *cred = current_cred(), *pcred;
68825+#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
68826+ const struct cred *cred = current_cred();
68827+ const struct cred *pcred;
68828+#endif
68829
68830 if (!futex_cmpxchg_enabled)
68831 return -ENOSYS;
68832@@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
68833 if (!p)
68834 goto err_unlock;
68835 ret = -EPERM;
68836+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
68837+ if (!ptrace_may_access(p, PTRACE_MODE_READ))
68838+ goto err_unlock;
68839+#else
68840 pcred = __task_cred(p);
68841 if (cred->euid != pcred->euid &&
68842 cred->euid != pcred->uid &&
68843 !capable(CAP_SYS_PTRACE))
68844 goto err_unlock;
68845+#endif
68846 head = p->compat_robust_list;
68847 read_unlock(&tasklist_lock);
68848 }
68849diff -urNp linux-2.6.32.48/kernel/gcov/base.c linux-2.6.32.48/kernel/gcov/base.c
68850--- linux-2.6.32.48/kernel/gcov/base.c 2011-11-08 19:02:43.000000000 -0500
68851+++ linux-2.6.32.48/kernel/gcov/base.c 2011-11-15 19:59:43.000000000 -0500
68852@@ -102,11 +102,6 @@ void gcov_enable_events(void)
68853 }
68854
68855 #ifdef CONFIG_MODULES
68856-static inline int within(void *addr, void *start, unsigned long size)
68857-{
68858- return ((addr >= start) && (addr < start + size));
68859-}
68860-
68861 /* Update list and generate events when modules are unloaded. */
68862 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
68863 void *data)
68864@@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
68865 prev = NULL;
68866 /* Remove entries located in module from linked list. */
68867 for (info = gcov_info_head; info; info = info->next) {
68868- if (within(info, mod->module_core, mod->core_size)) {
68869+ if (within_module_core_rw((unsigned long)info, mod)) {
68870 if (prev)
68871 prev->next = info->next;
68872 else
68873diff -urNp linux-2.6.32.48/kernel/hrtimer.c linux-2.6.32.48/kernel/hrtimer.c
68874--- linux-2.6.32.48/kernel/hrtimer.c 2011-11-08 19:02:43.000000000 -0500
68875+++ linux-2.6.32.48/kernel/hrtimer.c 2011-11-15 19:59:43.000000000 -0500
68876@@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
68877 local_irq_restore(flags);
68878 }
68879
68880-static void run_hrtimer_softirq(struct softirq_action *h)
68881+static void run_hrtimer_softirq(void)
68882 {
68883 hrtimer_peek_ahead_timers();
68884 }
68885diff -urNp linux-2.6.32.48/kernel/kallsyms.c linux-2.6.32.48/kernel/kallsyms.c
68886--- linux-2.6.32.48/kernel/kallsyms.c 2011-11-08 19:02:43.000000000 -0500
68887+++ linux-2.6.32.48/kernel/kallsyms.c 2011-11-15 19:59:43.000000000 -0500
68888@@ -11,6 +11,9 @@
68889 * Changed the compression method from stem compression to "table lookup"
68890 * compression (see scripts/kallsyms.c for a more complete description)
68891 */
68892+#ifdef CONFIG_GRKERNSEC_HIDESYM
68893+#define __INCLUDED_BY_HIDESYM 1
68894+#endif
68895 #include <linux/kallsyms.h>
68896 #include <linux/module.h>
68897 #include <linux/init.h>
68898@@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
68899
68900 static inline int is_kernel_inittext(unsigned long addr)
68901 {
68902+ if (system_state != SYSTEM_BOOTING)
68903+ return 0;
68904+
68905 if (addr >= (unsigned long)_sinittext
68906 && addr <= (unsigned long)_einittext)
68907 return 1;
68908 return 0;
68909 }
68910
68911+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68912+#ifdef CONFIG_MODULES
68913+static inline int is_module_text(unsigned long addr)
68914+{
68915+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
68916+ return 1;
68917+
68918+ addr = ktla_ktva(addr);
68919+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
68920+}
68921+#else
68922+static inline int is_module_text(unsigned long addr)
68923+{
68924+ return 0;
68925+}
68926+#endif
68927+#endif
68928+
68929 static inline int is_kernel_text(unsigned long addr)
68930 {
68931 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
68932@@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
68933
68934 static inline int is_kernel(unsigned long addr)
68935 {
68936+
68937+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68938+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
68939+ return 1;
68940+
68941+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
68942+#else
68943 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
68944+#endif
68945+
68946 return 1;
68947 return in_gate_area_no_task(addr);
68948 }
68949
68950 static int is_ksym_addr(unsigned long addr)
68951 {
68952+
68953+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
68954+ if (is_module_text(addr))
68955+ return 0;
68956+#endif
68957+
68958 if (all_var)
68959 return is_kernel(addr);
68960
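Review bot: In is_kernel() the `if` condition is selected by `#if`/`#else` while its `return 1;` body sits after the `#endif` and a blank line, which makes the statement hard to read and easy to break when one branch is edited. Putting each range test into a complete statement inside its own preprocessor branch, or moving the KERNEXEC variant into a small helper, would avoid the split. The two branches also disagree on the upper bound, since the KERNEXEC one uses `addr < (unsigned long)_end` and the other `addr <= (unsigned long)_end`; if that is intentional it needs a comment. The blank lines added directly after the opening brace of is_kernel() and is_ksym_addr() can be dropped.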
68961@@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
68962
68963 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
68964 {
68965- iter->name[0] = '\0';
68966 iter->nameoff = get_symbol_offset(new_pos);
68967 iter->pos = new_pos;
68968 }
68969@@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
68970 {
68971 struct kallsym_iter *iter = m->private;
68972
68973+#ifdef CONFIG_GRKERNSEC_HIDESYM
68974+ if (current_uid())
68975+ return 0;
68976+#endif
68977+
68978 /* Some debugging symbols have no name. Ignore them. */
68979 if (!iter->name[0])
68980 return 0;
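Review bot: The HIDESYM check in s_show() tests `current_uid()` at read time, so the decision follows whichever task calls read() on the descriptor rather than the task that opened the file. A descriptor opened by an unprivileged task and later read by a uid-0 task would therefore get the full symbol list. Making the decision once in kallsyms_open() against the opener's credentials and recording it in the iterator would bind the result to the open. Returning 0 also yields a silently empty file, so a comment such as `/* non-root readers see an empty file, not an error */` would document that choice; the rest of s_show() is outside this hunk.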
68981@@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
68982 struct kallsym_iter *iter;
68983 int ret;
68984
68985- iter = kmalloc(sizeof(*iter), GFP_KERNEL);
68986+ iter = kzalloc(sizeof(*iter), GFP_KERNEL);
68987 if (!iter)
68988 return -ENOMEM;
68989 reset_iter(iter, 0);
68990diff -urNp linux-2.6.32.48/kernel/kexec.c linux-2.6.32.48/kernel/kexec.c
68991--- linux-2.6.32.48/kernel/kexec.c 2011-11-08 19:02:43.000000000 -0500
68992+++ linux-2.6.32.48/kernel/kexec.c 2011-11-15 19:59:43.000000000 -0500
68993@@ -1028,7 +1028,8 @@ asmlinkage long compat_sys_kexec_load(un
68994 unsigned long flags)
68995 {
68996 struct compat_kexec_segment in;
68997- struct kexec_segment out, __user *ksegments;
68998+ struct kexec_segment out;
68999+ struct kexec_segment __user *ksegments;
69000 unsigned long i, result;
69001
69002 /* Don't allow clients that don't understand the native
69003diff -urNp linux-2.6.32.48/kernel/kgdb.c linux-2.6.32.48/kernel/kgdb.c
69004--- linux-2.6.32.48/kernel/kgdb.c 2011-11-08 19:02:43.000000000 -0500
69005+++ linux-2.6.32.48/kernel/kgdb.c 2011-11-15 19:59:43.000000000 -0500
69006@@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
69007 /* Guard for recursive entry */
69008 static int exception_level;
69009
69010-static struct kgdb_io *kgdb_io_ops;
69011+static const struct kgdb_io *kgdb_io_ops;
69012 static DEFINE_SPINLOCK(kgdb_registration_lock);
69013
69014 /* kgdb console driver is loaded */
69015@@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
69016 */
69017 static atomic_t passive_cpu_wait[NR_CPUS];
69018 static atomic_t cpu_in_kgdb[NR_CPUS];
69019-atomic_t kgdb_setting_breakpoint;
69020+atomic_unchecked_t kgdb_setting_breakpoint;
69021
69022 struct task_struct *kgdb_usethread;
69023 struct task_struct *kgdb_contthread;
69024@@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
69025 sizeof(unsigned long)];
69026
69027 /* to keep track of the CPU which is doing the single stepping*/
69028-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
69029+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
69030
69031 /*
69032 * If you are debugging a problem where roundup (the collection of
69033@@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
69034 return 0;
69035 if (kgdb_connected)
69036 return 1;
69037- if (atomic_read(&kgdb_setting_breakpoint))
69038+ if (atomic_read_unchecked(&kgdb_setting_breakpoint))
69039 return 1;
69040 if (print_wait)
69041 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
69042@@ -1426,8 +1426,8 @@ acquirelock:
69043 * instance of the exception handler wanted to come into the
69044 * debugger on a different CPU via a single step
69045 */
69046- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
69047- atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
69048+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
69049+ atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
69050
69051 atomic_set(&kgdb_active, -1);
69052 touch_softlockup_watchdog();
69053@@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
69054 *
69055 * Register it with the KGDB core.
69056 */
69057-int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
69058+int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
69059 {
69060 int err;
69061
69062@@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
69063 *
69064 * Unregister it with the KGDB core.
69065 */
69066-void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
69067+void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
69068 {
69069 BUG_ON(kgdb_connected);
69070
69071@@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
69072 */
69073 void kgdb_breakpoint(void)
69074 {
69075- atomic_set(&kgdb_setting_breakpoint, 1);
69076+ atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
69077 wmb(); /* Sync point before breakpoint */
69078 arch_kgdb_breakpoint();
69079 wmb(); /* Sync point after breakpoint */
69080- atomic_set(&kgdb_setting_breakpoint, 0);
69081+ atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
69082 }
69083 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
69084
69085diff -urNp linux-2.6.32.48/kernel/kmod.c linux-2.6.32.48/kernel/kmod.c
69086--- linux-2.6.32.48/kernel/kmod.c 2011-11-08 19:02:43.000000000 -0500
69087+++ linux-2.6.32.48/kernel/kmod.c 2011-11-15 19:59:43.000000000 -0500
69088@@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
69089 * If module auto-loading support is disabled then this function
69090 * becomes a no-operation.
69091 */
69092-int __request_module(bool wait, const char *fmt, ...)
69093+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
69094 {
69095- va_list args;
69096 char module_name[MODULE_NAME_LEN];
69097 unsigned int max_modprobes;
69098 int ret;
69099- char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
69100+ char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
69101 static char *envp[] = { "HOME=/",
69102 "TERM=linux",
69103 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
69104@@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
69105 if (ret)
69106 return ret;
69107
69108- va_start(args, fmt);
69109- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
69110- va_end(args);
69111+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
69112 if (ret >= MODULE_NAME_LEN)
69113 return -ENAMETOOLONG;
69114
69115+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69116+ if (!current_uid()) {
69117+ /* hack to workaround consolekit/udisks stupidity */
69118+ read_lock(&tasklist_lock);
69119+ if (!strcmp(current->comm, "mount") &&
69120+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
69121+ read_unlock(&tasklist_lock);
69122+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
69123+ return -EPERM;
69124+ }
69125+ read_unlock(&tasklist_lock);
69126+ }
69127+#endif
69128+
69129 /* If modprobe needs a service that is in a module, we get a recursive
69130 * loop. Limit the number of running kmod threads to max_threads/2 or
69131 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
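Review bot: The udisks exception identifies the caller by comparing `current->comm` and the parent's `comm` with fixed strings, and a task can change its own comm, so this is a best-effort heuristic rather than an identity check. The existing comment (`hack to workaround consolekit/udisks stupidity`) says neither what is being refused nor why a name match is acceptable here. If the intent is as it appears, something like `/* best effort: refuse fs module auto-load when root's mount was started by udisks; comm is not authoritative */` would be clearer. The literal `5` in the `strncmp` is better written as `strlen("udisk")`, and ____request_module continues outside this hunk.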
69132@@ -123,6 +134,48 @@ int __request_module(bool wait, const ch
69133 atomic_dec(&kmod_concurrent);
69134 return ret;
69135 }
69136+
69137+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
69138+{
69139+ va_list args;
69140+ int ret;
69141+
69142+ va_start(args, fmt);
69143+ ret = ____request_module(wait, module_param, fmt, args);
69144+ va_end(args);
69145+
69146+ return ret;
69147+}
69148+
69149+int __request_module(bool wait, const char *fmt, ...)
69150+{
69151+ va_list args;
69152+ int ret;
69153+
69154+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69155+ if (current_uid()) {
69156+ char module_param[MODULE_NAME_LEN];
69157+
69158+ memset(module_param, 0, sizeof(module_param));
69159+
69160+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
69161+
69162+ va_start(args, fmt);
69163+ ret = ____request_module(wait, module_param, fmt, args);
69164+ va_end(args);
69165+
69166+ return ret;
69167+ }
69168+#endif
69169+
69170+ va_start(args, fmt);
69171+ ret = ____request_module(wait, NULL, fmt, args);
69172+ va_end(args);
69173+
69174+ return ret;
69175+}
69176+
69177+
69178 EXPORT_SYMBOL(__request_module);
69179 #endif /* CONFIG_MODULES */
69180
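Review bot: __request_module() repeats the `va_start` / `____request_module` / `va_end` sequence in the MODHARDEN branch and again in the fall-through, with only the `module_param` argument differing. Selecting the argument first and making a single call removes the duplication, as sketched below. The `memset` and the `sizeof(module_param) - 1` bound are redundant, because snprintf always terminates the string within the size it is given. The three entry points also differ only in the number of leading underscores, which is easy to misread, so a descriptive name for the va_list worker would help; the stray double blank line before `EXPORT_SYMBOL` can go.
```c
int __request_module(bool wait, const char *fmt, ...)
{
	va_list args;
	char *param = NULL;
	int ret;
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	char module_param[MODULE_NAME_LEN];

	/* tag requests made by non-root tasks so the loader can recognise them */
	if (current_uid()) {
		snprintf(module_param, sizeof(module_param), "grsec_modharden_normal%u_", current_uid());
		param = module_param;
	}
#endif

	va_start(args, fmt);
	ret = ____request_module(wait, param, fmt, args);
	va_end(args);

	return ret;
}
```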
69181@@ -228,7 +281,7 @@ static int wait_for_helper(void *data)
69182 *
69183 * Thus the __user pointer cast is valid here.
69184 */
69185- sys_wait4(pid, (int __user *)&ret, 0, NULL);
69186+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
69187
69188 /*
69189 * If ret is 0, either ____call_usermodehelper failed and the
69190diff -urNp linux-2.6.32.48/kernel/kprobes.c linux-2.6.32.48/kernel/kprobes.c
69191--- linux-2.6.32.48/kernel/kprobes.c 2011-11-08 19:02:43.000000000 -0500
69192+++ linux-2.6.32.48/kernel/kprobes.c 2011-11-15 19:59:43.000000000 -0500
69193@@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
69194 * kernel image and loaded module images reside. This is required
69195 * so x86_64 can correctly handle the %rip-relative fixups.
69196 */
69197- kip->insns = module_alloc(PAGE_SIZE);
69198+ kip->insns = module_alloc_exec(PAGE_SIZE);
69199 if (!kip->insns) {
69200 kfree(kip);
69201 return NULL;
69202@@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
69203 */
69204 if (!list_is_singular(&kprobe_insn_pages)) {
69205 list_del(&kip->list);
69206- module_free(NULL, kip->insns);
69207+ module_free_exec(NULL, kip->insns);
69208 kfree(kip);
69209 }
69210 return 1;
69211@@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
69212 {
69213 int i, err = 0;
69214 unsigned long offset = 0, size = 0;
69215- char *modname, namebuf[128];
69216+ char *modname, namebuf[KSYM_NAME_LEN];
69217 const char *symbol_name;
69218 void *addr;
69219 struct kprobe_blackpoint *kb;
69220@@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
69221 const char *sym = NULL;
69222 unsigned int i = *(loff_t *) v;
69223 unsigned long offset = 0;
69224- char *modname, namebuf[128];
69225+ char *modname, namebuf[KSYM_NAME_LEN];
69226
69227 head = &kprobe_table[i];
69228 preempt_disable();
69229diff -urNp linux-2.6.32.48/kernel/lockdep.c linux-2.6.32.48/kernel/lockdep.c
69230--- linux-2.6.32.48/kernel/lockdep.c 2011-11-08 19:02:43.000000000 -0500
69231+++ linux-2.6.32.48/kernel/lockdep.c 2011-11-15 19:59:43.000000000 -0500
69232@@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
69233 /*
69234 * Various lockdep statistics:
69235 */
69236-atomic_t chain_lookup_hits;
69237-atomic_t chain_lookup_misses;
69238-atomic_t hardirqs_on_events;
69239-atomic_t hardirqs_off_events;
69240-atomic_t redundant_hardirqs_on;
69241-atomic_t redundant_hardirqs_off;
69242-atomic_t softirqs_on_events;
69243-atomic_t softirqs_off_events;
69244-atomic_t redundant_softirqs_on;
69245-atomic_t redundant_softirqs_off;
69246-atomic_t nr_unused_locks;
69247-atomic_t nr_cyclic_checks;
69248-atomic_t nr_find_usage_forwards_checks;
69249-atomic_t nr_find_usage_backwards_checks;
69250+atomic_unchecked_t chain_lookup_hits;
69251+atomic_unchecked_t chain_lookup_misses;
69252+atomic_unchecked_t hardirqs_on_events;
69253+atomic_unchecked_t hardirqs_off_events;
69254+atomic_unchecked_t redundant_hardirqs_on;
69255+atomic_unchecked_t redundant_hardirqs_off;
69256+atomic_unchecked_t softirqs_on_events;
69257+atomic_unchecked_t softirqs_off_events;
69258+atomic_unchecked_t redundant_softirqs_on;
69259+atomic_unchecked_t redundant_softirqs_off;
69260+atomic_unchecked_t nr_unused_locks;
69261+atomic_unchecked_t nr_cyclic_checks;
69262+atomic_unchecked_t nr_find_usage_forwards_checks;
69263+atomic_unchecked_t nr_find_usage_backwards_checks;
69264 #endif
69265
69266 /*
69267@@ -577,6 +577,10 @@ static int static_obj(void *obj)
69268 int i;
69269 #endif
69270
69271+#ifdef CONFIG_PAX_KERNEXEC
69272+ start = ktla_ktva(start);
69273+#endif
69274+
69275 /*
69276 * static variable?
69277 */
69278@@ -592,8 +596,7 @@ static int static_obj(void *obj)
69279 */
69280 for_each_possible_cpu(i) {
69281 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
69282- end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
69283- + per_cpu_offset(i);
69284+ end = start + PERCPU_ENOUGH_ROOM;
69285
69286 if ((addr >= start) && (addr < end))
69287 return 1;
69288@@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
69289 if (!static_obj(lock->key)) {
69290 debug_locks_off();
69291 printk("INFO: trying to register non-static key.\n");
69292+ printk("lock:%pS key:%pS.\n", lock, lock->key);
69293 printk("the code is fine but needs lockdep annotation.\n");
69294 printk("turning off the locking correctness validator.\n");
69295 dump_stack();
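Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` sits in the branch that has just established `!static_obj(lock->key)`, so the key will normally not resolve to a symbol and `%pS` falls back to printing the raw address. That puts an unsymbolised kernel address into the log, which sits oddly with the symbol-hiding option this patch adds in kernel/kallsyms.c. If the value is needed for debugging, say so in a comment and consider emitting it only under a debug option. register_lock_class continues outside this hunk.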
69296@@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
69297 if (!class)
69298 return 0;
69299 }
69300- debug_atomic_inc((atomic_t *)&class->ops);
69301+ debug_atomic_inc((atomic_unchecked_t *)&class->ops);
69302 if (very_verbose(class)) {
69303 printk("\nacquire class [%p] %s", class->key, class->name);
69304 if (class->name_version > 1)
69305diff -urNp linux-2.6.32.48/kernel/lockdep_internals.h linux-2.6.32.48/kernel/lockdep_internals.h
69306--- linux-2.6.32.48/kernel/lockdep_internals.h 2011-11-08 19:02:43.000000000 -0500
69307+++ linux-2.6.32.48/kernel/lockdep_internals.h 2011-11-15 19:59:43.000000000 -0500
69308@@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
69309 /*
69310 * Various lockdep statistics:
69311 */
69312-extern atomic_t chain_lookup_hits;
69313-extern atomic_t chain_lookup_misses;
69314-extern atomic_t hardirqs_on_events;
69315-extern atomic_t hardirqs_off_events;
69316-extern atomic_t redundant_hardirqs_on;
69317-extern atomic_t redundant_hardirqs_off;
69318-extern atomic_t softirqs_on_events;
69319-extern atomic_t softirqs_off_events;
69320-extern atomic_t redundant_softirqs_on;
69321-extern atomic_t redundant_softirqs_off;
69322-extern atomic_t nr_unused_locks;
69323-extern atomic_t nr_cyclic_checks;
69324-extern atomic_t nr_cyclic_check_recursions;
69325-extern atomic_t nr_find_usage_forwards_checks;
69326-extern atomic_t nr_find_usage_forwards_recursions;
69327-extern atomic_t nr_find_usage_backwards_checks;
69328-extern atomic_t nr_find_usage_backwards_recursions;
69329-# define debug_atomic_inc(ptr) atomic_inc(ptr)
69330-# define debug_atomic_dec(ptr) atomic_dec(ptr)
69331-# define debug_atomic_read(ptr) atomic_read(ptr)
69332+extern atomic_unchecked_t chain_lookup_hits;
69333+extern atomic_unchecked_t chain_lookup_misses;
69334+extern atomic_unchecked_t hardirqs_on_events;
69335+extern atomic_unchecked_t hardirqs_off_events;
69336+extern atomic_unchecked_t redundant_hardirqs_on;
69337+extern atomic_unchecked_t redundant_hardirqs_off;
69338+extern atomic_unchecked_t softirqs_on_events;
69339+extern atomic_unchecked_t softirqs_off_events;
69340+extern atomic_unchecked_t redundant_softirqs_on;
69341+extern atomic_unchecked_t redundant_softirqs_off;
69342+extern atomic_unchecked_t nr_unused_locks;
69343+extern atomic_unchecked_t nr_cyclic_checks;
69344+extern atomic_unchecked_t nr_cyclic_check_recursions;
69345+extern atomic_unchecked_t nr_find_usage_forwards_checks;
69346+extern atomic_unchecked_t nr_find_usage_forwards_recursions;
69347+extern atomic_unchecked_t nr_find_usage_backwards_checks;
69348+extern atomic_unchecked_t nr_find_usage_backwards_recursions;
69349+# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
69350+# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
69351+# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
69352 #else
69353 # define debug_atomic_inc(ptr) do { } while (0)
69354 # define debug_atomic_dec(ptr) do { } while (0)
69355diff -urNp linux-2.6.32.48/kernel/lockdep_proc.c linux-2.6.32.48/kernel/lockdep_proc.c
69356--- linux-2.6.32.48/kernel/lockdep_proc.c 2011-11-08 19:02:43.000000000 -0500
69357+++ linux-2.6.32.48/kernel/lockdep_proc.c 2011-11-15 19:59:43.000000000 -0500
69358@@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
69359
69360 static void print_name(struct seq_file *m, struct lock_class *class)
69361 {
69362- char str[128];
69363+ char str[KSYM_NAME_LEN];
69364 const char *name = class->name;
69365
69366 if (!name) {
69367diff -urNp linux-2.6.32.48/kernel/module.c linux-2.6.32.48/kernel/module.c
69368--- linux-2.6.32.48/kernel/module.c 2011-11-08 19:02:43.000000000 -0500
69369+++ linux-2.6.32.48/kernel/module.c 2011-11-15 19:59:43.000000000 -0500
69370@@ -55,6 +55,7 @@
69371 #include <linux/async.h>
69372 #include <linux/percpu.h>
69373 #include <linux/kmemleak.h>
69374+#include <linux/grsecurity.h>
69375
69376 #define CREATE_TRACE_POINTS
69377 #include <trace/events/module.h>
69378@@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
69379 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
69380
69381 /* Bounds of module allocation, for speeding __module_address */
69382-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
69383+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
69384+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
69385
69386 int register_module_notifier(struct notifier_block * nb)
69387 {
69388@@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
69389 return true;
69390
69391 list_for_each_entry_rcu(mod, &modules, list) {
69392- struct symsearch arr[] = {
69393+ struct symsearch modarr[] = {
69394 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
69395 NOT_GPL_ONLY, false },
69396 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
69397@@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
69398 #endif
69399 };
69400
69401- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
69402+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
69403 return true;
69404 }
69405 return false;
69406@@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
69407 void *ptr;
69408 int cpu;
69409
69410- if (align > PAGE_SIZE) {
69411+ if (align-1 >= PAGE_SIZE) {
69412 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
69413 name, align, PAGE_SIZE);
69414 align = PAGE_SIZE;
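Review bot: `align-1 >= PAGE_SIZE` relies on unsigned wraparound to catch `align == 0` as well as `align > PAGE_SIZE`, assuming `align` is unsigned as the truncated signature in the hunk header suggests, and nothing in the code says so. For a zero alignment the warning that follows still reads "per-cpu alignment ... > ...", which would then be misleading. Writing the test as `if (align == 0 || align > PAGE_SIZE)` makes the intent visible; failing that, add `/* also rejects align == 0 */`. The message should cover the zero case either way.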
69415@@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
69416 * /sys/module/foo/sections stuff
69417 * J. Corbet <corbet@lwn.net>
69418 */
69419-#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
69420+#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
69421
69422 static inline bool sect_empty(const Elf_Shdr *sect)
69423 {
69424@@ -1545,7 +1547,8 @@ static void free_module(struct module *m
69425 destroy_params(mod->kp, mod->num_kp);
69426
69427 /* This may be NULL, but that's OK */
69428- module_free(mod, mod->module_init);
69429+ module_free(mod, mod->module_init_rw);
69430+ module_free_exec(mod, mod->module_init_rx);
69431 kfree(mod->args);
69432 if (mod->percpu)
69433 percpu_modfree(mod->percpu);
69434@@ -1554,10 +1557,12 @@ static void free_module(struct module *m
69435 percpu_modfree(mod->refptr);
69436 #endif
69437 /* Free lock-classes: */
69438- lockdep_free_key_range(mod->module_core, mod->core_size);
69439+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
69440+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
69441
69442 /* Finally, free the core (containing the module structure) */
69443- module_free(mod, mod->module_core);
69444+ module_free_exec(mod, mod->module_core_rx);
69445+ module_free(mod, mod->module_core_rw);
69446
69447 #ifdef CONFIG_MPU
69448 update_protections(current->mm);
69449@@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
69450 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
69451 int ret = 0;
69452 const struct kernel_symbol *ksym;
69453+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69454+ int is_fs_load = 0;
69455+ int register_filesystem_found = 0;
69456+ char *p;
69457+
69458+ p = strstr(mod->args, "grsec_modharden_fs");
69459+
69460+ if (p) {
69461+ char *endptr = p + strlen("grsec_modharden_fs");
69462+ /* copy \0 as well */
69463+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
69464+ is_fs_load = 1;
69465+ }
69466+#endif
69467+
69468
69469 for (i = 1; i < n; i++) {
69470+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69471+ const char *name = strtab + sym[i].st_name;
69472+
69473+ /* it's a real shame this will never get ripped and copied
69474+ upstream! ;(
69475+ */
69476+ if (is_fs_load && !strcmp(name, "register_filesystem"))
69477+ register_filesystem_found = 1;
69478+#endif
69479 switch (sym[i].st_shndx) {
69480 case SHN_COMMON:
69481 /* We compiled with -fno-common. These are not
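Review bot: The `strstr(mod->args, "grsec_modharden_fs")` lookup is unanchored, so the marker is matched and cut out wherever that byte sequence occurs in the argument string, including inside an unrelated parameter value. The marker is an in-band signal carried in the same string as the module parameters, so I would document who is expected to append it and match it only as a whole space-delimited token. The `(unsigned int)` cast on `endptr - mod->args` is also unnecessary, because `strlen()` already yields a size_t. simplify_symbols continues outside the hunk.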
69482@@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
69483 strtab + sym[i].st_name, mod);
69484 /* Ok if resolved. */
69485 if (ksym) {
69486+ pax_open_kernel();
69487 sym[i].st_value = ksym->value;
69488+ pax_close_kernel();
69489 break;
69490 }
69491
69492@@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
69493 secbase = (unsigned long)mod->percpu;
69494 else
69495 secbase = sechdrs[sym[i].st_shndx].sh_addr;
69496+ pax_open_kernel();
69497 sym[i].st_value += secbase;
69498+ pax_close_kernel();
69499 break;
69500 }
69501 }
69502
69503+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69504+ if (is_fs_load && !register_filesystem_found) {
69505+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
69506+ ret = -EPERM;
69507+ }
69508+#endif
69509+
69510 return ret;
69511 }
69512
69513@@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
69514 || s->sh_entsize != ~0UL
69515 || strstarts(secstrings + s->sh_name, ".init"))
69516 continue;
69517- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
69518+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
69519+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
69520+ else
69521+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
69522 DEBUGP("\t%s\n", secstrings + s->sh_name);
69523 }
69524- if (m == 0)
69525- mod->core_text_size = mod->core_size;
69526 }
69527
69528 DEBUGP("Init section allocation order:\n");
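Review bot: The predicate `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` that chooses between the rw and rx region is written out here, again in the init-section loop in the next hunk, and twice more in load_module's copy loop. Layout and copy must agree on it for every section, so a single helper would remove the chance of the copies drifting apart, e.g. `static inline bool sect_in_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }`. layout_sections starts outside the hunk.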
69529@@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
69530 || s->sh_entsize != ~0UL
69531 || !strstarts(secstrings + s->sh_name, ".init"))
69532 continue;
69533- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
69534- | INIT_OFFSET_MASK);
69535+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
69536+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
69537+ else
69538+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
69539+ s->sh_entsize |= INIT_OFFSET_MASK;
69540 DEBUGP("\t%s\n", secstrings + s->sh_name);
69541 }
69542- if (m == 0)
69543- mod->init_text_size = mod->init_size;
69544 }
69545 }
69546
69547@@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
69548
69549 /* As per nm */
69550 static char elf_type(const Elf_Sym *sym,
69551- Elf_Shdr *sechdrs,
69552- const char *secstrings,
69553- struct module *mod)
69554+ const Elf_Shdr *sechdrs,
69555+ const char *secstrings)
69556 {
69557 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
69558 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
69559@@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
69560
69561 /* Put symbol section at end of init part of module. */
69562 symsect->sh_flags |= SHF_ALLOC;
69563- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
69564+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
69565 symindex) | INIT_OFFSET_MASK;
69566 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
69567
69568@@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
69569 }
69570
69571 /* Append room for core symbols at end of core part. */
69572- symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
69573- mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
69574+ symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
69575+ mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
69576
69577 /* Put string table section at end of init part of module. */
69578 strsect->sh_flags |= SHF_ALLOC;
69579- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
69580+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
69581 strindex) | INIT_OFFSET_MASK;
69582 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
69583
69584 /* Append room for core symbols' strings at end of core part. */
69585- *pstroffs = mod->core_size;
69586+ *pstroffs = mod->core_size_rx;
69587 __set_bit(0, strmap);
69588- mod->core_size += bitmap_weight(strmap, strsect->sh_size);
69589+ mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
69590
69591 return symoffs;
69592 }
69593@@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
69594 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
69595 mod->strtab = (void *)sechdrs[strindex].sh_addr;
69596
69597+ pax_open_kernel();
69598+
69599 /* Set types up while we still have access to sections. */
69600 for (i = 0; i < mod->num_symtab; i++)
69601 mod->symtab[i].st_info
69602- = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
69603+ = elf_type(&mod->symtab[i], sechdrs, secstrings);
69604
69605- mod->core_symtab = dst = mod->module_core + symoffs;
69606+ mod->core_symtab = dst = mod->module_core_rx + symoffs;
69607 src = mod->symtab;
69608 *dst = *src;
69609 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
69610@@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
69611 }
69612 mod->core_num_syms = ndst;
69613
69614- mod->core_strtab = s = mod->module_core + stroffs;
69615+ mod->core_strtab = s = mod->module_core_rx + stroffs;
69616 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
69617 if (test_bit(i, strmap))
69618 *++s = mod->strtab[i];
69619+
69620+ pax_close_kernel();
69621 }
69622 #else
69623 static inline unsigned long layout_symtab(struct module *mod,
69624@@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
69625 #endif
69626 }
69627
69628-static void *module_alloc_update_bounds(unsigned long size)
69629+static void *module_alloc_update_bounds_rw(unsigned long size)
69630 {
69631 void *ret = module_alloc(size);
69632
69633 if (ret) {
69634 /* Update module bounds. */
69635- if ((unsigned long)ret < module_addr_min)
69636- module_addr_min = (unsigned long)ret;
69637- if ((unsigned long)ret + size > module_addr_max)
69638- module_addr_max = (unsigned long)ret + size;
69639+ if ((unsigned long)ret < module_addr_min_rw)
69640+ module_addr_min_rw = (unsigned long)ret;
69641+ if ((unsigned long)ret + size > module_addr_max_rw)
69642+ module_addr_max_rw = (unsigned long)ret + size;
69643+ }
69644+ return ret;
69645+}
69646+
69647+static void *module_alloc_update_bounds_rx(unsigned long size)
69648+{
69649+ void *ret = module_alloc_exec(size);
69650+
69651+ if (ret) {
69652+ /* Update module bounds. */
69653+ if ((unsigned long)ret < module_addr_min_rx)
69654+ module_addr_min_rx = (unsigned long)ret;
69655+ if ((unsigned long)ret + size > module_addr_max_rx)
69656+ module_addr_max_rx = (unsigned long)ret + size;
69657 }
69658 return ret;
69659 }
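Review bot: `module_alloc_update_bounds_rw` and `module_alloc_update_bounds_rx` are the same function apart from the allocator they call and the pair of bounds they update. Sharing the bounds arithmetic in one helper keeps the two in step when either is changed. The sketch below assumes the four `module_addr_*` variables are `unsigned long` like the ones they replace, which is not visible in this hunk.

```c
static void module_update_bounds(void *ret, unsigned long size,
				 unsigned long *min, unsigned long *max)
{
	unsigned long start = (unsigned long)ret;

	if (start < *min)
		*min = start;
	if (start + size > *max)
		*max = start + size;
}

static void *module_alloc_update_bounds_rx(unsigned long size)
{
	void *ret = module_alloc_exec(size);

	if (ret)
		module_update_bounds(ret, size, &module_addr_min_rx,
				     &module_addr_max_rx);
	return ret;
}

/* ... module_alloc_update_bounds_rw: same shape with module_alloc() and the _rw bounds ... */
```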
69660@@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
69661 unsigned int i;
69662
69663 /* only scan the sections containing data */
69664- kmemleak_scan_area(mod->module_core, (unsigned long)mod -
69665- (unsigned long)mod->module_core,
69666+ kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
69667+ (unsigned long)mod->module_core_rw,
69668 sizeof(struct module), GFP_KERNEL);
69669
69670 for (i = 1; i < hdr->e_shnum; i++) {
69671@@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
69672 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
69673 continue;
69674
69675- kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
69676- (unsigned long)mod->module_core,
69677+ kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
69678+ (unsigned long)mod->module_core_rw,
69679 sechdrs[i].sh_size, GFP_KERNEL);
69680 }
69681 }
69682@@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
69683 secstrings, &stroffs, strmap);
69684
69685 /* Do the allocs. */
69686- ptr = module_alloc_update_bounds(mod->core_size);
69687+ ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
69688 /*
69689 * The pointer to this block is stored in the module structure
69690 * which is inside the block. Just mark it as not being a
69691@@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
69692 err = -ENOMEM;
69693 goto free_percpu;
69694 }
69695- memset(ptr, 0, mod->core_size);
69696- mod->module_core = ptr;
69697+ memset(ptr, 0, mod->core_size_rw);
69698+ mod->module_core_rw = ptr;
69699
69700- ptr = module_alloc_update_bounds(mod->init_size);
69701+ ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
69702 /*
69703 * The pointer to this block is stored in the module structure
69704 * which is inside the block. This block doesn't need to be
69705 * scanned as it contains data and code that will be freed
69706 * after the module is initialized.
69707 */
69708- kmemleak_ignore(ptr);
69709- if (!ptr && mod->init_size) {
69710+ kmemleak_not_leak(ptr);
69711+ if (!ptr && mod->init_size_rw) {
69712+ err = -ENOMEM;
69713+ goto free_core_rw;
69714+ }
69715+ memset(ptr, 0, mod->init_size_rw);
69716+ mod->module_init_rw = ptr;
69717+
69718+ ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
69719+ kmemleak_not_leak(ptr);
69720+ if (!ptr) {
69721 err = -ENOMEM;
69722- goto free_core;
69723+ goto free_init_rw;
69724 }
69725- memset(ptr, 0, mod->init_size);
69726- mod->module_init = ptr;
69727+
69728+ pax_open_kernel();
69729+ memset(ptr, 0, mod->core_size_rx);
69730+ pax_close_kernel();
69731+ mod->module_core_rx = ptr;
69732+
69733+ ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
69734+ kmemleak_not_leak(ptr);
69735+ if (!ptr && mod->init_size_rx) {
69736+ err = -ENOMEM;
69737+ goto free_core_rx;
69738+ }
69739+
69740+ pax_open_kernel();
69741+ memset(ptr, 0, mod->init_size_rx);
69742+ pax_close_kernel();
69743+ mod->module_init_rx = ptr;
69744
69745 /* Transfer each section which specifies SHF_ALLOC */
69746 DEBUGP("final section addresses:\n");
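Review bot: The comment kept above the init rw allocation still says the block "doesn't need to be scanned", but the call below it changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which only suppresses the leak report and leaves the block in the scan. The comment or the call should change so that they agree. The two new rx allocations have no comment at all; if the reason for wrapping their `memset` in `pax_open_kernel()`/`pax_close_kernel()` is that the rx region is not normally writable, a line saying so would help. The core rx check `if (!ptr)` also differs from the two init checks, which test the size as well, and it is not clear whether that is intended.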
69747@@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
69748 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
69749 continue;
69750
69751- if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
69752- dest = mod->module_init
69753- + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69754- else
69755- dest = mod->module_core + sechdrs[i].sh_entsize;
69756+ if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
69757+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
69758+ dest = mod->module_init_rw
69759+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69760+ else
69761+ dest = mod->module_init_rx
69762+ + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
69763+ } else {
69764+ if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
69765+ dest = mod->module_core_rw + sechdrs[i].sh_entsize;
69766+ else
69767+ dest = mod->module_core_rx + sechdrs[i].sh_entsize;
69768+ }
69769+
69770+ if (sechdrs[i].sh_type != SHT_NOBITS) {
69771
69772- if (sechdrs[i].sh_type != SHT_NOBITS)
69773- memcpy(dest, (void *)sechdrs[i].sh_addr,
69774- sechdrs[i].sh_size);
69775+#ifdef CONFIG_PAX_KERNEXEC
69776+#ifdef CONFIG_X86_64
69777+ if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
69778+ set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
69779+#endif
69780+ if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
69781+ pax_open_kernel();
69782+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
69783+ pax_close_kernel();
69784+ } else
69785+#endif
69786+
69787+ memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
69788+ }
69789 /* Update sh_addr to point to copy in image. */
69790- sechdrs[i].sh_addr = (unsigned long)dest;
69791+
69792+#ifdef CONFIG_PAX_KERNEXEC
69793+ if (sechdrs[i].sh_flags & SHF_EXECINSTR)
69794+ sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
69795+ else
69796+#endif
69797+
69798+ sechdrs[i].sh_addr = (unsigned long)dest;
69799 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
69800 }
69801 /* Module has been moved. */
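Review bot: The page count passed to `set_memory_x` is `(sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which ignores where `dest` sits inside its page. A page-aligned section of exactly one page gets two pages, and a small section straddling a page boundary gets only one. Computing the range from the aligned bounds avoids both: `unsigned long start = (unsigned long)dest & PAGE_MASK;` then `set_memory_x(start, (PAGE_ALIGN((unsigned long)dest + sechdrs[i].sh_size) - start) >> PAGE_SHIFT);`. Separately, the `!(sh_flags & SHF_ALLOC)` tests in this loop can never be true, because the loop already `continue`s on sections without SHF_ALLOC. load_module starts and ends outside the hunk.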
69802@@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
69803 mod->name);
69804 if (!mod->refptr) {
69805 err = -ENOMEM;
69806- goto free_init;
69807+ goto free_init_rx;
69808 }
69809 #endif
69810 /* Now we've moved module, initialize linked lists, etc. */
69811@@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
69812 /* Set up MODINFO_ATTR fields */
69813 setup_modinfo(mod, sechdrs, infoindex);
69814
69815+ mod->args = args;
69816+
69817+#ifdef CONFIG_GRKERNSEC_MODHARDEN
69818+ {
69819+ char *p, *p2;
69820+
69821+ if (strstr(mod->args, "grsec_modharden_netdev")) {
69822+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
69823+ err = -EPERM;
69824+ goto cleanup;
69825+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
69826+ p += strlen("grsec_modharden_normal");
69827+ p2 = strstr(p, "_");
69828+ if (p2) {
69829+ *p2 = '\0';
69830+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
69831+ *p2 = '_';
69832+ }
69833+ err = -EPERM;
69834+ goto cleanup;
69835+ }
69836+ }
69837+#endif
69838+
69839+
69840 /* Fix up syms, so that st_value is a pointer to location. */
69841 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
69842 mod);
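Review bot: The KERN_ALERT string for the `grsec_modharden_netdev` case ends in `instead.` with no trailing `\n`, unlike the `grsec_modharden_normal` message below it, so the next printk can run on in the same log line; it should end `... instead.\n`. In the normal case the uid in the log is whatever text follows the marker in `mod->args` (`%.9s`), not a value read from the caller's credentials, and a comment should say who is trusted to build that string. When no `_` follows the marker, the load is denied with no log line at all, which makes the denial hard to diagnose. load_module starts and ends outside the hunk.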
69843@@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
69844
69845 /* Now do relocations. */
69846 for (i = 1; i < hdr->e_shnum; i++) {
69847- const char *strtab = (char *)sechdrs[strindex].sh_addr;
69848 unsigned int info = sechdrs[i].sh_info;
69849+ strtab = (char *)sechdrs[strindex].sh_addr;
69850
69851 /* Not a valid relocation section? */
69852 if (info >= hdr->e_shnum)
69853@@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
69854 * Do it before processing of module parameters, so the module
69855 * can provide parameter accessor functions of its own.
69856 */
69857- if (mod->module_init)
69858- flush_icache_range((unsigned long)mod->module_init,
69859- (unsigned long)mod->module_init
69860- + mod->init_size);
69861- flush_icache_range((unsigned long)mod->module_core,
69862- (unsigned long)mod->module_core + mod->core_size);
69863+ if (mod->module_init_rx)
69864+ flush_icache_range((unsigned long)mod->module_init_rx,
69865+ (unsigned long)mod->module_init_rx
69866+ + mod->init_size_rx);
69867+ flush_icache_range((unsigned long)mod->module_core_rx,
69868+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
69869
69870 set_fs(old_fs);
69871
69872- mod->args = args;
69873 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
69874 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
69875 mod->name);
69876@@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
69877 free_unload:
69878 module_unload_free(mod);
69879 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
69880+ free_init_rx:
69881 percpu_modfree(mod->refptr);
69882- free_init:
69883 #endif
69884- module_free(mod, mod->module_init);
69885- free_core:
69886- module_free(mod, mod->module_core);
69887+ module_free_exec(mod, mod->module_init_rx);
69888+ free_core_rx:
69889+ module_free_exec(mod, mod->module_core_rx);
69890+ free_init_rw:
69891+ module_free(mod, mod->module_init_rw);
69892+ free_core_rw:
69893+ module_free(mod, mod->module_core_rw);
69894 /* mod will be freed with core. Don't access it beyond this line! */
69895 free_percpu:
69896 if (percpu)
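Review bot: `free_init_rx:` now sits above `percpu_modfree(mod->refptr)`, whereas the `free_init:` label it replaces sat below that call. The only visible jump to it is the `if (!mod->refptr)` failure path earlier in load_module, so that path now calls `percpu_modfree()` with a NULL pointer. Whether every percpu_modfree variant tolerates NULL is not visible here. Keeping the old order avoids the question: `percpu_modfree(mod->refptr);` first, then ` free_init_rx:` directly before `#endif`.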
69897@@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
69898 mod->symtab = mod->core_symtab;
69899 mod->strtab = mod->core_strtab;
69900 #endif
69901- module_free(mod, mod->module_init);
69902- mod->module_init = NULL;
69903- mod->init_size = 0;
69904- mod->init_text_size = 0;
69905+ module_free(mod, mod->module_init_rw);
69906+ module_free_exec(mod, mod->module_init_rx);
69907+ mod->module_init_rw = NULL;
69908+ mod->module_init_rx = NULL;
69909+ mod->init_size_rw = 0;
69910+ mod->init_size_rx = 0;
69911 mutex_unlock(&module_mutex);
69912
69913 return 0;
69914@@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
69915 unsigned long nextval;
69916
69917 /* At worse, next value is at end of module */
69918- if (within_module_init(addr, mod))
69919- nextval = (unsigned long)mod->module_init+mod->init_text_size;
69920+ if (within_module_init_rx(addr, mod))
69921+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
69922+ else if (within_module_init_rw(addr, mod))
69923+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
69924+ else if (within_module_core_rx(addr, mod))
69925+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
69926+ else if (within_module_core_rw(addr, mod))
69927+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
69928 else
69929- nextval = (unsigned long)mod->module_core+mod->core_text_size;
69930+ return NULL;
69931
69932 /* Scan for closest preceeding symbol, and next symbol. (ELF
69933 starts real symbols at 1). */
69934@@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
69935 char buf[8];
69936
69937 seq_printf(m, "%s %u",
69938- mod->name, mod->init_size + mod->core_size);
69939+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
69940 print_unload_info(m, mod);
69941
69942 /* Informative for users. */
69943@@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
69944 mod->state == MODULE_STATE_COMING ? "Loading":
69945 "Live");
69946 /* Used by oprofile and other similar tools. */
69947- seq_printf(m, " 0x%p", mod->module_core);
69948+ seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
69949
69950 /* Taints info */
69951 if (mod->taints)
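Review bot: `seq_printf(m, " 0x%p 0x%p", ...)` adds a second address column to every /proc/modules line, and the comment directly above says oprofile and similar tools read this field. Parsers that expect one address followed by the optional taint string may misread the new column. A comment naming the two values (rx core, then rw core) and noting the format change would help, or the rw address could be dropped if nothing consumes it. m_show continues outside the hunk.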
69952@@ -2981,7 +3128,17 @@ static const struct file_operations proc
69953
69954 static int __init proc_modules_init(void)
69955 {
69956+#ifndef CONFIG_GRKERNSEC_HIDESYM
69957+#ifdef CONFIG_GRKERNSEC_PROC_USER
69958+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69959+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
69960+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
69961+#else
69962 proc_create("modules", 0, NULL, &proc_modules_operations);
69963+#endif
69964+#else
69965+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
69966+#endif
69967 return 0;
69968 }
69969 module_init(proc_modules_init);
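Review bot: The nested `#ifndef`/`#ifdef` ladder has two branches that make the same `proc_create("modules", S_IRUSR, ...)` call, which makes the resulting mode hard to read off. Folding them gives three flat cases with the same outcome: `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)`, then `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)`, then `#else`. A one-line comment stating that HIDESYM forces owner-only access regardless of the PROC_* options would record the intent.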
69970@@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
69971 {
69972 struct module *mod;
69973
69974- if (addr < module_addr_min || addr > module_addr_max)
69975+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
69976+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
69977 return NULL;
69978
69979 list_for_each_entry_rcu(mod, &modules, list)
69980- if (within_module_core(addr, mod)
69981- || within_module_init(addr, mod))
69982+ if (within_module_init(addr, mod) || within_module_core(addr, mod))
69983 return mod;
69984 return NULL;
69985 }
69986@@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
69987 */
69988 struct module *__module_text_address(unsigned long addr)
69989 {
69990- struct module *mod = __module_address(addr);
69991+ struct module *mod;
69992+
69993+#ifdef CONFIG_X86_32
69994+ addr = ktla_ktva(addr);
69995+#endif
69996+
69997+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
69998+ return NULL;
69999+
70000+ mod = __module_address(addr);
70001+
70002 if (mod) {
70003 /* Make sure it's within the text section. */
70004- if (!within(addr, mod->module_init, mod->init_text_size)
70005- && !within(addr, mod->module_core, mod->core_text_size))
70006+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
70007 mod = NULL;
70008 }
70009 return mod;
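Review bot: The `ktla_ktva(addr)` translation is guarded by `CONFIG_X86_32`, while the matching `ktva_ktla()` call added to load_module's copy loop is guarded by `CONFIG_PAX_KERNEXEC`, and the hunk does not say why the guards differ. If the helper is an identity mapping when KERNEXEC is off, a comment such as `/* text addresses may be KERNEXEC aliases on i386; map back before the range check */` would make that explicit, with the wording confirmed against the helper's definition. The early `module_addr_min_rx`/`module_addr_max_rx` test also repeats part of the range check `__module_address()` performs itself. The function's closing brace is outside the hunk.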
70010diff -urNp linux-2.6.32.48/kernel/mutex.c linux-2.6.32.48/kernel/mutex.c
70011--- linux-2.6.32.48/kernel/mutex.c 2011-11-08 19:02:43.000000000 -0500
70012+++ linux-2.6.32.48/kernel/mutex.c 2011-11-15 19:59:43.000000000 -0500
70013@@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
70014 */
70015
70016 for (;;) {
70017- struct thread_info *owner;
70018+ struct task_struct *owner;
70019
70020 /*
70021 * If we own the BKL, then don't spin. The owner of
70022@@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
70023 spin_lock_mutex(&lock->wait_lock, flags);
70024
70025 debug_mutex_lock_common(lock, &waiter);
70026- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
70027+ debug_mutex_add_waiter(lock, &waiter, task);
70028
70029 /* add waiting tasks to the end of the waitqueue (FIFO): */
70030 list_add_tail(&waiter.list, &lock->wait_list);
70031@@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
70032 * TASK_UNINTERRUPTIBLE case.)
70033 */
70034 if (unlikely(signal_pending_state(state, task))) {
70035- mutex_remove_waiter(lock, &waiter,
70036- task_thread_info(task));
70037+ mutex_remove_waiter(lock, &waiter, task);
70038 mutex_release(&lock->dep_map, 1, ip);
70039 spin_unlock_mutex(&lock->wait_lock, flags);
70040
70041@@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
70042 done:
70043 lock_acquired(&lock->dep_map, ip);
70044 /* got the lock - rejoice! */
70045- mutex_remove_waiter(lock, &waiter, current_thread_info());
70046+ mutex_remove_waiter(lock, &waiter, task);
70047 mutex_set_owner(lock);
70048
70049 /* set it to 0 if there are no waiters left: */
70050diff -urNp linux-2.6.32.48/kernel/mutex-debug.c linux-2.6.32.48/kernel/mutex-debug.c
70051--- linux-2.6.32.48/kernel/mutex-debug.c 2011-11-08 19:02:43.000000000 -0500
70052+++ linux-2.6.32.48/kernel/mutex-debug.c 2011-11-15 19:59:43.000000000 -0500
70053@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
70054 }
70055
70056 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70057- struct thread_info *ti)
70058+ struct task_struct *task)
70059 {
70060 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
70061
70062 /* Mark the current thread as blocked on the lock: */
70063- ti->task->blocked_on = waiter;
70064+ task->blocked_on = waiter;
70065 }
70066
70067 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70068- struct thread_info *ti)
70069+ struct task_struct *task)
70070 {
70071 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
70072- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
70073- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
70074- ti->task->blocked_on = NULL;
70075+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
70076+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
70077+ task->blocked_on = NULL;
70078
70079 list_del_init(&waiter->list);
70080 waiter->task = NULL;
70081@@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
70082 return;
70083
70084 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
70085- DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
70086+ DEBUG_LOCKS_WARN_ON(lock->owner != current);
70087 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
70088 mutex_clear_owner(lock);
70089 }
70090diff -urNp linux-2.6.32.48/kernel/mutex-debug.h linux-2.6.32.48/kernel/mutex-debug.h
70091--- linux-2.6.32.48/kernel/mutex-debug.h 2011-11-08 19:02:43.000000000 -0500
70092+++ linux-2.6.32.48/kernel/mutex-debug.h 2011-11-15 19:59:43.000000000 -0500
70093@@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
70094 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
70095 extern void debug_mutex_add_waiter(struct mutex *lock,
70096 struct mutex_waiter *waiter,
70097- struct thread_info *ti);
70098+ struct task_struct *task);
70099 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
70100- struct thread_info *ti);
70101+ struct task_struct *task);
70102 extern void debug_mutex_unlock(struct mutex *lock);
70103 extern void debug_mutex_init(struct mutex *lock, const char *name,
70104 struct lock_class_key *key);
70105
70106 static inline void mutex_set_owner(struct mutex *lock)
70107 {
70108- lock->owner = current_thread_info();
70109+ lock->owner = current;
70110 }
70111
70112 static inline void mutex_clear_owner(struct mutex *lock)
70113diff -urNp linux-2.6.32.48/kernel/mutex.h linux-2.6.32.48/kernel/mutex.h
70114--- linux-2.6.32.48/kernel/mutex.h 2011-11-08 19:02:43.000000000 -0500
70115+++ linux-2.6.32.48/kernel/mutex.h 2011-11-15 19:59:43.000000000 -0500
70116@@ -19,7 +19,7 @@
70117 #ifdef CONFIG_SMP
70118 static inline void mutex_set_owner(struct mutex *lock)
70119 {
70120- lock->owner = current_thread_info();
70121+ lock->owner = current;
70122 }
70123
70124 static inline void mutex_clear_owner(struct mutex *lock)
70125diff -urNp linux-2.6.32.48/kernel/panic.c linux-2.6.32.48/kernel/panic.c
70126--- linux-2.6.32.48/kernel/panic.c 2011-11-08 19:02:43.000000000 -0500
70127+++ linux-2.6.32.48/kernel/panic.c 2011-11-15 19:59:43.000000000 -0500
70128@@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
70129 const char *board;
70130
70131 printk(KERN_WARNING "------------[ cut here ]------------\n");
70132- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
70133+ printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
70134 board = dmi_get_system_info(DMI_PRODUCT_NAME);
70135 if (board)
70136 printk(KERN_WARNING "Hardware name: %s\n", board);
70137@@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
70138 */
70139 void __stack_chk_fail(void)
70140 {
70141- panic("stack-protector: Kernel stack is corrupted in: %p\n",
70142+ dump_stack();
70143+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
70144 __builtin_return_address(0));
70145 }
70146 EXPORT_SYMBOL(__stack_chk_fail);
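Review bot: `dump_stack()` is called on a stack that the canary check has just found corrupted, and no comment says why the extra trace is wanted before `panic()`. If panic() already prints a backtrace in the configurations this targets, the output is simply duplicated; that is not visible from this hunk. Otherwise a line such as `/* print the callers of the corrupted frame before panic() */` would explain the addition.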
70147diff -urNp linux-2.6.32.48/kernel/params.c linux-2.6.32.48/kernel/params.c
70148--- linux-2.6.32.48/kernel/params.c 2011-11-08 19:02:43.000000000 -0500
70149+++ linux-2.6.32.48/kernel/params.c 2011-11-15 19:59:43.000000000 -0500
70150@@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
70151 return ret;
70152 }
70153
70154-static struct sysfs_ops module_sysfs_ops = {
70155+static const struct sysfs_ops module_sysfs_ops = {
70156 .show = module_attr_show,
70157 .store = module_attr_store,
70158 };
70159@@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
70160 return 0;
70161 }
70162
70163-static struct kset_uevent_ops module_uevent_ops = {
70164+static const struct kset_uevent_ops module_uevent_ops = {
70165 .filter = uevent_filter,
70166 };
70167
70168diff -urNp linux-2.6.32.48/kernel/perf_event.c linux-2.6.32.48/kernel/perf_event.c
70169--- linux-2.6.32.48/kernel/perf_event.c 2011-11-08 19:02:43.000000000 -0500
70170+++ linux-2.6.32.48/kernel/perf_event.c 2011-11-15 19:59:43.000000000 -0500
70171@@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
70172 */
70173 int sysctl_perf_event_sample_rate __read_mostly = 100000;
70174
70175-static atomic64_t perf_event_id;
70176+static atomic64_unchecked_t perf_event_id;
70177
70178 /*
70179 * Lock for (sysadmin-configurable) event reservations:
70180@@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
70181 * In order to keep per-task stats reliable we need to flip the event
70182 * values when we flip the contexts.
70183 */
70184- value = atomic64_read(&next_event->count);
70185- value = atomic64_xchg(&event->count, value);
70186- atomic64_set(&next_event->count, value);
70187+ value = atomic64_read_unchecked(&next_event->count);
70188+ value = atomic64_xchg_unchecked(&event->count, value);
70189+ atomic64_set_unchecked(&next_event->count, value);
70190
70191 swap(event->total_time_enabled, next_event->total_time_enabled);
70192 swap(event->total_time_running, next_event->total_time_running);
70193@@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
70194 update_event_times(event);
70195 }
70196
70197- return atomic64_read(&event->count);
70198+ return atomic64_read_unchecked(&event->count);
70199 }
70200
70201 /*
70202@@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
70203 values[n++] = 1 + leader->nr_siblings;
70204 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70205 values[n++] = leader->total_time_enabled +
70206- atomic64_read(&leader->child_total_time_enabled);
70207+ atomic64_read_unchecked(&leader->child_total_time_enabled);
70208 }
70209 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70210 values[n++] = leader->total_time_running +
70211- atomic64_read(&leader->child_total_time_running);
70212+ atomic64_read_unchecked(&leader->child_total_time_running);
70213 }
70214
70215 size = n * sizeof(u64);
70216@@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
70217 values[n++] = perf_event_read_value(event);
70218 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70219 values[n++] = event->total_time_enabled +
70220- atomic64_read(&event->child_total_time_enabled);
70221+ atomic64_read_unchecked(&event->child_total_time_enabled);
70222 }
70223 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70224 values[n++] = event->total_time_running +
70225- atomic64_read(&event->child_total_time_running);
70226+ atomic64_read_unchecked(&event->child_total_time_running);
70227 }
70228 if (read_format & PERF_FORMAT_ID)
70229 values[n++] = primary_event_id(event);
70230@@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
70231 static void perf_event_reset(struct perf_event *event)
70232 {
70233 (void)perf_event_read(event);
70234- atomic64_set(&event->count, 0);
70235+ atomic64_set_unchecked(&event->count, 0);
70236 perf_event_update_userpage(event);
70237 }
70238
70239@@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
70240 ++userpg->lock;
70241 barrier();
70242 userpg->index = perf_event_index(event);
70243- userpg->offset = atomic64_read(&event->count);
70244+ userpg->offset = atomic64_read_unchecked(&event->count);
70245 if (event->state == PERF_EVENT_STATE_ACTIVE)
70246- userpg->offset -= atomic64_read(&event->hw.prev_count);
70247+ userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
70248
70249 userpg->time_enabled = event->total_time_enabled +
70250- atomic64_read(&event->child_total_time_enabled);
70251+ atomic64_read_unchecked(&event->child_total_time_enabled);
70252
70253 userpg->time_running = event->total_time_running +
70254- atomic64_read(&event->child_total_time_running);
70255+ atomic64_read_unchecked(&event->child_total_time_running);
70256
70257 barrier();
70258 ++userpg->lock;
70259@@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
70260 u64 values[4];
70261 int n = 0;
70262
70263- values[n++] = atomic64_read(&event->count);
70264+ values[n++] = atomic64_read_unchecked(&event->count);
70265 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
70266 values[n++] = event->total_time_enabled +
70267- atomic64_read(&event->child_total_time_enabled);
70268+ atomic64_read_unchecked(&event->child_total_time_enabled);
70269 }
70270 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
70271 values[n++] = event->total_time_running +
70272- atomic64_read(&event->child_total_time_running);
70273+ atomic64_read_unchecked(&event->child_total_time_running);
70274 }
70275 if (read_format & PERF_FORMAT_ID)
70276 values[n++] = primary_event_id(event);
70277@@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
70278 if (leader != event)
70279 leader->pmu->read(leader);
70280
70281- values[n++] = atomic64_read(&leader->count);
70282+ values[n++] = atomic64_read_unchecked(&leader->count);
70283 if (read_format & PERF_FORMAT_ID)
70284 values[n++] = primary_event_id(leader);
70285
70286@@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
70287 if (sub != event)
70288 sub->pmu->read(sub);
70289
70290- values[n++] = atomic64_read(&sub->count);
70291+ values[n++] = atomic64_read_unchecked(&sub->count);
70292 if (read_format & PERF_FORMAT_ID)
70293 values[n++] = primary_event_id(sub);
70294
70295@@ -3525,12 +3525,12 @@ static void perf_event_mmap_event(struct
70296 * need to add enough zero bytes after the string to handle
70297 * the 64bit alignment we do later.
70298 */
70299- buf = kzalloc(PATH_MAX + sizeof(u64), GFP_KERNEL);
70300+ buf = kzalloc(PATH_MAX, GFP_KERNEL);
70301 if (!buf) {
70302 name = strncpy(tmp, "//enomem", sizeof(tmp));
70303 goto got_name;
70304 }
70305- name = d_path(&file->f_path, buf, PATH_MAX);
70306+ name = d_path(&file->f_path, buf, PATH_MAX - sizeof(u64));
70307 if (IS_ERR(name)) {
70308 name = strncpy(tmp, "//toolong", sizeof(tmp));
70309 goto got_name;
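Review bot: The comment above the allocation still talks about adding zero bytes after the string, but nothing says the padding is now reserved by passing `PATH_MAX - sizeof(u64)` to d_path() instead of over-allocating. d_path() builds the name at the tail of the range it is given, so the last sizeof(u64) bytes of the kzalloc'ed buffer stay zero, which the later 64-bit alignment relies on. I would add `/* d_path() gets PATH_MAX - sizeof(u64) so the final u64 of buf stays zeroed for the alignment below */` above the call. Paths within sizeof(u64) bytes of PATH_MAX now presumably take the `//toolong` branch, which is worth recording. The enclosing function starts and ends outside the hunk.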
70310@@ -3783,7 +3783,7 @@ static void perf_swevent_add(struct perf
70311 {
70312 struct hw_perf_event *hwc = &event->hw;
70313
70314- atomic64_add(nr, &event->count);
70315+ atomic64_add_unchecked(nr, &event->count);
70316
70317 if (!hwc->sample_period)
70318 return;
70319@@ -4040,9 +4040,9 @@ static void cpu_clock_perf_event_update(
70320 u64 now;
70321
70322 now = cpu_clock(cpu);
70323- prev = atomic64_read(&event->hw.prev_count);
70324- atomic64_set(&event->hw.prev_count, now);
70325- atomic64_add(now - prev, &event->count);
70326+ prev = atomic64_read_unchecked(&event->hw.prev_count);
70327+ atomic64_set_unchecked(&event->hw.prev_count, now);
70328+ atomic64_add_unchecked(now - prev, &event->count);
70329 }
70330
70331 static int cpu_clock_perf_event_enable(struct perf_event *event)
70332@@ -4050,7 +4050,7 @@ static int cpu_clock_perf_event_enable(s
70333 struct hw_perf_event *hwc = &event->hw;
70334 int cpu = raw_smp_processor_id();
70335
70336- atomic64_set(&hwc->prev_count, cpu_clock(cpu));
70337+ atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
70338 perf_swevent_start_hrtimer(event);
70339
70340 return 0;
70341@@ -4082,9 +4082,9 @@ static void task_clock_perf_event_update
70342 u64 prev;
70343 s64 delta;
70344
70345- prev = atomic64_xchg(&event->hw.prev_count, now);
70346+ prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
70347 delta = now - prev;
70348- atomic64_add(delta, &event->count);
70349+ atomic64_add_unchecked(delta, &event->count);
70350 }
70351
70352 static int task_clock_perf_event_enable(struct perf_event *event)
70353@@ -4094,7 +4094,7 @@ static int task_clock_perf_event_enable(
70354
70355 now = event->ctx->time;
70356
70357- atomic64_set(&hwc->prev_count, now);
70358+ atomic64_set_unchecked(&hwc->prev_count, now);
70359
70360 perf_swevent_start_hrtimer(event);
70361
70362@@ -4289,7 +4289,7 @@ perf_event_alloc(struct perf_event_attr
70363 event->parent = parent_event;
70364
70365 event->ns = get_pid_ns(current->nsproxy->pid_ns);
70366- event->id = atomic64_inc_return(&perf_event_id);
70367+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
70368
70369 event->state = PERF_EVENT_STATE_INACTIVE;
70370
70371@@ -4720,15 +4720,15 @@ static void sync_child_event(struct perf
70372 if (child_event->attr.inherit_stat)
70373 perf_event_read_event(child_event, child);
70374
70375- child_val = atomic64_read(&child_event->count);
70376+ child_val = atomic64_read_unchecked(&child_event->count);
70377
70378 /*
70379 * Add back the child's count to the parent's count:
70380 */
70381- atomic64_add(child_val, &parent_event->count);
70382- atomic64_add(child_event->total_time_enabled,
70383+ atomic64_add_unchecked(child_val, &parent_event->count);
70384+ atomic64_add_unchecked(child_event->total_time_enabled,
70385 &parent_event->child_total_time_enabled);
70386- atomic64_add(child_event->total_time_running,
70387+ atomic64_add_unchecked(child_event->total_time_running,
70388 &parent_event->child_total_time_running);
70389
70390 /*
70391diff -urNp linux-2.6.32.48/kernel/pid.c linux-2.6.32.48/kernel/pid.c
70392--- linux-2.6.32.48/kernel/pid.c 2011-11-08 19:02:43.000000000 -0500
70393+++ linux-2.6.32.48/kernel/pid.c 2011-11-15 19:59:43.000000000 -0500
70394@@ -33,6 +33,7 @@
70395 #include <linux/rculist.h>
70396 #include <linux/bootmem.h>
70397 #include <linux/hash.h>
70398+#include <linux/security.h>
70399 #include <linux/pid_namespace.h>
70400 #include <linux/init_task.h>
70401 #include <linux/syscalls.h>
70402@@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
70403
70404 int pid_max = PID_MAX_DEFAULT;
70405
70406-#define RESERVED_PIDS 300
70407+#define RESERVED_PIDS 500
70408
70409 int pid_max_min = RESERVED_PIDS + 1;
70410 int pid_max_max = PID_MAX_LIMIT;
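Review bot: `RESERVED_PIDS` goes from 300 to 500 with no comment, and the change also moves `pid_max_min` (defined as `RESERVED_PIDS + 1` two lines below) from 301 to 501. A one-line comment such as `/* pids below this are skipped when the allocator wraps; also sets the floor for pid_max */` would record the intent. The wrap-around use is inferred from the name and should be confirmed against the allocator, which is not in this hunk.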
70411@@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
70412 */
70413 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
70414 {
70415- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
70416+ struct task_struct *task;
70417+
70418+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
70419+
70420+ if (gr_pid_is_chrooted(task))
70421+ return NULL;
70422+
70423+ return task;
70424 }
70425
70426 struct task_struct *find_task_by_vpid(pid_t vnr)
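Review bot: `pid_task()` returns NULL when no task matches, and that result is passed straight to `gr_pid_is_chrooted(task)`. The helper is defined outside this hunk, so whether it tolerates NULL cannot be checked here. If it does not, guard the call with `if (task && gr_pid_is_chrooted(task)) return NULL;`. The kernel-doc comment above the function should also say that a task hidden by the chroot restriction is reported as not found, since callers cannot tell the two cases apart.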
70427@@ -391,6 +399,11 @@ struct task_struct *find_task_by_vpid(pi
70428 return find_task_by_pid_ns(vnr, current->nsproxy->pid_ns);
70429 }
70430
70431+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
70432+{
70433+ return pid_task(find_pid_ns(vnr, current->nsproxy->pid_ns), PIDTYPE_PID);
70434+}
70435+
70436 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
70437 {
70438 struct pid *pid;
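Review bot: `find_task_by_vpid_unrestricted()` skips the `gr_pid_is_chrooted()` filter that the previous hunk adds to `find_task_by_pid_ns()`, and it has no comment saying when that is acceptable. A header comment along the lines of `/* Lookup without the chroot visibility check; only for callers that make their own access decision. */` would keep new call sites from picking it by accident. It also repeats the `pid_task(find_pid_ns(...), PIDTYPE_PID)` expression of the filtered lookup, so a shared static helper would keep the two in step.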
70439diff -urNp linux-2.6.32.48/kernel/posix-cpu-timers.c linux-2.6.32.48/kernel/posix-cpu-timers.c
70440--- linux-2.6.32.48/kernel/posix-cpu-timers.c 2011-11-08 19:02:43.000000000 -0500
70441+++ linux-2.6.32.48/kernel/posix-cpu-timers.c 2011-11-15 19:59:43.000000000 -0500
70442@@ -6,6 +6,7 @@
70443 #include <linux/posix-timers.h>
70444 #include <linux/errno.h>
70445 #include <linux/math64.h>
70446+#include <linux/security.h>
70447 #include <asm/uaccess.h>
70448 #include <linux/kernel_stat.h>
70449 #include <trace/events/timer.h>
70450@@ -1697,7 +1698,7 @@ static long thread_cpu_nsleep_restart(st
70451
70452 static __init int init_posix_cpu_timers(void)
70453 {
70454- struct k_clock process = {
70455+ static struct k_clock process = {
70456 .clock_getres = process_cpu_clock_getres,
70457 .clock_get = process_cpu_clock_get,
70458 .clock_set = do_posix_clock_nosettime,
70459@@ -1705,7 +1706,7 @@ static __init int init_posix_cpu_timers(
70460 .nsleep = process_cpu_nsleep,
70461 .nsleep_restart = process_cpu_nsleep_restart,
70462 };
70463- struct k_clock thread = {
70464+ static struct k_clock thread = {
70465 .clock_getres = thread_cpu_clock_getres,
70466 .clock_get = thread_cpu_clock_get,
70467 .clock_set = do_posix_clock_nosettime,
70468diff -urNp linux-2.6.32.48/kernel/posix-timers.c linux-2.6.32.48/kernel/posix-timers.c
70469--- linux-2.6.32.48/kernel/posix-timers.c 2011-11-08 19:02:43.000000000 -0500
70470+++ linux-2.6.32.48/kernel/posix-timers.c 2011-11-15 19:59:43.000000000 -0500
70471@@ -42,6 +42,7 @@
70472 #include <linux/compiler.h>
70473 #include <linux/idr.h>
70474 #include <linux/posix-timers.h>
70475+#include <linux/grsecurity.h>
70476 #include <linux/syscalls.h>
70477 #include <linux/wait.h>
70478 #include <linux/workqueue.h>
70479@@ -131,7 +132,7 @@ static DEFINE_SPINLOCK(idr_lock);
70480 * which we beg off on and pass to do_sys_settimeofday().
70481 */
70482
70483-static struct k_clock posix_clocks[MAX_CLOCKS];
70484+static struct k_clock *posix_clocks[MAX_CLOCKS];
70485
70486 /*
70487 * These ones are defined below.
70488@@ -157,8 +158,8 @@ static inline void unlock_timer(struct k
70489 */
70490 #define CLOCK_DISPATCH(clock, call, arglist) \
70491 ((clock) < 0 ? posix_cpu_##call arglist : \
70492- (posix_clocks[clock].call != NULL \
70493- ? (*posix_clocks[clock].call) arglist : common_##call arglist))
70494+ (posix_clocks[clock]->call != NULL \
70495+ ? (*posix_clocks[clock]->call) arglist : common_##call arglist))
70496
70497 /*
70498 * Default clock hook functions when the struct k_clock passed
70499@@ -172,7 +173,7 @@ static inline int common_clock_getres(co
70500 struct timespec *tp)
70501 {
70502 tp->tv_sec = 0;
70503- tp->tv_nsec = posix_clocks[which_clock].res;
70504+ tp->tv_nsec = posix_clocks[which_clock]->res;
70505 return 0;
70506 }
70507
70508@@ -217,9 +218,11 @@ static inline int invalid_clockid(const
70509 return 0;
70510 if ((unsigned) which_clock >= MAX_CLOCKS)
70511 return 1;
70512- if (posix_clocks[which_clock].clock_getres != NULL)
70513+ if (posix_clocks[which_clock] == NULL)
70514 return 0;
70515- if (posix_clocks[which_clock].res != 0)
70516+ if (posix_clocks[which_clock]->clock_getres != NULL)
70517+ return 0;
70518+ if (posix_clocks[which_clock]->res != 0)
70519 return 0;
70520 return 1;
70521 }
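Review bot: The new `posix_clocks[which_clock] == NULL` test returns 0, which in this function means the id is valid (the out-of-range check just above returns 1). Before the change an unregistered slot was a zeroed struct and fell through to `return 1`; now it appears to be accepted. `CLOCK_DISPATCH` and `common_clock_getres()` in the earlier hunks dereference `posix_clocks[clock]->...` without a NULL test. Unless every id below MAX_CLOCKS is registered somewhere not shown, the check should read `if (posix_clocks[which_clock] == NULL) return 1;`. The function starts above the hunk.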
70522@@ -266,29 +269,29 @@ int posix_get_coarse_res(const clockid_t
70523 */
70524 static __init int init_posix_timers(void)
70525 {
70526- struct k_clock clock_realtime = {
70527+ static struct k_clock clock_realtime = {
70528 .clock_getres = hrtimer_get_res,
70529 };
70530- struct k_clock clock_monotonic = {
70531+ static struct k_clock clock_monotonic = {
70532 .clock_getres = hrtimer_get_res,
70533 .clock_get = posix_ktime_get_ts,
70534 .clock_set = do_posix_clock_nosettime,
70535 };
70536- struct k_clock clock_monotonic_raw = {
70537+ static struct k_clock clock_monotonic_raw = {
70538 .clock_getres = hrtimer_get_res,
70539 .clock_get = posix_get_monotonic_raw,
70540 .clock_set = do_posix_clock_nosettime,
70541 .timer_create = no_timer_create,
70542 .nsleep = no_nsleep,
70543 };
70544- struct k_clock clock_realtime_coarse = {
70545+ static struct k_clock clock_realtime_coarse = {
70546 .clock_getres = posix_get_coarse_res,
70547 .clock_get = posix_get_realtime_coarse,
70548 .clock_set = do_posix_clock_nosettime,
70549 .timer_create = no_timer_create,
70550 .nsleep = no_nsleep,
70551 };
70552- struct k_clock clock_monotonic_coarse = {
70553+ static struct k_clock clock_monotonic_coarse = {
70554 .clock_getres = posix_get_coarse_res,
70555 .clock_get = posix_get_monotonic_coarse,
70556 .clock_set = do_posix_clock_nosettime,
70557@@ -296,6 +299,8 @@ static __init int init_posix_timers(void
70558 .nsleep = no_nsleep,
70559 };
70560
70561+ pax_track_stack();
70562+
70563 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
70564 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
70565 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
70566@@ -484,7 +489,7 @@ void register_posix_clock(const clockid_
70567 return;
70568 }
70569
70570- posix_clocks[clock_id] = *new_clock;
70571+ posix_clocks[clock_id] = new_clock;
70572 }
70573 EXPORT_SYMBOL_GPL(register_posix_clock);
70574
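Review bot: `register_posix_clock()` now keeps the caller's pointer instead of copying the struct, and the new lifetime rule is not written anywhere. The function is exported with `EXPORT_SYMBOL_GPL`, so a caller that passes a stack or init-only object would leave a dangling entry in `posix_clocks[]`. The callers in this file and in posix-cpu-timers.c were made `static` by this patch, but other callers cannot be checked from here. Add a comment at the function, e.g. `/* new_clock is stored by reference and must stay valid for the lifetime of the kernel */`. The function body starts outside the hunk.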
70575@@ -948,6 +953,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
70576 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
70577 return -EFAULT;
70578
70579+ /* only the CLOCK_REALTIME clock can be set, all other clocks
70580+ have their clock_set fptr set to a nosettime dummy function
70581+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
70582+ call common_clock_set, which calls do_sys_settimeofday, which
70583+ we hook
70584+ */
70585+
70586 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
70587 }
70588
70589diff -urNp linux-2.6.32.48/kernel/power/hibernate.c linux-2.6.32.48/kernel/power/hibernate.c
70590--- linux-2.6.32.48/kernel/power/hibernate.c 2011-11-08 19:02:43.000000000 -0500
70591+++ linux-2.6.32.48/kernel/power/hibernate.c 2011-11-15 19:59:43.000000000 -0500
70592@@ -48,14 +48,14 @@ enum {
70593
70594 static int hibernation_mode = HIBERNATION_SHUTDOWN;
70595
70596-static struct platform_hibernation_ops *hibernation_ops;
70597+static const struct platform_hibernation_ops *hibernation_ops;
70598
70599 /**
70600 * hibernation_set_ops - set the global hibernate operations
70601 * @ops: the hibernation operations to use in subsequent hibernation transitions
70602 */
70603
70604-void hibernation_set_ops(struct platform_hibernation_ops *ops)
70605+void hibernation_set_ops(const struct platform_hibernation_ops *ops)
70606 {
70607 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
70608 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
70609diff -urNp linux-2.6.32.48/kernel/power/poweroff.c linux-2.6.32.48/kernel/power/poweroff.c
70610--- linux-2.6.32.48/kernel/power/poweroff.c 2011-11-08 19:02:43.000000000 -0500
70611+++ linux-2.6.32.48/kernel/power/poweroff.c 2011-11-15 19:59:43.000000000 -0500
70612@@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
70613 .enable_mask = SYSRQ_ENABLE_BOOT,
70614 };
70615
70616-static int pm_sysrq_init(void)
70617+static int __init pm_sysrq_init(void)
70618 {
70619 register_sysrq_key('o', &sysrq_poweroff_op);
70620 return 0;
70621diff -urNp linux-2.6.32.48/kernel/power/process.c linux-2.6.32.48/kernel/power/process.c
70622--- linux-2.6.32.48/kernel/power/process.c 2011-11-08 19:02:43.000000000 -0500
70623+++ linux-2.6.32.48/kernel/power/process.c 2011-11-15 19:59:43.000000000 -0500
70624@@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
70625 struct timeval start, end;
70626 u64 elapsed_csecs64;
70627 unsigned int elapsed_csecs;
70628+ bool timedout = false;
70629
70630 do_gettimeofday(&start);
70631
70632 end_time = jiffies + TIMEOUT;
70633 do {
70634 todo = 0;
70635+ if (time_after(jiffies, end_time))
70636+ timedout = true;
70637 read_lock(&tasklist_lock);
70638 do_each_thread(g, p) {
70639 if (frozen(p) || !freezeable(p))
70640@@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
70641 * It is "frozen enough". If the task does wake
70642 * up, it will immediately call try_to_freeze.
70643 */
70644- if (!task_is_stopped_or_traced(p) &&
70645- !freezer_should_skip(p))
70646+ if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
70647 todo++;
70648+ if (timedout) {
70649+ printk(KERN_ERR "Task refusing to freeze:\n");
70650+ sched_show_task(p);
70651+ }
70652+ }
70653 } while_each_thread(g, p);
70654 read_unlock(&tasklist_lock);
70655 yield(); /* Yield is okay here */
70656- if (time_after(jiffies, end_time))
70657- break;
70658- } while (todo);
70659+ } while (todo && !timedout);
70660
70661 do_gettimeofday(&end);
70662 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
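Review bot: The loop now runs one extra full pass after the timeout expires, purely to report stragglers, and that is not obvious from the code. `timedout` is set at the top of the iteration (previous hunk) and only ends the loop at the bottom. A comment at the flag, `/* set on the pass after TIMEOUT expires; that pass logs every task still not frozen, then the loop exits */`, would make this clear. The `Task refusing to freeze:` header is also printed once per thread while `tasklist_lock` is read-held, so printing it once before the first report would shorten both the log and the time under the lock. The function extends beyond both hunks.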
70663diff -urNp linux-2.6.32.48/kernel/power/suspend.c linux-2.6.32.48/kernel/power/suspend.c
70664--- linux-2.6.32.48/kernel/power/suspend.c 2011-11-08 19:02:43.000000000 -0500
70665+++ linux-2.6.32.48/kernel/power/suspend.c 2011-11-15 19:59:43.000000000 -0500
70666@@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
70667 [PM_SUSPEND_MEM] = "mem",
70668 };
70669
70670-static struct platform_suspend_ops *suspend_ops;
70671+static const struct platform_suspend_ops *suspend_ops;
70672
70673 /**
70674 * suspend_set_ops - Set the global suspend method table.
70675 * @ops: Pointer to ops structure.
70676 */
70677-void suspend_set_ops(struct platform_suspend_ops *ops)
70678+void suspend_set_ops(const struct platform_suspend_ops *ops)
70679 {
70680 mutex_lock(&pm_mutex);
70681 suspend_ops = ops;
70682diff -urNp linux-2.6.32.48/kernel/printk.c linux-2.6.32.48/kernel/printk.c
70683--- linux-2.6.32.48/kernel/printk.c 2011-11-08 19:02:43.000000000 -0500
70684+++ linux-2.6.32.48/kernel/printk.c 2011-11-15 19:59:43.000000000 -0500
70685@@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
70686 char c;
70687 int error = 0;
70688
70689+#ifdef CONFIG_GRKERNSEC_DMESG
70690+ if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
70691+ return -EPERM;
70692+#endif
70693+
70694 error = security_syslog(type);
70695 if (error)
70696 return error;
70697diff -urNp linux-2.6.32.48/kernel/profile.c linux-2.6.32.48/kernel/profile.c
70698--- linux-2.6.32.48/kernel/profile.c 2011-11-08 19:02:43.000000000 -0500
70699+++ linux-2.6.32.48/kernel/profile.c 2011-11-15 19:59:43.000000000 -0500
70700@@ -39,7 +39,7 @@ struct profile_hit {
70701 /* Oprofile timer tick hook */
70702 static int (*timer_hook)(struct pt_regs *) __read_mostly;
70703
70704-static atomic_t *prof_buffer;
70705+static atomic_unchecked_t *prof_buffer;
70706 static unsigned long prof_len, prof_shift;
70707
70708 int prof_on __read_mostly;
70709@@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
70710 hits[i].pc = 0;
70711 continue;
70712 }
70713- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
70714+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
70715 hits[i].hits = hits[i].pc = 0;
70716 }
70717 }
70718@@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
70719 * Add the current hit(s) and flush the write-queue out
70720 * to the global buffer:
70721 */
70722- atomic_add(nr_hits, &prof_buffer[pc]);
70723+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
70724 for (i = 0; i < NR_PROFILE_HIT; ++i) {
70725- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
70726+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
70727 hits[i].pc = hits[i].hits = 0;
70728 }
70729 out:
70730@@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
70731 if (prof_on != type || !prof_buffer)
70732 return;
70733 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
70734- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
70735+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
70736 }
70737 #endif /* !CONFIG_SMP */
70738 EXPORT_SYMBOL_GPL(profile_hits);
70739@@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
70740 return -EFAULT;
70741 buf++; p++; count--; read++;
70742 }
70743- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
70744+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
70745 if (copy_to_user(buf, (void *)pnt, count))
70746 return -EFAULT;
70747 read += count;
70748@@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
70749 }
70750 #endif
70751 profile_discard_flip_buffers();
70752- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
70753+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
70754 return count;
70755 }
70756
70757diff -urNp linux-2.6.32.48/kernel/ptrace.c linux-2.6.32.48/kernel/ptrace.c
70758--- linux-2.6.32.48/kernel/ptrace.c 2011-11-08 19:02:43.000000000 -0500
70759+++ linux-2.6.32.48/kernel/ptrace.c 2011-11-15 19:59:43.000000000 -0500
70760@@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
70761 return ret;
70762 }
70763
70764-int __ptrace_may_access(struct task_struct *task, unsigned int mode)
70765+static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
70766+ unsigned int log)
70767 {
70768 const struct cred *cred = current_cred(), *tcred;
70769
70770@@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
70771 cred->gid != tcred->egid ||
70772 cred->gid != tcred->sgid ||
70773 cred->gid != tcred->gid) &&
70774- !capable(CAP_SYS_PTRACE)) {
70775+ ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
70776+ (log && !capable(CAP_SYS_PTRACE)))
70777+ ) {
70778 rcu_read_unlock();
70779 return -EPERM;
70780 }
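Review bot: The capability test `((!log && !capable_nolog(CAP_SYS_PTRACE)) || (log && !capable(CAP_SYS_PTRACE)))` is written out twice, here and in the dumpable check of the next hunk, which makes the two copies easy to diverge. A small static helper, `static bool ptrace_has_cap(unsigned int log) { return log ? capable(CAP_SYS_PTRACE) : capable_nolog(CAP_SYS_PTRACE); }`, would let both sites read `!ptrace_has_cap(log)`. `log` is only ever 0 or 1 in the visible callers, so `bool` would describe it better than `unsigned int`. The function starts in the previous hunk and continues past this one.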
70781@@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
70782 smp_rmb();
70783 if (task->mm)
70784 dumpable = get_dumpable(task->mm);
70785- if (!dumpable && !capable(CAP_SYS_PTRACE))
70786+ if (!dumpable &&
70787+ ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
70788+ (log && !capable(CAP_SYS_PTRACE))))
70789 return -EPERM;
70790
70791 return security_ptrace_access_check(task, mode);
70792@@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
70793 {
70794 int err;
70795 task_lock(task);
70796- err = __ptrace_may_access(task, mode);
70797+ err = __ptrace_may_access(task, mode, 0);
70798+ task_unlock(task);
70799+ return !err;
70800+}
70801+
70802+bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
70803+{
70804+ int err;
70805+ task_lock(task);
70806+ err = __ptrace_may_access(task, mode, 1);
70807 task_unlock(task);
70808 return !err;
70809 }
70810@@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
70811 goto out;
70812
70813 task_lock(task);
70814- retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
70815+ retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
70816 task_unlock(task);
70817 if (retval)
70818 goto unlock_creds;
70819@@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
70820 goto unlock_tasklist;
70821
70822 task->ptrace = PT_PTRACED;
70823- if (capable(CAP_SYS_PTRACE))
70824+ if (capable_nolog(CAP_SYS_PTRACE))
70825 task->ptrace |= PT_PTRACE_CAP;
70826
70827 __ptrace_link(task, current);
70828@@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
70829 {
70830 int copied = 0;
70831
70832+ pax_track_stack();
70833+
70834 while (len > 0) {
70835 char buf[128];
70836 int this_len, retval;
70837@@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
70838 {
70839 int copied = 0;
70840
70841+ pax_track_stack();
70842+
70843 while (len > 0) {
70844 char buf[128];
70845 int this_len, retval;
70846@@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
70847 int ret = -EIO;
70848 siginfo_t siginfo;
70849
70850+ pax_track_stack();
70851+
70852 switch (request) {
70853 case PTRACE_PEEKTEXT:
70854 case PTRACE_PEEKDATA:
70855@@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
70856 ret = ptrace_setoptions(child, data);
70857 break;
70858 case PTRACE_GETEVENTMSG:
70859- ret = put_user(child->ptrace_message, (unsigned long __user *) data);
70860+ ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
70861 break;
70862
70863 case PTRACE_GETSIGINFO:
70864 ret = ptrace_getsiginfo(child, &siginfo);
70865 if (!ret)
70866- ret = copy_siginfo_to_user((siginfo_t __user *) data,
70867+ ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
70868 &siginfo);
70869 break;
70870
70871 case PTRACE_SETSIGINFO:
70872- if (copy_from_user(&siginfo, (siginfo_t __user *) data,
70873+ if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
70874 sizeof siginfo))
70875 ret = -EFAULT;
70876 else
70877@@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
70878 goto out;
70879 }
70880
70881+ if (gr_handle_ptrace(child, request)) {
70882+ ret = -EPERM;
70883+ goto out_put_task_struct;
70884+ }
70885+
70886 if (request == PTRACE_ATTACH) {
70887 ret = ptrace_attach(child);
70888 /*
70889 * Some architectures need to do book-keeping after
70890 * a ptrace attach.
70891 */
70892- if (!ret)
70893+ if (!ret) {
70894 arch_ptrace_attach(child);
70895+ gr_audit_ptrace(child);
70896+ }
70897 goto out_put_task_struct;
70898 }
70899
70900@@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
70901 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
70902 if (copied != sizeof(tmp))
70903 return -EIO;
70904- return put_user(tmp, (unsigned long __user *)data);
70905+ return put_user(tmp, (__force unsigned long __user *)data);
70906 }
70907
70908 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
70909@@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
70910 siginfo_t siginfo;
70911 int ret;
70912
70913+ pax_track_stack();
70914+
70915 switch (request) {
70916 case PTRACE_PEEKTEXT:
70917 case PTRACE_PEEKDATA:
70918@@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
70919 goto out;
70920 }
70921
70922+ if (gr_handle_ptrace(child, request)) {
70923+ ret = -EPERM;
70924+ goto out_put_task_struct;
70925+ }
70926+
70927 if (request == PTRACE_ATTACH) {
70928 ret = ptrace_attach(child);
70929 /*
70930 * Some architectures need to do book-keeping after
70931 * a ptrace attach.
70932 */
70933- if (!ret)
70934+ if (!ret) {
70935 arch_ptrace_attach(child);
70936+ gr_audit_ptrace(child);
70937+ }
70938 goto out_put_task_struct;
70939 }
70940
70941diff -urNp linux-2.6.32.48/kernel/rcutorture.c linux-2.6.32.48/kernel/rcutorture.c
70942--- linux-2.6.32.48/kernel/rcutorture.c 2011-11-08 19:02:43.000000000 -0500
70943+++ linux-2.6.32.48/kernel/rcutorture.c 2011-11-15 19:59:43.000000000 -0500
70944@@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
70945 { 0 };
70946 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
70947 { 0 };
70948-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70949-static atomic_t n_rcu_torture_alloc;
70950-static atomic_t n_rcu_torture_alloc_fail;
70951-static atomic_t n_rcu_torture_free;
70952-static atomic_t n_rcu_torture_mberror;
70953-static atomic_t n_rcu_torture_error;
70954+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
70955+static atomic_unchecked_t n_rcu_torture_alloc;
70956+static atomic_unchecked_t n_rcu_torture_alloc_fail;
70957+static atomic_unchecked_t n_rcu_torture_free;
70958+static atomic_unchecked_t n_rcu_torture_mberror;
70959+static atomic_unchecked_t n_rcu_torture_error;
70960 static long n_rcu_torture_timers;
70961 static struct list_head rcu_torture_removed;
70962 static cpumask_var_t shuffle_tmp_mask;
70963@@ -187,11 +187,11 @@ rcu_torture_alloc(void)
70964
70965 spin_lock_bh(&rcu_torture_lock);
70966 if (list_empty(&rcu_torture_freelist)) {
70967- atomic_inc(&n_rcu_torture_alloc_fail);
70968+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
70969 spin_unlock_bh(&rcu_torture_lock);
70970 return NULL;
70971 }
70972- atomic_inc(&n_rcu_torture_alloc);
70973+ atomic_inc_unchecked(&n_rcu_torture_alloc);
70974 p = rcu_torture_freelist.next;
70975 list_del_init(p);
70976 spin_unlock_bh(&rcu_torture_lock);
70977@@ -204,7 +204,7 @@ rcu_torture_alloc(void)
70978 static void
70979 rcu_torture_free(struct rcu_torture *p)
70980 {
70981- atomic_inc(&n_rcu_torture_free);
70982+ atomic_inc_unchecked(&n_rcu_torture_free);
70983 spin_lock_bh(&rcu_torture_lock);
70984 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
70985 spin_unlock_bh(&rcu_torture_lock);
70986@@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
70987 i = rp->rtort_pipe_count;
70988 if (i > RCU_TORTURE_PIPE_LEN)
70989 i = RCU_TORTURE_PIPE_LEN;
70990- atomic_inc(&rcu_torture_wcount[i]);
70991+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
70992 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
70993 rp->rtort_mbtest = 0;
70994 rcu_torture_free(rp);
70995@@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
70996 i = rp->rtort_pipe_count;
70997 if (i > RCU_TORTURE_PIPE_LEN)
70998 i = RCU_TORTURE_PIPE_LEN;
70999- atomic_inc(&rcu_torture_wcount[i]);
71000+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
71001 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
71002 rp->rtort_mbtest = 0;
71003 list_del(&rp->rtort_free);
71004@@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
71005 i = old_rp->rtort_pipe_count;
71006 if (i > RCU_TORTURE_PIPE_LEN)
71007 i = RCU_TORTURE_PIPE_LEN;
71008- atomic_inc(&rcu_torture_wcount[i]);
71009+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
71010 old_rp->rtort_pipe_count++;
71011 cur_ops->deferred_free(old_rp);
71012 }
71013@@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
71014 return;
71015 }
71016 if (p->rtort_mbtest == 0)
71017- atomic_inc(&n_rcu_torture_mberror);
71018+ atomic_inc_unchecked(&n_rcu_torture_mberror);
71019 spin_lock(&rand_lock);
71020 cur_ops->read_delay(&rand);
71021 n_rcu_torture_timers++;
71022@@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
71023 continue;
71024 }
71025 if (p->rtort_mbtest == 0)
71026- atomic_inc(&n_rcu_torture_mberror);
71027+ atomic_inc_unchecked(&n_rcu_torture_mberror);
71028 cur_ops->read_delay(&rand);
71029 preempt_disable();
71030 pipe_count = p->rtort_pipe_count;
71031@@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
71032 rcu_torture_current,
71033 rcu_torture_current_version,
71034 list_empty(&rcu_torture_freelist),
71035- atomic_read(&n_rcu_torture_alloc),
71036- atomic_read(&n_rcu_torture_alloc_fail),
71037- atomic_read(&n_rcu_torture_free),
71038- atomic_read(&n_rcu_torture_mberror),
71039+ atomic_read_unchecked(&n_rcu_torture_alloc),
71040+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
71041+ atomic_read_unchecked(&n_rcu_torture_free),
71042+ atomic_read_unchecked(&n_rcu_torture_mberror),
71043 n_rcu_torture_timers);
71044- if (atomic_read(&n_rcu_torture_mberror) != 0)
71045+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
71046 cnt += sprintf(&page[cnt], " !!!");
71047 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
71048 if (i > 1) {
71049 cnt += sprintf(&page[cnt], "!!! ");
71050- atomic_inc(&n_rcu_torture_error);
71051+ atomic_inc_unchecked(&n_rcu_torture_error);
71052 WARN_ON_ONCE(1);
71053 }
71054 cnt += sprintf(&page[cnt], "Reader Pipe: ");
71055@@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
71056 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
71057 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
71058 cnt += sprintf(&page[cnt], " %d",
71059- atomic_read(&rcu_torture_wcount[i]));
71060+ atomic_read_unchecked(&rcu_torture_wcount[i]));
71061 }
71062 cnt += sprintf(&page[cnt], "\n");
71063 if (cur_ops->stats)
71064@@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
71065
71066 if (cur_ops->cleanup)
71067 cur_ops->cleanup();
71068- if (atomic_read(&n_rcu_torture_error))
71069+ if (atomic_read_unchecked(&n_rcu_torture_error))
71070 rcu_torture_print_module_parms("End of test: FAILURE");
71071 else
71072 rcu_torture_print_module_parms("End of test: SUCCESS");
71073@@ -1138,13 +1138,13 @@ rcu_torture_init(void)
71074
71075 rcu_torture_current = NULL;
71076 rcu_torture_current_version = 0;
71077- atomic_set(&n_rcu_torture_alloc, 0);
71078- atomic_set(&n_rcu_torture_alloc_fail, 0);
71079- atomic_set(&n_rcu_torture_free, 0);
71080- atomic_set(&n_rcu_torture_mberror, 0);
71081- atomic_set(&n_rcu_torture_error, 0);
71082+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
71083+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
71084+ atomic_set_unchecked(&n_rcu_torture_free, 0);
71085+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
71086+ atomic_set_unchecked(&n_rcu_torture_error, 0);
71087 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
71088- atomic_set(&rcu_torture_wcount[i], 0);
71089+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
71090 for_each_possible_cpu(cpu) {
71091 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
71092 per_cpu(rcu_torture_count, cpu)[i] = 0;
71093diff -urNp linux-2.6.32.48/kernel/rcutree.c linux-2.6.32.48/kernel/rcutree.c
71094--- linux-2.6.32.48/kernel/rcutree.c 2011-11-08 19:02:43.000000000 -0500
71095+++ linux-2.6.32.48/kernel/rcutree.c 2011-11-15 19:59:43.000000000 -0500
71096@@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
71097 /*
71098 * Do softirq processing for the current CPU.
71099 */
71100-static void rcu_process_callbacks(struct softirq_action *unused)
71101+static void rcu_process_callbacks(void)
71102 {
71103 /*
71104 * Memory references from any prior RCU read-side critical sections
71105diff -urNp linux-2.6.32.48/kernel/rcutree_plugin.h linux-2.6.32.48/kernel/rcutree_plugin.h
71106--- linux-2.6.32.48/kernel/rcutree_plugin.h 2011-11-08 19:02:43.000000000 -0500
71107+++ linux-2.6.32.48/kernel/rcutree_plugin.h 2011-11-15 19:59:43.000000000 -0500
71108@@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
71109 */
71110 void __rcu_read_lock(void)
71111 {
71112- ACCESS_ONCE(current->rcu_read_lock_nesting)++;
71113+ ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
71114 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
71115 }
71116 EXPORT_SYMBOL_GPL(__rcu_read_lock);
71117@@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
71118 struct task_struct *t = current;
71119
71120 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
71121- if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
71122+ if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
71123 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
71124 rcu_read_unlock_special(t);
71125 }
71126diff -urNp linux-2.6.32.48/kernel/relay.c linux-2.6.32.48/kernel/relay.c
71127--- linux-2.6.32.48/kernel/relay.c 2011-11-08 19:02:43.000000000 -0500
71128+++ linux-2.6.32.48/kernel/relay.c 2011-11-15 19:59:43.000000000 -0500
71129@@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
71130 unsigned int flags,
71131 int *nonpad_ret)
71132 {
71133- unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
71134+ unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
71135 struct rchan_buf *rbuf = in->private_data;
71136 unsigned int subbuf_size = rbuf->chan->subbuf_size;
71137 uint64_t pos = (uint64_t) *ppos;
71138@@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
71139 .ops = &relay_pipe_buf_ops,
71140 .spd_release = relay_page_release,
71141 };
71142+ ssize_t ret;
71143+
71144+ pax_track_stack();
71145
71146 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
71147 return 0;
71148diff -urNp linux-2.6.32.48/kernel/resource.c linux-2.6.32.48/kernel/resource.c
71149--- linux-2.6.32.48/kernel/resource.c 2011-11-08 19:02:43.000000000 -0500
71150+++ linux-2.6.32.48/kernel/resource.c 2011-11-15 19:59:43.000000000 -0500
71151@@ -132,8 +132,18 @@ static const struct file_operations proc
71152
71153 static int __init ioresources_init(void)
71154 {
71155+#ifdef CONFIG_GRKERNSEC_PROC_ADD
71156+#ifdef CONFIG_GRKERNSEC_PROC_USER
71157+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
71158+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
71159+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
71160+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
71161+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
71162+#endif
71163+#else
71164 proc_create("ioports", 0, NULL, &proc_ioports_operations);
71165 proc_create("iomem", 0, NULL, &proc_iomem_operations);
71166+#endif
71167 return 0;
71168 }
71169 __initcall(ioresources_init);
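Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` in ioresources_init() has no fallback branch, so neither `ioports` nor `iomem` is registered and the function still returns 0. If Kconfig guarantees that one of the two always accompanies PROC_ADD (not visible here), record that with an inner `#else` holding `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"`. Otherwise add a root-only default such as `proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);` and the same for `iomem`. The return value of proc_create() is ignored in every branch, so a failed registration of these restricted entries goes unnoticed.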
71170diff -urNp linux-2.6.32.48/kernel/rtmutex.c linux-2.6.32.48/kernel/rtmutex.c
71171--- linux-2.6.32.48/kernel/rtmutex.c 2011-11-08 19:02:43.000000000 -0500
71172+++ linux-2.6.32.48/kernel/rtmutex.c 2011-11-15 19:59:43.000000000 -0500
71173@@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
71174 */
71175 spin_lock_irqsave(&pendowner->pi_lock, flags);
71176
71177- WARN_ON(!pendowner->pi_blocked_on);
71178+ BUG_ON(!pendowner->pi_blocked_on);
71179 WARN_ON(pendowner->pi_blocked_on != waiter);
71180 WARN_ON(pendowner->pi_blocked_on->lock != lock);
71181
71182diff -urNp linux-2.6.32.48/kernel/rtmutex-tester.c linux-2.6.32.48/kernel/rtmutex-tester.c
71183--- linux-2.6.32.48/kernel/rtmutex-tester.c 2011-11-08 19:02:43.000000000 -0500
71184+++ linux-2.6.32.48/kernel/rtmutex-tester.c 2011-11-15 19:59:43.000000000 -0500
71185@@ -21,7 +21,7 @@
71186 #define MAX_RT_TEST_MUTEXES 8
71187
71188 static spinlock_t rttest_lock;
71189-static atomic_t rttest_event;
71190+static atomic_unchecked_t rttest_event;
71191
71192 struct test_thread_data {
71193 int opcode;
71194@@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
71195
71196 case RTTEST_LOCKCONT:
71197 td->mutexes[td->opdata] = 1;
71198- td->event = atomic_add_return(1, &rttest_event);
71199+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71200 return 0;
71201
71202 case RTTEST_RESET:
71203@@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
71204 return 0;
71205
71206 case RTTEST_RESETEVENT:
71207- atomic_set(&rttest_event, 0);
71208+ atomic_set_unchecked(&rttest_event, 0);
71209 return 0;
71210
71211 default:
71212@@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
71213 return ret;
71214
71215 td->mutexes[id] = 1;
71216- td->event = atomic_add_return(1, &rttest_event);
71217+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71218 rt_mutex_lock(&mutexes[id]);
71219- td->event = atomic_add_return(1, &rttest_event);
71220+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71221 td->mutexes[id] = 4;
71222 return 0;
71223
71224@@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
71225 return ret;
71226
71227 td->mutexes[id] = 1;
71228- td->event = atomic_add_return(1, &rttest_event);
71229+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71230 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
71231- td->event = atomic_add_return(1, &rttest_event);
71232+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71233 td->mutexes[id] = ret ? 0 : 4;
71234 return ret ? -EINTR : 0;
71235
71236@@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
71237 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
71238 return ret;
71239
71240- td->event = atomic_add_return(1, &rttest_event);
71241+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71242 rt_mutex_unlock(&mutexes[id]);
71243- td->event = atomic_add_return(1, &rttest_event);
71244+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71245 td->mutexes[id] = 0;
71246 return 0;
71247
71248@@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
71249 break;
71250
71251 td->mutexes[dat] = 2;
71252- td->event = atomic_add_return(1, &rttest_event);
71253+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71254 break;
71255
71256 case RTTEST_LOCKBKL:
71257@@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
71258 return;
71259
71260 td->mutexes[dat] = 3;
71261- td->event = atomic_add_return(1, &rttest_event);
71262+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71263 break;
71264
71265 case RTTEST_LOCKNOWAIT:
71266@@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
71267 return;
71268
71269 td->mutexes[dat] = 1;
71270- td->event = atomic_add_return(1, &rttest_event);
71271+ td->event = atomic_add_return_unchecked(1, &rttest_event);
71272 return;
71273
71274 case RTTEST_LOCKBKL:
71275diff -urNp linux-2.6.32.48/kernel/sched.c linux-2.6.32.48/kernel/sched.c
71276--- linux-2.6.32.48/kernel/sched.c 2011-11-08 19:02:43.000000000 -0500
71277+++ linux-2.6.32.48/kernel/sched.c 2011-11-15 19:59:43.000000000 -0500
71278@@ -2764,9 +2764,10 @@ void wake_up_new_task(struct task_struct
71279 {
71280 unsigned long flags;
71281 struct rq *rq;
71282- int cpu = get_cpu();
71283
71284 #ifdef CONFIG_SMP
71285+ int cpu = get_cpu();
71286+
71287 rq = task_rq_lock(p, &flags);
71288 p->state = TASK_WAKING;
71289
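Review bot: Moving `int cpu = get_cpu();` under `#ifdef CONFIG_SMP` means a build without CONFIG_SMP no longer disables preemption on entry to wake_up_new_task(). The rest of the function lies outside this hunk; if its matching `put_cpu();` is still unconditional there, a uniprocessor build with preemption enabled would lower the preempt count without having raised it. Either keep the `get_cpu()` call unconditional and mark the variable `__maybe_unused`, or guard the `put_cpu();` with the same `#ifdef CONFIG_SMP`.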
71290@@ -5043,7 +5044,7 @@ out:
71291 * In CONFIG_NO_HZ case, the idle load balance owner will do the
71292 * rebalancing for all the cpus for whom scheduler ticks are stopped.
71293 */
71294-static void run_rebalance_domains(struct softirq_action *h)
71295+static void run_rebalance_domains(void)
71296 {
71297 int this_cpu = smp_processor_id();
71298 struct rq *this_rq = cpu_rq(this_cpu);
71299@@ -5700,6 +5701,8 @@ asmlinkage void __sched schedule(void)
71300 struct rq *rq;
71301 int cpu;
71302
71303+ pax_track_stack();
71304+
71305 need_resched:
71306 preempt_disable();
71307 cpu = smp_processor_id();
71308@@ -5770,7 +5773,7 @@ EXPORT_SYMBOL(schedule);
71309 * Look out! "owner" is an entirely speculative pointer
71310 * access and not reliable.
71311 */
71312-int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
71313+int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
71314 {
71315 unsigned int cpu;
71316 struct rq *rq;
71317@@ -5784,10 +5787,10 @@ int mutex_spin_on_owner(struct mutex *lo
71318 * DEBUG_PAGEALLOC could have unmapped it if
71319 * the mutex owner just released it and exited.
71320 */
71321- if (probe_kernel_address(&owner->cpu, cpu))
71322+ if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
71323 return 0;
71324 #else
71325- cpu = owner->cpu;
71326+ cpu = task_thread_info(owner)->cpu;
71327 #endif
71328
71329 /*
71330@@ -5816,7 +5819,7 @@ int mutex_spin_on_owner(struct mutex *lo
71331 /*
71332 * Is that owner really running on that cpu?
71333 */
71334- if (task_thread_info(rq->curr) != owner || need_resched())
71335+ if (rq->curr != owner || need_resched())
71336 return 0;
71337
71338 cpu_relax();
71339@@ -6359,6 +6362,8 @@ int can_nice(const struct task_struct *p
71340 /* convert nice value [19,-20] to rlimit style value [1,40] */
71341 int nice_rlim = 20 - nice;
71342
71343+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
71344+
71345 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
71346 capable(CAP_SYS_NICE));
71347 }
71348@@ -6392,7 +6397,8 @@ SYSCALL_DEFINE1(nice, int, increment)
71349 if (nice > 19)
71350 nice = 19;
71351
71352- if (increment < 0 && !can_nice(current, nice))
71353+ if (increment < 0 && (!can_nice(current, nice) ||
71354+ gr_handle_chroot_nice()))
71355 return -EPERM;
71356
71357 retval = security_task_setnice(current, nice);
71358@@ -8774,7 +8780,7 @@ static void init_sched_groups_power(int
71359 long power;
71360 int weight;
71361
71362- WARN_ON(!sd || !sd->groups);
71363+ BUG_ON(!sd || !sd->groups);
71364
71365 if (cpu != group_first_cpu(sd->groups))
71366 return;
71367diff -urNp linux-2.6.32.48/kernel/signal.c linux-2.6.32.48/kernel/signal.c
71368--- linux-2.6.32.48/kernel/signal.c 2011-11-08 19:02:43.000000000 -0500
71369+++ linux-2.6.32.48/kernel/signal.c 2011-11-15 19:59:43.000000000 -0500
71370@@ -41,12 +41,12 @@
71371
71372 static struct kmem_cache *sigqueue_cachep;
71373
71374-static void __user *sig_handler(struct task_struct *t, int sig)
71375+static __sighandler_t sig_handler(struct task_struct *t, int sig)
71376 {
71377 return t->sighand->action[sig - 1].sa.sa_handler;
71378 }
71379
71380-static int sig_handler_ignored(void __user *handler, int sig)
71381+static int sig_handler_ignored(__sighandler_t handler, int sig)
71382 {
71383 /* Is it explicitly or implicitly ignored? */
71384 return handler == SIG_IGN ||
71385@@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
71386 static int sig_task_ignored(struct task_struct *t, int sig,
71387 int from_ancestor_ns)
71388 {
71389- void __user *handler;
71390+ __sighandler_t handler;
71391
71392 handler = sig_handler(t, sig);
71393
71394@@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
71395 */
71396 user = get_uid(__task_cred(t)->user);
71397 atomic_inc(&user->sigpending);
71398+
71399+ if (!override_rlimit)
71400+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
71401 if (override_rlimit ||
71402 atomic_read(&user->sigpending) <=
71403 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
71404@@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
71405
71406 int unhandled_signal(struct task_struct *tsk, int sig)
71407 {
71408- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
71409+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
71410 if (is_global_init(tsk))
71411 return 1;
71412 if (handler != SIG_IGN && handler != SIG_DFL)
71413@@ -627,6 +630,13 @@ static int check_kill_permission(int sig
71414 }
71415 }
71416
71417+ /* allow glibc communication via tgkill to other threads in our
71418+ thread group */
71419+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
71420+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
71421+ && gr_handle_signal(t, sig))
71422+ return -EPERM;
71423+
71424 return security_task_kill(t, info, sig, 0);
71425 }
71426
71427@@ -968,7 +978,7 @@ __group_send_sig_info(int sig, struct si
71428 return send_signal(sig, info, p, 1);
71429 }
71430
71431-static int
71432+int
71433 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
71434 {
71435 return send_signal(sig, info, t, 0);
71436@@ -1005,6 +1015,7 @@ force_sig_info(int sig, struct siginfo *
71437 unsigned long int flags;
71438 int ret, blocked, ignored;
71439 struct k_sigaction *action;
71440+ int is_unhandled = 0;
71441
71442 spin_lock_irqsave(&t->sighand->siglock, flags);
71443 action = &t->sighand->action[sig-1];
71444@@ -1019,9 +1030,18 @@ force_sig_info(int sig, struct siginfo *
71445 }
71446 if (action->sa.sa_handler == SIG_DFL)
71447 t->signal->flags &= ~SIGNAL_UNKILLABLE;
71448+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
71449+ is_unhandled = 1;
71450 ret = specific_send_sig_info(sig, info, t);
71451 spin_unlock_irqrestore(&t->sighand->siglock, flags);
71452
71453+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
71454+ normal operation */
71455+ if (is_unhandled) {
71456+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
71457+ gr_handle_crash(t, sig);
71458+ }
71459+
71460 return ret;
71461 }
71462
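Review bot: `info->si_addr` is handed to gr_log_signal() for every non-special siginfo, but si_addr is a union member that only carries a fault address for fault-type signals; in a siginfo describing a user-sent signal it overlays the sender pid/uid fields. The same expression appears in the group_send_sig_info() hunk that follows, where the siginfo comes from a kill-style request, so the value logged there may be caller-supplied data rather than a faulting address. gr_log_signal() is not visible here and may already filter by signal number; if it does not, pass NULL unless the siginfo is kernel-originated, e.g. `(!is_si_special(info) && SI_FROMKERNEL(info)) ? info->si_addr : NULL`. Until that is confirmed, anything consuming these log lines for detection should treat the address field as untrusted.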
71463@@ -1081,8 +1101,11 @@ int group_send_sig_info(int sig, struct
71464 {
71465 int ret = check_kill_permission(sig, info, p);
71466
71467- if (!ret && sig)
71468+ if (!ret && sig) {
71469 ret = do_send_sig_info(sig, info, p, true);
71470+ if (!ret)
71471+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
71472+ }
71473
71474 return ret;
71475 }
71476@@ -1644,6 +1667,8 @@ void ptrace_notify(int exit_code)
71477 {
71478 siginfo_t info;
71479
71480+ pax_track_stack();
71481+
71482 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
71483
71484 memset(&info, 0, sizeof info);
71485@@ -2275,7 +2300,15 @@ do_send_specific(pid_t tgid, pid_t pid,
71486 int error = -ESRCH;
71487
71488 rcu_read_lock();
71489- p = find_task_by_vpid(pid);
71490+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
71491+ /* allow glibc communication via tgkill to other threads in our
71492+ thread group */
71493+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
71494+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
71495+ p = find_task_by_vpid_unrestricted(pid);
71496+ else
71497+#endif
71498+ p = find_task_by_vpid(pid);
71499 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
71500 error = check_kill_permission(sig, info, p);
71501 /*
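Review bot: The `else` on the line before `#endif` binds to `p = find_task_by_vpid(pid);`, which sits outside the conditional block, so a later edit between those two lines would silently change control flow when CONFIG_GRKERNSEC_CHROOT_FINDTASK is enabled. Close the statement inside the conditional instead: follow the `else` with its own `p = find_task_by_vpid(pid);`, then `#else`, then the plain `p = find_task_by_vpid(pid);` before `#endif`. The SI_TKILL / `SIGRTMIN+1` / thread-group test also repeats the exemption added in the check_kill_permission() hunk above, so the two copies of this single exception to the chroot restriction can drift apart; a comment in each pointing at the other would help. do_send_specific() continues past the end of this hunk.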
71502diff -urNp linux-2.6.32.48/kernel/smp.c linux-2.6.32.48/kernel/smp.c
71503--- linux-2.6.32.48/kernel/smp.c 2011-11-08 19:02:43.000000000 -0500
71504+++ linux-2.6.32.48/kernel/smp.c 2011-11-15 19:59:43.000000000 -0500
71505@@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
71506 }
71507 EXPORT_SYMBOL(smp_call_function);
71508
71509-void ipi_call_lock(void)
71510+void ipi_call_lock(void) __acquires(call_function.lock)
71511 {
71512 spin_lock(&call_function.lock);
71513 }
71514
71515-void ipi_call_unlock(void)
71516+void ipi_call_unlock(void) __releases(call_function.lock)
71517 {
71518 spin_unlock(&call_function.lock);
71519 }
71520
71521-void ipi_call_lock_irq(void)
71522+void ipi_call_lock_irq(void) __acquires(call_function.lock)
71523 {
71524 spin_lock_irq(&call_function.lock);
71525 }
71526
71527-void ipi_call_unlock_irq(void)
71528+void ipi_call_unlock_irq(void) __releases(call_function.lock)
71529 {
71530 spin_unlock_irq(&call_function.lock);
71531 }
71532diff -urNp linux-2.6.32.48/kernel/softirq.c linux-2.6.32.48/kernel/softirq.c
71533--- linux-2.6.32.48/kernel/softirq.c 2011-11-08 19:02:43.000000000 -0500
71534+++ linux-2.6.32.48/kernel/softirq.c 2011-11-15 19:59:43.000000000 -0500
71535@@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
71536
71537 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
71538
71539-char *softirq_to_name[NR_SOFTIRQS] = {
71540+const char * const softirq_to_name[NR_SOFTIRQS] = {
71541 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
71542 "TASKLET", "SCHED", "HRTIMER", "RCU"
71543 };
71544@@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
71545
71546 asmlinkage void __do_softirq(void)
71547 {
71548- struct softirq_action *h;
71549+ const struct softirq_action *h;
71550 __u32 pending;
71551 int max_restart = MAX_SOFTIRQ_RESTART;
71552 int cpu;
71553@@ -233,7 +233,7 @@ restart:
71554 kstat_incr_softirqs_this_cpu(h - softirq_vec);
71555
71556 trace_softirq_entry(h, softirq_vec);
71557- h->action(h);
71558+ h->action();
71559 trace_softirq_exit(h, softirq_vec);
71560 if (unlikely(prev_count != preempt_count())) {
71561 printk(KERN_ERR "huh, entered softirq %td %s %p"
71562@@ -363,9 +363,11 @@ void raise_softirq(unsigned int nr)
71563 local_irq_restore(flags);
71564 }
71565
71566-void open_softirq(int nr, void (*action)(struct softirq_action *))
71567+void open_softirq(int nr, void (*action)(void))
71568 {
71569- softirq_vec[nr].action = action;
71570+ pax_open_kernel();
71571+ *(void **)&softirq_vec[nr].action = action;
71572+ pax_close_kernel();
71573 }
71574
71575 /*
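Review bot: open_softirq() now stores into `softirq_vec` between pax_open_kernel() and pax_close_kernel(), but `nr` is still used as an index with no range check. An out-of-range `nr` from a buggy caller would become a write made while kernel write protection is deliberately lifted, so add `BUG_ON(nr < 0 || nr >= NR_SOFTIRQS);` before `pax_open_kernel();`. The `*(void **)&softirq_vec[nr].action` cast discards the function-pointer type; presumably it exists only to write through a member made read-only elsewhere in the patch, and a one-line comment saying so would stop it being "cleaned up" later.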
71576@@ -419,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
71577
71578 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
71579
71580-static void tasklet_action(struct softirq_action *a)
71581+static void tasklet_action(void)
71582 {
71583 struct tasklet_struct *list;
71584
71585@@ -454,7 +456,7 @@ static void tasklet_action(struct softir
71586 }
71587 }
71588
71589-static void tasklet_hi_action(struct softirq_action *a)
71590+static void tasklet_hi_action(void)
71591 {
71592 struct tasklet_struct *list;
71593
71594diff -urNp linux-2.6.32.48/kernel/sys.c linux-2.6.32.48/kernel/sys.c
71595--- linux-2.6.32.48/kernel/sys.c 2011-11-08 19:02:43.000000000 -0500
71596+++ linux-2.6.32.48/kernel/sys.c 2011-11-15 19:59:43.000000000 -0500
71597@@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
71598 error = -EACCES;
71599 goto out;
71600 }
71601+
71602+ if (gr_handle_chroot_setpriority(p, niceval)) {
71603+ error = -EACCES;
71604+ goto out;
71605+ }
71606+
71607 no_nice = security_task_setnice(p, niceval);
71608 if (no_nice) {
71609 error = no_nice;
71610@@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
71611 !(user = find_user(who)))
71612 goto out_unlock; /* No processes for this user */
71613
71614- do_each_thread(g, p)
71615+ do_each_thread(g, p) {
71616 if (__task_cred(p)->uid == who)
71617 error = set_one_prio(p, niceval, error);
71618- while_each_thread(g, p);
71619+ } while_each_thread(g, p);
71620 if (who != cred->uid)
71621 free_uid(user); /* For find_user() */
71622 break;
71623@@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
71624 !(user = find_user(who)))
71625 goto out_unlock; /* No processes for this user */
71626
71627- do_each_thread(g, p)
71628+ do_each_thread(g, p) {
71629 if (__task_cred(p)->uid == who) {
71630 niceval = 20 - task_nice(p);
71631 if (niceval > retval)
71632 retval = niceval;
71633 }
71634- while_each_thread(g, p);
71635+ } while_each_thread(g, p);
71636 if (who != cred->uid)
71637 free_uid(user); /* for find_user() */
71638 break;
71639@@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
71640 goto error;
71641 }
71642
71643+ if (gr_check_group_change(new->gid, new->egid, -1))
71644+ goto error;
71645+
71646 if (rgid != (gid_t) -1 ||
71647 (egid != (gid_t) -1 && egid != old->gid))
71648 new->sgid = new->egid;
71649@@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
71650 goto error;
71651
71652 retval = -EPERM;
71653+
71654+ if (gr_check_group_change(gid, gid, gid))
71655+ goto error;
71656+
71657 if (capable(CAP_SETGID))
71658 new->gid = new->egid = new->sgid = new->fsgid = gid;
71659 else if (gid == old->gid || gid == old->sgid)
71660@@ -567,12 +580,19 @@ static int set_user(struct cred *new)
71661 if (!new_user)
71662 return -EAGAIN;
71663
71664+ /*
71665+ * We don't fail in case of NPROC limit excess here because too many
71666+ * poorly written programs don't check set*uid() return code, assuming
71667+ * it never fails if called by root. We may still enforce NPROC limit
71668+ * for programs doing set*uid()+execve() by harmlessly deferring the
71669+ * failure to the execve() stage.
71670+ */
71671 if (atomic_read(&new_user->processes) >=
71672 current->signal->rlim[RLIMIT_NPROC].rlim_cur &&
71673- new_user != INIT_USER) {
71674- free_uid(new_user);
71675- return -EAGAIN;
71676- }
71677+ new_user != INIT_USER)
71678+ current->flags |= PF_NPROC_EXCEEDED;
71679+ else
71680+ current->flags &= ~PF_NPROC_EXCEEDED;
71681
71682 free_uid(new->user);
71683 new->user = new_user;
71684@@ -627,6 +647,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
71685 goto error;
71686 }
71687
71688+ if (gr_check_user_change(new->uid, new->euid, -1))
71689+ goto error;
71690+
71691 if (new->uid != old->uid) {
71692 retval = set_user(new);
71693 if (retval < 0)
71694@@ -675,6 +698,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
71695 goto error;
71696
71697 retval = -EPERM;
71698+
71699+ if (gr_check_crash_uid(uid))
71700+ goto error;
71701+ if (gr_check_user_change(uid, uid, uid))
71702+ goto error;
71703+
71704 if (capable(CAP_SETUID)) {
71705 new->suid = new->uid = uid;
71706 if (uid != old->uid) {
71707@@ -732,6 +761,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
71708 goto error;
71709 }
71710
71711+ if (gr_check_user_change(ruid, euid, -1))
71712+ goto error;
71713+
71714 if (ruid != (uid_t) -1) {
71715 new->uid = ruid;
71716 if (ruid != old->uid) {
71717@@ -800,6 +832,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
71718 goto error;
71719 }
71720
71721+ if (gr_check_group_change(rgid, egid, -1))
71722+ goto error;
71723+
71724 if (rgid != (gid_t) -1)
71725 new->gid = rgid;
71726 if (egid != (gid_t) -1)
71727@@ -849,6 +884,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
71728 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
71729 goto error;
71730
71731+ if (gr_check_user_change(-1, -1, uid))
71732+ goto error;
71733+
71734 if (uid == old->uid || uid == old->euid ||
71735 uid == old->suid || uid == old->fsuid ||
71736 capable(CAP_SETUID)) {
71737@@ -889,6 +927,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
71738 if (gid == old->gid || gid == old->egid ||
71739 gid == old->sgid || gid == old->fsgid ||
71740 capable(CAP_SETGID)) {
71741+ if (gr_check_group_change(-1, -1, gid))
71742+ goto error;
71743+
71744 if (gid != old_fsgid) {
71745 new->fsgid = gid;
71746 goto change_okay;
71747@@ -1454,7 +1495,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
71748 error = get_dumpable(me->mm);
71749 break;
71750 case PR_SET_DUMPABLE:
71751- if (arg2 < 0 || arg2 > 1) {
71752+ if (arg2 > 1) {
71753 error = -EINVAL;
71754 break;
71755 }
71756diff -urNp linux-2.6.32.48/kernel/sysctl.c linux-2.6.32.48/kernel/sysctl.c
71757--- linux-2.6.32.48/kernel/sysctl.c 2011-11-08 19:02:43.000000000 -0500
71758+++ linux-2.6.32.48/kernel/sysctl.c 2011-11-15 19:59:43.000000000 -0500
71759@@ -63,6 +63,13 @@
71760 static int deprecated_sysctl_warning(struct __sysctl_args *args);
71761
71762 #if defined(CONFIG_SYSCTL)
71763+#include <linux/grsecurity.h>
71764+#include <linux/grinternal.h>
71765+
71766+extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
71767+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
71768+ const int op);
71769+extern int gr_handle_chroot_sysctl(const int op);
71770
71771 /* External variables not in a header file. */
71772 extern int C_A_D;
71773@@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
71774 static int proc_taint(struct ctl_table *table, int write,
71775 void __user *buffer, size_t *lenp, loff_t *ppos);
71776 #endif
71777+extern ctl_table grsecurity_table[];
71778
71779 static struct ctl_table root_table[];
71780 static struct ctl_table_root sysctl_table_root;
71781@@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
71782 int sysctl_legacy_va_layout;
71783 #endif
71784
71785+#ifdef CONFIG_PAX_SOFTMODE
71786+static ctl_table pax_table[] = {
71787+ {
71788+ .ctl_name = CTL_UNNUMBERED,
71789+ .procname = "softmode",
71790+ .data = &pax_softmode,
71791+ .maxlen = sizeof(unsigned int),
71792+ .mode = 0600,
71793+ .proc_handler = &proc_dointvec,
71794+ },
71795+
71796+ { .ctl_name = 0 }
71797+};
71798+#endif
71799+
71800 extern int prove_locking;
71801 extern int lock_stat;
71802
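Review bot: The `softmode` entry pairs `.maxlen = sizeof(unsigned int)` with `proc_dointvec`, which parses signed integers and applies no bounds, so any int, including a negative one, can be written into `pax_softmode`. If the flag is meant to be a 0/1 switch (its consumers are not visible here), use `.proc_handler = &proc_dointvec_minmax` with `.extra1` and `.extra2` pointing at 0 and 1 bounds. Since this switch presumably relaxes PaX enforcement at run time, a comment on `pax_table` noting that it is security-sensitive and root-only (0600 under the 0500 `pax` directory added below) would also be worthwhile.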
71803@@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
71804 #endif
71805
71806 static struct ctl_table kern_table[] = {
71807+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
71808+ {
71809+ .ctl_name = CTL_UNNUMBERED,
71810+ .procname = "grsecurity",
71811+ .mode = 0500,
71812+ .child = grsecurity_table,
71813+ },
71814+#endif
71815+
71816+#ifdef CONFIG_PAX_SOFTMODE
71817+ {
71818+ .ctl_name = CTL_UNNUMBERED,
71819+ .procname = "pax",
71820+ .mode = 0500,
71821+ .child = pax_table,
71822+ },
71823+#endif
71824+
71825 {
71826 .ctl_name = CTL_UNNUMBERED,
71827 .procname = "sched_child_runs_first",
71828@@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
71829 .data = &modprobe_path,
71830 .maxlen = KMOD_PATH_LEN,
71831 .mode = 0644,
71832- .proc_handler = &proc_dostring,
71833- .strategy = &sysctl_string,
71834+ .proc_handler = &proc_dostring_modpriv,
71835+ .strategy = &sysctl_string_modpriv,
71836 },
71837 {
71838 .ctl_name = CTL_UNNUMBERED,
71839@@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
71840 .mode = 0644,
71841 .proc_handler = &proc_dointvec
71842 },
71843+ {
71844+ .procname = "heap_stack_gap",
71845+ .data = &sysctl_heap_stack_gap,
71846+ .maxlen = sizeof(sysctl_heap_stack_gap),
71847+ .mode = 0644,
71848+ .proc_handler = proc_doulongvec_minmax,
71849+ },
71850 #else
71851 {
71852 .ctl_name = CTL_UNNUMBERED,
71853@@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
71854 return 0;
71855 }
71856
71857+static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
71858+
71859 static int parse_table(int __user *name, int nlen,
71860 void __user *oldval, size_t __user *oldlenp,
71861 void __user *newval, size_t newlen,
71862@@ -1821,7 +1871,7 @@ repeat:
71863 if (n == table->ctl_name) {
71864 int error;
71865 if (table->child) {
71866- if (sysctl_perm(root, table, MAY_EXEC))
71867+ if (sysctl_perm_nochk(root, table, MAY_EXEC))
71868 return -EPERM;
71869 name++;
71870 nlen--;
71871@@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
71872 int error;
71873 int mode;
71874
71875+ if (table->parent != NULL && table->parent->procname != NULL &&
71876+ table->procname != NULL &&
71877+ gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
71878+ return -EACCES;
71879+ if (gr_handle_chroot_sysctl(op))
71880+ return -EACCES;
71881+ error = gr_handle_sysctl(table, op);
71882+ if (error)
71883+ return error;
71884+
71885+ error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
71886+ if (error)
71887+ return error;
71888+
71889+ if (root->permissions)
71890+ mode = root->permissions(root, current->nsproxy, table);
71891+ else
71892+ mode = table->mode;
71893+
71894+ return test_perm(mode, op);
71895+}
71896+
71897+int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
71898+{
71899+ int error;
71900+ int mode;
71901+
71902 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
71903 if (error)
71904 return error;
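Review bot: sysctl_perm_nochk() is forward-declared `static int` above parse_table() but defined here as plain `int`, and its body is a verbatim copy of the tail that sysctl_perm() keeps after the new gr_* checks. Write the definition as `static int sysctl_perm_nochk(...)` to match the declaration, and let sysctl_perm() end with `return sysctl_perm_nochk(root, table, op);` so the security_sysctl()/test_perm() sequence exists only once. A comment at the parse_table() call site should state that directory traversal intentionally skips gr_handle_sysctl_mod(), gr_handle_chroot_sysctl() and gr_handle_sysctl(), because that is where a reader auditing the policy will look. The function body continues past the end of this hunk.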
71905@@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
71906 buffer, lenp, ppos);
71907 }
71908
71909+int proc_dostring_modpriv(struct ctl_table *table, int write,
71910+ void __user *buffer, size_t *lenp, loff_t *ppos)
71911+{
71912+ if (write && !capable(CAP_SYS_MODULE))
71913+ return -EPERM;
71914+
71915+ return _proc_do_string(table->data, table->maxlen, write,
71916+ buffer, lenp, ppos);
71917+}
71918+
71919
71920 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
71921 int *valp,
71922@@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
71923 vleft = table->maxlen / sizeof(unsigned long);
71924 left = *lenp;
71925
71926- for (; left && vleft--; i++, min++, max++, first=0) {
71927+ for (; left && vleft--; i++, first=0) {
71928 if (write) {
71929 while (left) {
71930 char c;
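Review bot: Dropping `min++, max++` from the loop header changes the bound semantics of __do_proc_doulongvec_minmax(): every element of a vector is now checked against the first `min`/`max` value rather than a per-element bound. That avoids stepping past a bound that points at a single unsigned long, but nothing in the hunk records the new contract. Add a comment above the loop, for example `/* min and max each point at one value that applies to every element */`, and check whether any existing table passes bound arrays and relied on the old behaviour. Separately, the `heap_stack_gap` entry added earlier in this file sets no `.extra1`/`.extra2`, so that 0644 tunable is presumably unbounded. The loop body continues outside this hunk.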
71931@@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
71932 return -ENOSYS;
71933 }
71934
71935+int proc_dostring_modpriv(struct ctl_table *table, int write,
71936+ void __user *buffer, size_t *lenp, loff_t *ppos)
71937+{
71938+ return -ENOSYS;
71939+}
71940+
71941 int proc_dointvec(struct ctl_table *table, int write,
71942 void __user *buffer, size_t *lenp, loff_t *ppos)
71943 {
71944@@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
71945 return 1;
71946 }
71947
71948+int sysctl_string_modpriv(struct ctl_table *table,
71949+ void __user *oldval, size_t __user *oldlenp,
71950+ void __user *newval, size_t newlen)
71951+{
71952+ if (newval && newlen && !capable(CAP_SYS_MODULE))
71953+ return -EPERM;
71954+
71955+ return sysctl_string(table, oldval, oldlenp, newval, newlen);
71956+}
71957+
71958 /*
71959 * This function makes sure that all of the integers in the vector
71960 * are between the minimum and maximum values given in the arrays
71961@@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
71962 return -ENOSYS;
71963 }
71964
71965+int sysctl_string_modpriv(struct ctl_table *table,
71966+ void __user *oldval, size_t __user *oldlenp,
71967+ void __user *newval, size_t newlen)
71968+{
71969+ return -ENOSYS;
71970+}
71971+
71972 int sysctl_intvec(struct ctl_table *table,
71973 void __user *oldval, size_t __user *oldlenp,
71974 void __user *newval, size_t newlen)
71975@@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
71976 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
71977 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
71978 EXPORT_SYMBOL(proc_dostring);
71979+EXPORT_SYMBOL(proc_dostring_modpriv);
71980 EXPORT_SYMBOL(proc_doulongvec_minmax);
71981 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
71982 EXPORT_SYMBOL(register_sysctl_table);
71983@@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
71984 EXPORT_SYMBOL(sysctl_jiffies);
71985 EXPORT_SYMBOL(sysctl_ms_jiffies);
71986 EXPORT_SYMBOL(sysctl_string);
71987+EXPORT_SYMBOL(sysctl_string_modpriv);
71988 EXPORT_SYMBOL(sysctl_data);
71989 EXPORT_SYMBOL(unregister_sysctl_table);
71990diff -urNp linux-2.6.32.48/kernel/sysctl_check.c linux-2.6.32.48/kernel/sysctl_check.c
71991--- linux-2.6.32.48/kernel/sysctl_check.c 2011-11-08 19:02:43.000000000 -0500
71992+++ linux-2.6.32.48/kernel/sysctl_check.c 2011-11-15 19:59:43.000000000 -0500
71993@@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
71994 } else {
71995 if ((table->strategy == sysctl_data) ||
71996 (table->strategy == sysctl_string) ||
71997+ (table->strategy == sysctl_string_modpriv) ||
71998 (table->strategy == sysctl_intvec) ||
71999 (table->strategy == sysctl_jiffies) ||
72000 (table->strategy == sysctl_ms_jiffies) ||
72001 (table->proc_handler == proc_dostring) ||
72002+ (table->proc_handler == proc_dostring_modpriv) ||
72003 (table->proc_handler == proc_dointvec) ||
72004 (table->proc_handler == proc_dointvec_minmax) ||
72005 (table->proc_handler == proc_dointvec_jiffies) ||
72006diff -urNp linux-2.6.32.48/kernel/taskstats.c linux-2.6.32.48/kernel/taskstats.c
72007--- linux-2.6.32.48/kernel/taskstats.c 2011-11-08 19:02:43.000000000 -0500
72008+++ linux-2.6.32.48/kernel/taskstats.c 2011-11-15 19:59:43.000000000 -0500
72009@@ -26,9 +26,12 @@
72010 #include <linux/cgroup.h>
72011 #include <linux/fs.h>
72012 #include <linux/file.h>
72013+#include <linux/grsecurity.h>
72014 #include <net/genetlink.h>
72015 #include <asm/atomic.h>
72016
72017+extern int gr_is_taskstats_denied(int pid);
72018+
72019 /*
72020 * Maximum length of a cpumask that can be specified in
72021 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
72022@@ -442,6 +445,9 @@ static int taskstats_user_cmd(struct sk_
72023 size_t size;
72024 cpumask_var_t mask;
72025
72026+ if (gr_is_taskstats_denied(current->pid))
72027+ return -EACCES;
72028+
72029 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
72030 return -ENOMEM;
72031
72032diff -urNp linux-2.6.32.48/kernel/time/tick-broadcast.c linux-2.6.32.48/kernel/time/tick-broadcast.c
72033--- linux-2.6.32.48/kernel/time/tick-broadcast.c 2011-11-08 19:02:43.000000000 -0500
72034+++ linux-2.6.32.48/kernel/time/tick-broadcast.c 2011-11-15 19:59:43.000000000 -0500
72035@@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
72036 * then clear the broadcast bit.
72037 */
72038 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
72039- int cpu = smp_processor_id();
72040+ cpu = smp_processor_id();
72041
72042 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
72043 tick_broadcast_clear_oneshot(cpu);
72044diff -urNp linux-2.6.32.48/kernel/time/timekeeping.c linux-2.6.32.48/kernel/time/timekeeping.c
72045--- linux-2.6.32.48/kernel/time/timekeeping.c 2011-11-08 19:02:43.000000000 -0500
72046+++ linux-2.6.32.48/kernel/time/timekeeping.c 2011-11-15 19:59:43.000000000 -0500
72047@@ -14,6 +14,7 @@
72048 #include <linux/init.h>
72049 #include <linux/mm.h>
72050 #include <linux/sched.h>
72051+#include <linux/grsecurity.h>
72052 #include <linux/sysdev.h>
72053 #include <linux/clocksource.h>
72054 #include <linux/jiffies.h>
72055@@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
72056 */
72057 struct timespec ts = xtime;
72058 timespec_add_ns(&ts, nsec);
72059- ACCESS_ONCE(xtime_cache) = ts;
72060+ ACCESS_ONCE_RW(xtime_cache) = ts;
72061 }
72062
72063 /* must hold xtime_lock */
72064@@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
72065 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
72066 return -EINVAL;
72067
72068+ gr_log_timechange();
72069+
72070 write_seqlock_irqsave(&xtime_lock, flags);
72071
72072 timekeeping_forward_now();
72073diff -urNp linux-2.6.32.48/kernel/time/timer_list.c linux-2.6.32.48/kernel/time/timer_list.c
72074--- linux-2.6.32.48/kernel/time/timer_list.c 2011-11-08 19:02:43.000000000 -0500
72075+++ linux-2.6.32.48/kernel/time/timer_list.c 2011-11-15 19:59:43.000000000 -0500
72076@@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
72077
72078 static void print_name_offset(struct seq_file *m, void *sym)
72079 {
72080+#ifdef CONFIG_GRKERNSEC_HIDESYM
72081+ SEQ_printf(m, "<%p>", NULL);
72082+#else
72083 char symname[KSYM_NAME_LEN];
72084
72085 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
72086 SEQ_printf(m, "<%p>", sym);
72087 else
72088 SEQ_printf(m, "%s", symname);
72089+#endif
72090 }
72091
72092 static void
72093@@ -112,7 +116,11 @@ next_one:
72094 static void
72095 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
72096 {
72097+#ifdef CONFIG_GRKERNSEC_HIDESYM
72098+ SEQ_printf(m, " .base: %p\n", NULL);
72099+#else
72100 SEQ_printf(m, " .base: %p\n", base);
72101+#endif
72102 SEQ_printf(m, " .index: %d\n",
72103 base->index);
72104 SEQ_printf(m, " .resolution: %Lu nsecs\n",
72105@@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
72106 {
72107 struct proc_dir_entry *pe;
72108
72109+#ifdef CONFIG_GRKERNSEC_PROC_ADD
72110+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
72111+#else
72112 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
72113+#endif
72114 if (!pe)
72115 return -ENOMEM;
72116 return 0;
72117diff -urNp linux-2.6.32.48/kernel/time/timer_stats.c linux-2.6.32.48/kernel/time/timer_stats.c
72118--- linux-2.6.32.48/kernel/time/timer_stats.c 2011-11-08 19:02:43.000000000 -0500
72119+++ linux-2.6.32.48/kernel/time/timer_stats.c 2011-11-15 19:59:43.000000000 -0500
72120@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
72121 static unsigned long nr_entries;
72122 static struct entry entries[MAX_ENTRIES];
72123
72124-static atomic_t overflow_count;
72125+static atomic_unchecked_t overflow_count;
72126
72127 /*
72128 * The entries are in a hash-table, for fast lookup:
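Review bot: `overflow_count` becomes `atomic_unchecked_t` with no comment saying why it is safe to exempt it from overflow checking. A one-line comment above the declaration, such as `/* statistics only, never used as a reference count: wrapping is harmless */`, would let a later reader tell deliberate exemptions from accidental ones. The same applies to `bt->dropped` in kernel/trace/blktrace.c, `dropped_count` in kernel/trace/trace_mmiotrace.c and `inserted` in kernel/trace/trace_workqueue.c further down this patch.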
72129@@ -140,7 +140,7 @@ static void reset_entries(void)
72130 nr_entries = 0;
72131 memset(entries, 0, sizeof(entries));
72132 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
72133- atomic_set(&overflow_count, 0);
72134+ atomic_set_unchecked(&overflow_count, 0);
72135 }
72136
72137 static struct entry *alloc_entry(void)
72138@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
72139 if (likely(entry))
72140 entry->count++;
72141 else
72142- atomic_inc(&overflow_count);
72143+ atomic_inc_unchecked(&overflow_count);
72144
72145 out_unlock:
72146 spin_unlock_irqrestore(lock, flags);
72147@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
72148
72149 static void print_name_offset(struct seq_file *m, unsigned long addr)
72150 {
72151+#ifdef CONFIG_GRKERNSEC_HIDESYM
72152+ seq_printf(m, "<%p>", NULL);
72153+#else
72154 char symname[KSYM_NAME_LEN];
72155
72156 if (lookup_symbol_name(addr, symname) < 0)
72157 seq_printf(m, "<%p>", (void *)addr);
72158 else
72159 seq_printf(m, "%s", symname);
72160+#endif
72161 }
72162
72163 static int tstats_show(struct seq_file *m, void *v)
72164@@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
72165
72166 seq_puts(m, "Timer Stats Version: v0.2\n");
72167 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
72168- if (atomic_read(&overflow_count))
72169+ if (atomic_read_unchecked(&overflow_count))
72170 seq_printf(m, "Overflow: %d entries\n",
72171- atomic_read(&overflow_count));
72172+ atomic_read_unchecked(&overflow_count));
72173
72174 for (i = 0; i < nr_entries; i++) {
72175 entry = entries + i;
72176@@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
72177 {
72178 struct proc_dir_entry *pe;
72179
72180+#ifdef CONFIG_GRKERNSEC_PROC_ADD
72181+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
72182+#else
72183 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
72184+#endif
72185 if (!pe)
72186 return -ENOMEM;
72187 return 0;
72188diff -urNp linux-2.6.32.48/kernel/time.c linux-2.6.32.48/kernel/time.c
72189--- linux-2.6.32.48/kernel/time.c 2011-11-08 19:02:43.000000000 -0500
72190+++ linux-2.6.32.48/kernel/time.c 2011-11-15 19:59:43.000000000 -0500
72191@@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
72192 return error;
72193
72194 if (tz) {
72195+ /* we log in do_settimeofday called below, so don't log twice
72196+ */
72197+ if (!tv)
72198+ gr_log_timechange();
72199+
72200 /* SMP safe, global irq locking makes it work. */
72201 sys_tz = *tz;
72202 update_vsyscall_tz();
72203@@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
72204 * Avoid unnecessary multiplications/divisions in the
72205 * two most common HZ cases:
72206 */
72207-unsigned int inline jiffies_to_msecs(const unsigned long j)
72208+inline unsigned int jiffies_to_msecs(const unsigned long j)
72209 {
72210 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
72211 return (MSEC_PER_SEC / HZ) * j;
72212@@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
72213 }
72214 EXPORT_SYMBOL(jiffies_to_msecs);
72215
72216-unsigned int inline jiffies_to_usecs(const unsigned long j)
72217+inline unsigned int jiffies_to_usecs(const unsigned long j)
72218 {
72219 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
72220 return (USEC_PER_SEC / HZ) * j;
72221diff -urNp linux-2.6.32.48/kernel/timer.c linux-2.6.32.48/kernel/timer.c
72222--- linux-2.6.32.48/kernel/timer.c 2011-11-08 19:02:43.000000000 -0500
72223+++ linux-2.6.32.48/kernel/timer.c 2011-11-15 19:59:43.000000000 -0500
72224@@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
72225 /*
72226 * This function runs timers and the timer-tq in bottom half context.
72227 */
72228-static void run_timer_softirq(struct softirq_action *h)
72229+static void run_timer_softirq(void)
72230 {
72231 struct tvec_base *base = __get_cpu_var(tvec_bases);
72232
72233diff -urNp linux-2.6.32.48/kernel/trace/blktrace.c linux-2.6.32.48/kernel/trace/blktrace.c
72234--- linux-2.6.32.48/kernel/trace/blktrace.c 2011-11-08 19:02:43.000000000 -0500
72235+++ linux-2.6.32.48/kernel/trace/blktrace.c 2011-11-15 19:59:43.000000000 -0500
72236@@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
72237 struct blk_trace *bt = filp->private_data;
72238 char buf[16];
72239
72240- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
72241+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
72242
72243 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
72244 }
72245@@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
72246 return 1;
72247
72248 bt = buf->chan->private_data;
72249- atomic_inc(&bt->dropped);
72250+ atomic_inc_unchecked(&bt->dropped);
72251 return 0;
72252 }
72253
72254@@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
72255
72256 bt->dir = dir;
72257 bt->dev = dev;
72258- atomic_set(&bt->dropped, 0);
72259+ atomic_set_unchecked(&bt->dropped, 0);
72260
72261 ret = -EIO;
72262 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
72263diff -urNp linux-2.6.32.48/kernel/trace/ftrace.c linux-2.6.32.48/kernel/trace/ftrace.c
72264--- linux-2.6.32.48/kernel/trace/ftrace.c 2011-11-08 19:02:43.000000000 -0500
72265+++ linux-2.6.32.48/kernel/trace/ftrace.c 2011-11-15 19:59:43.000000000 -0500
72266@@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
72267
72268 ip = rec->ip;
72269
72270+ ret = ftrace_arch_code_modify_prepare();
72271+ FTRACE_WARN_ON(ret);
72272+ if (ret)
72273+ return 0;
72274+
72275 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
72276+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
72277 if (ret) {
72278 ftrace_bug(ret, ip);
72279 rec->flags |= FTRACE_FL_FAILED;
72280- return 0;
72281 }
72282- return 1;
72283+ return ret ? 0 : 1;
72284 }
72285
72286 /*
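Review bot: The early `return 0` after a failed `ftrace_arch_code_modify_prepare()` skips both `ftrace_bug()` and `rec->flags |= FTRACE_FL_FAILED`, so the two failure paths of this function leave the record in different states. If callers rely on the flag to recognise failed records (not visible here), the prepare path should set it too: `if (ret) { rec->flags |= FTRACE_FL_FAILED; return 0; }`. A non-zero result from `ftrace_arch_code_modify_post_process()` is only warned about and never reaches the return value, which deserves a comment if it is deliberate. The start of ftrace_code_disable is outside the hunk.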
72287diff -urNp linux-2.6.32.48/kernel/trace/ring_buffer.c linux-2.6.32.48/kernel/trace/ring_buffer.c
72288--- linux-2.6.32.48/kernel/trace/ring_buffer.c 2011-11-08 19:02:43.000000000 -0500
72289+++ linux-2.6.32.48/kernel/trace/ring_buffer.c 2011-11-15 19:59:43.000000000 -0500
72290@@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
72291 * the reader page). But if the next page is a header page,
72292 * its flags will be non zero.
72293 */
72294-static int inline
72295+static inline int
72296 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
72297 struct buffer_page *page, struct list_head *list)
72298 {
72299diff -urNp linux-2.6.32.48/kernel/trace/trace.c linux-2.6.32.48/kernel/trace/trace.c
72300--- linux-2.6.32.48/kernel/trace/trace.c 2011-11-08 19:02:43.000000000 -0500
72301+++ linux-2.6.32.48/kernel/trace/trace.c 2011-11-15 19:59:43.000000000 -0500
72302@@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
72303 size_t rem;
72304 unsigned int i;
72305
72306+ pax_track_stack();
72307+
72308 /* copy the tracer to avoid using a global lock all around */
72309 mutex_lock(&trace_types_lock);
72310 if (unlikely(old_tracer != current_trace && current_trace)) {
72311@@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
72312 int entries, size, i;
72313 size_t ret;
72314
72315+ pax_track_stack();
72316+
72317 if (*ppos & (PAGE_SIZE - 1)) {
72318 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
72319 return -EINVAL;
72320@@ -3816,10 +3820,9 @@ static const struct file_operations trac
72321 };
72322 #endif
72323
72324-static struct dentry *d_tracer;
72325-
72326 struct dentry *tracing_init_dentry(void)
72327 {
72328+ static struct dentry *d_tracer;
72329 static int once;
72330
72331 if (d_tracer)
72332@@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
72333 return d_tracer;
72334 }
72335
72336-static struct dentry *d_percpu;
72337-
72338 struct dentry *tracing_dentry_percpu(void)
72339 {
72340+ static struct dentry *d_percpu;
72341 static int once;
72342 struct dentry *d_tracer;
72343
72344diff -urNp linux-2.6.32.48/kernel/trace/trace_events.c linux-2.6.32.48/kernel/trace/trace_events.c
72345--- linux-2.6.32.48/kernel/trace/trace_events.c 2011-11-08 19:02:43.000000000 -0500
72346+++ linux-2.6.32.48/kernel/trace/trace_events.c 2011-11-15 19:59:43.000000000 -0500
72347@@ -951,13 +951,10 @@ static LIST_HEAD(ftrace_module_file_list
72348 * Modules must own their file_operations to keep up with
72349 * reference counting.
72350 */
72351+
72352 struct ftrace_module_file_ops {
72353 struct list_head list;
72354 struct module *mod;
72355- struct file_operations id;
72356- struct file_operations enable;
72357- struct file_operations format;
72358- struct file_operations filter;
72359 };
72360
72361 static void remove_subsystem_dir(const char *name)
72362@@ -1004,17 +1001,12 @@ trace_create_file_ops(struct module *mod
72363
72364 file_ops->mod = mod;
72365
72366- file_ops->id = ftrace_event_id_fops;
72367- file_ops->id.owner = mod;
72368-
72369- file_ops->enable = ftrace_enable_fops;
72370- file_ops->enable.owner = mod;
72371-
72372- file_ops->filter = ftrace_event_filter_fops;
72373- file_ops->filter.owner = mod;
72374-
72375- file_ops->format = ftrace_event_format_fops;
72376- file_ops->format.owner = mod;
72377+ pax_open_kernel();
72378+ *(void **)&mod->trace_id.owner = mod;
72379+ *(void **)&mod->trace_enable.owner = mod;
72380+ *(void **)&mod->trace_filter.owner = mod;
72381+ *(void **)&mod->trace_format.owner = mod;
72382+ pax_close_kernel();
72383
72384 list_add(&file_ops->list, &ftrace_module_file_list);
72385
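Review bot: The four `*(void **)&mod->trace_*.owner = mod;` stores cast through `void **` to write the field, and they sit inside a `pax_open_kernel()`/`pax_close_kernel()` pair, yet nothing in the code says why. A short comment above the block, e.g. `/* per-module fops are read-only; open the kernel briefly to set .owner */`, would record the reason (the read-only placement is inferred from the open/close pair, not shown here). The removed lines also copied the `ftrace_event_*_fops` templates into the per-module copies. This hunk no longer does, so `mod->trace_id` and its siblings must be initialised elsewhere in the patch before `event_create_dir()` receives them. trace_create_file_ops starts and ends outside the hunk.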
72386@@ -1063,8 +1055,8 @@ static void trace_module_add_events(stru
72387 call->mod = mod;
72388 list_add(&call->list, &ftrace_events);
72389 event_create_dir(call, d_events,
72390- &file_ops->id, &file_ops->enable,
72391- &file_ops->filter, &file_ops->format);
72392+ &mod->trace_id, &mod->trace_enable,
72393+ &mod->trace_filter, &mod->trace_format);
72394 }
72395 }
72396
72397diff -urNp linux-2.6.32.48/kernel/trace/trace_mmiotrace.c linux-2.6.32.48/kernel/trace/trace_mmiotrace.c
72398--- linux-2.6.32.48/kernel/trace/trace_mmiotrace.c 2011-11-08 19:02:43.000000000 -0500
72399+++ linux-2.6.32.48/kernel/trace/trace_mmiotrace.c 2011-11-15 19:59:43.000000000 -0500
72400@@ -23,7 +23,7 @@ struct header_iter {
72401 static struct trace_array *mmio_trace_array;
72402 static bool overrun_detected;
72403 static unsigned long prev_overruns;
72404-static atomic_t dropped_count;
72405+static atomic_unchecked_t dropped_count;
72406
72407 static void mmio_reset_data(struct trace_array *tr)
72408 {
72409@@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
72410
72411 static unsigned long count_overruns(struct trace_iterator *iter)
72412 {
72413- unsigned long cnt = atomic_xchg(&dropped_count, 0);
72414+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
72415 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
72416
72417 if (over > prev_overruns)
72418@@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
72419 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
72420 sizeof(*entry), 0, pc);
72421 if (!event) {
72422- atomic_inc(&dropped_count);
72423+ atomic_inc_unchecked(&dropped_count);
72424 return;
72425 }
72426 entry = ring_buffer_event_data(event);
72427@@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
72428 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
72429 sizeof(*entry), 0, pc);
72430 if (!event) {
72431- atomic_inc(&dropped_count);
72432+ atomic_inc_unchecked(&dropped_count);
72433 return;
72434 }
72435 entry = ring_buffer_event_data(event);
72436diff -urNp linux-2.6.32.48/kernel/trace/trace_output.c linux-2.6.32.48/kernel/trace/trace_output.c
72437--- linux-2.6.32.48/kernel/trace/trace_output.c 2011-11-08 19:02:43.000000000 -0500
72438+++ linux-2.6.32.48/kernel/trace/trace_output.c 2011-11-15 19:59:43.000000000 -0500
72439@@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
72440 return 0;
72441 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
72442 if (!IS_ERR(p)) {
72443- p = mangle_path(s->buffer + s->len, p, "\n");
72444+ p = mangle_path(s->buffer + s->len, p, "\n\\");
72445 if (p) {
72446 s->len = p - s->buffer;
72447 return 1;
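Review bot: The escape set passed to `mangle_path()` grows from `"\n"` to `"\n\\"` without a comment, and the reason is not obvious from the call site. Suggested comment above the call: `/* escape '\\' too, so a literal backslash sequence in a path cannot be mistaken for an escaped newline */`. trace_seq_path begins and ends outside the hunk.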
72448diff -urNp linux-2.6.32.48/kernel/trace/trace_stack.c linux-2.6.32.48/kernel/trace/trace_stack.c
72449--- linux-2.6.32.48/kernel/trace/trace_stack.c 2011-11-08 19:02:43.000000000 -0500
72450+++ linux-2.6.32.48/kernel/trace/trace_stack.c 2011-11-15 19:59:43.000000000 -0500
72451@@ -50,7 +50,7 @@ static inline void check_stack(void)
72452 return;
72453
72454 /* we do not handle interrupt stacks yet */
72455- if (!object_is_on_stack(&this_size))
72456+ if (!object_starts_on_stack(&this_size))
72457 return;
72458
72459 local_irq_save(flags);
72460diff -urNp linux-2.6.32.48/kernel/trace/trace_workqueue.c linux-2.6.32.48/kernel/trace/trace_workqueue.c
72461--- linux-2.6.32.48/kernel/trace/trace_workqueue.c 2011-11-08 19:02:43.000000000 -0500
72462+++ linux-2.6.32.48/kernel/trace/trace_workqueue.c 2011-11-15 19:59:43.000000000 -0500
72463@@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
72464 int cpu;
72465 pid_t pid;
72466 /* Can be inserted from interrupt or user context, need to be atomic */
72467- atomic_t inserted;
72468+ atomic_unchecked_t inserted;
72469 /*
72470 * Don't need to be atomic, works are serialized in a single workqueue thread
72471 * on a single CPU.
72472@@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
72473 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
72474 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
72475 if (node->pid == wq_thread->pid) {
72476- atomic_inc(&node->inserted);
72477+ atomic_inc_unchecked(&node->inserted);
72478 goto found;
72479 }
72480 }
72481@@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
72482 tsk = get_pid_task(pid, PIDTYPE_PID);
72483 if (tsk) {
72484 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
72485- atomic_read(&cws->inserted), cws->executed,
72486+ atomic_read_unchecked(&cws->inserted), cws->executed,
72487 tsk->comm);
72488 put_task_struct(tsk);
72489 }
72490diff -urNp linux-2.6.32.48/kernel/user.c linux-2.6.32.48/kernel/user.c
72491--- linux-2.6.32.48/kernel/user.c 2011-11-08 19:02:43.000000000 -0500
72492+++ linux-2.6.32.48/kernel/user.c 2011-11-15 19:59:43.000000000 -0500
72493@@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
72494 spin_lock_irq(&uidhash_lock);
72495 up = uid_hash_find(uid, hashent);
72496 if (up) {
72497+ put_user_ns(ns);
72498 key_put(new->uid_keyring);
72499 key_put(new->session_keyring);
72500 kmem_cache_free(uid_cachep, new);
72501diff -urNp linux-2.6.32.48/lib/bitmap.c linux-2.6.32.48/lib/bitmap.c
72502--- linux-2.6.32.48/lib/bitmap.c 2011-11-08 19:02:43.000000000 -0500
72503+++ linux-2.6.32.48/lib/bitmap.c 2011-11-15 19:59:43.000000000 -0500
72504@@ -341,7 +341,7 @@ int __bitmap_parse(const char *buf, unsi
72505 {
72506 int c, old_c, totaldigits, ndigits, nchunks, nbits;
72507 u32 chunk;
72508- const char __user *ubuf = buf;
72509+ const char __user *ubuf = (const char __force_user *)buf;
72510
72511 bitmap_zero(maskp, nmaskbits);
72512
72513@@ -426,7 +426,7 @@ int bitmap_parse_user(const char __user
72514 {
72515 if (!access_ok(VERIFY_READ, ubuf, ulen))
72516 return -EFAULT;
72517- return __bitmap_parse((const char *)ubuf, ulen, 1, maskp, nmaskbits);
72518+ return __bitmap_parse((const char __force_kernel *)ubuf, ulen, 1, maskp, nmaskbits);
72519 }
72520 EXPORT_SYMBOL(bitmap_parse_user);
72521
72522diff -urNp linux-2.6.32.48/lib/bug.c linux-2.6.32.48/lib/bug.c
72523--- linux-2.6.32.48/lib/bug.c 2011-11-08 19:02:43.000000000 -0500
72524+++ linux-2.6.32.48/lib/bug.c 2011-11-15 19:59:43.000000000 -0500
72525@@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
72526 return BUG_TRAP_TYPE_NONE;
72527
72528 bug = find_bug(bugaddr);
72529+ if (!bug)
72530+ return BUG_TRAP_TYPE_NONE;
72531
72532 printk(KERN_EMERG "------------[ cut here ]------------\n");
72533
72534diff -urNp linux-2.6.32.48/lib/debugobjects.c linux-2.6.32.48/lib/debugobjects.c
72535--- linux-2.6.32.48/lib/debugobjects.c 2011-11-08 19:02:43.000000000 -0500
72536+++ linux-2.6.32.48/lib/debugobjects.c 2011-11-15 19:59:43.000000000 -0500
72537@@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
72538 if (limit > 4)
72539 return;
72540
72541- is_on_stack = object_is_on_stack(addr);
72542+ is_on_stack = object_starts_on_stack(addr);
72543 if (is_on_stack == onstack)
72544 return;
72545
72546diff -urNp linux-2.6.32.48/lib/devres.c linux-2.6.32.48/lib/devres.c
72547--- linux-2.6.32.48/lib/devres.c 2011-11-08 19:02:43.000000000 -0500
72548+++ linux-2.6.32.48/lib/devres.c 2011-11-15 19:59:43.000000000 -0500
72549@@ -80,7 +80,7 @@ void devm_iounmap(struct device *dev, vo
72550 {
72551 iounmap(addr);
72552 WARN_ON(devres_destroy(dev, devm_ioremap_release, devm_ioremap_match,
72553- (void *)addr));
72554+ (void __force *)addr));
72555 }
72556 EXPORT_SYMBOL(devm_iounmap);
72557
72558@@ -140,7 +140,7 @@ void devm_ioport_unmap(struct device *de
72559 {
72560 ioport_unmap(addr);
72561 WARN_ON(devres_destroy(dev, devm_ioport_map_release,
72562- devm_ioport_map_match, (void *)addr));
72563+ devm_ioport_map_match, (void __force *)addr));
72564 }
72565 EXPORT_SYMBOL(devm_ioport_unmap);
72566
72567diff -urNp linux-2.6.32.48/lib/dma-debug.c linux-2.6.32.48/lib/dma-debug.c
72568--- linux-2.6.32.48/lib/dma-debug.c 2011-11-08 19:02:43.000000000 -0500
72569+++ linux-2.6.32.48/lib/dma-debug.c 2011-11-15 19:59:43.000000000 -0500
72570@@ -861,7 +861,7 @@ out:
72571
72572 static void check_for_stack(struct device *dev, void *addr)
72573 {
72574- if (object_is_on_stack(addr))
72575+ if (object_starts_on_stack(addr))
72576 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
72577 "stack [addr=%p]\n", addr);
72578 }
72579diff -urNp linux-2.6.32.48/lib/idr.c linux-2.6.32.48/lib/idr.c
72580--- linux-2.6.32.48/lib/idr.c 2011-11-08 19:02:43.000000000 -0500
72581+++ linux-2.6.32.48/lib/idr.c 2011-11-15 19:59:43.000000000 -0500
72582@@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
72583 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
72584
72585 /* if already at the top layer, we need to grow */
72586- if (id >= 1 << (idp->layers * IDR_BITS)) {
72587+ if (id >= (1 << (idp->layers * IDR_BITS))) {
72588 *starting_id = id;
72589 return IDR_NEED_TO_GROW;
72590 }
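Review bot: The added parentheses only make the precedence explicit; the shift `1 << (idp->layers * IDR_BITS)` is still done on a signed `int`, which is undefined once the shift count reaches the width of `int`. Whether `idp->layers * IDR_BITS` can get that large depends on limits defined outside this hunk, so it needs checking against the maximum layer count. If it can, bound the count before shifting, for example `if (idp->layers * IDR_BITS < 31 && id >= (1 << (idp->layers * IDR_BITS)))`. The context line above has the same pattern with `IDR_BITS * l`, and sub_alloc continues outside the hunk.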
72591diff -urNp linux-2.6.32.48/lib/inflate.c linux-2.6.32.48/lib/inflate.c
72592--- linux-2.6.32.48/lib/inflate.c 2011-11-08 19:02:43.000000000 -0500
72593+++ linux-2.6.32.48/lib/inflate.c 2011-11-15 19:59:43.000000000 -0500
72594@@ -266,7 +266,7 @@ static void free(void *where)
72595 malloc_ptr = free_mem_ptr;
72596 }
72597 #else
72598-#define malloc(a) kmalloc(a, GFP_KERNEL)
72599+#define malloc(a) kmalloc((a), GFP_KERNEL)
72600 #define free(a) kfree(a)
72601 #endif
72602
72603diff -urNp linux-2.6.32.48/lib/Kconfig.debug linux-2.6.32.48/lib/Kconfig.debug
72604--- linux-2.6.32.48/lib/Kconfig.debug 2011-11-08 19:02:43.000000000 -0500
72605+++ linux-2.6.32.48/lib/Kconfig.debug 2011-11-15 19:59:43.000000000 -0500
72606@@ -905,7 +905,7 @@ config LATENCYTOP
72607 select STACKTRACE
72608 select SCHEDSTATS
72609 select SCHED_DEBUG
72610- depends on HAVE_LATENCYTOP_SUPPORT
72611+ depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
72612 help
72613 Enable this option if you want to use the LatencyTOP tool
72614 to find out which userspace is blocking on what kernel operations.
72615diff -urNp linux-2.6.32.48/lib/kobject.c linux-2.6.32.48/lib/kobject.c
72616--- linux-2.6.32.48/lib/kobject.c 2011-11-08 19:02:43.000000000 -0500
72617+++ linux-2.6.32.48/lib/kobject.c 2011-11-15 19:59:43.000000000 -0500
72618@@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
72619 return ret;
72620 }
72621
72622-struct sysfs_ops kobj_sysfs_ops = {
72623+const struct sysfs_ops kobj_sysfs_ops = {
72624 .show = kobj_attr_show,
72625 .store = kobj_attr_store,
72626 };
72627@@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
72628 * If the kset was not able to be created, NULL will be returned.
72629 */
72630 static struct kset *kset_create(const char *name,
72631- struct kset_uevent_ops *uevent_ops,
72632+ const struct kset_uevent_ops *uevent_ops,
72633 struct kobject *parent_kobj)
72634 {
72635 struct kset *kset;
72636@@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
72637 * If the kset was not able to be created, NULL will be returned.
72638 */
72639 struct kset *kset_create_and_add(const char *name,
72640- struct kset_uevent_ops *uevent_ops,
72641+ const struct kset_uevent_ops *uevent_ops,
72642 struct kobject *parent_kobj)
72643 {
72644 struct kset *kset;
72645diff -urNp linux-2.6.32.48/lib/kobject_uevent.c linux-2.6.32.48/lib/kobject_uevent.c
72646--- linux-2.6.32.48/lib/kobject_uevent.c 2011-11-08 19:02:43.000000000 -0500
72647+++ linux-2.6.32.48/lib/kobject_uevent.c 2011-11-15 19:59:43.000000000 -0500
72648@@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
72649 const char *subsystem;
72650 struct kobject *top_kobj;
72651 struct kset *kset;
72652- struct kset_uevent_ops *uevent_ops;
72653+ const struct kset_uevent_ops *uevent_ops;
72654 u64 seq;
72655 int i = 0;
72656 int retval = 0;
72657diff -urNp linux-2.6.32.48/lib/kref.c linux-2.6.32.48/lib/kref.c
72658--- linux-2.6.32.48/lib/kref.c 2011-11-08 19:02:43.000000000 -0500
72659+++ linux-2.6.32.48/lib/kref.c 2011-11-15 19:59:43.000000000 -0500
72660@@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
72661 */
72662 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
72663 {
72664- WARN_ON(release == NULL);
72665+ BUG_ON(release == NULL);
72666 WARN_ON(release == (void (*)(struct kref *))kfree);
72667
72668 if (atomic_dec_and_test(&kref->refcount)) {
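Review bot: `BUG_ON(release == NULL)` now halts where the neighbouring `release == kfree` check still only warns, and no comment explains the difference. Suggested comment above it: `/* release is called through this pointer on the final put; a NULL here must never be reached */`. The check fires on every kref_put with a NULL release, not only on the put that drops the count to zero, which is worth stating in the function's kernel-doc. kref_put continues outside the hunk.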
72669diff -urNp linux-2.6.32.48/lib/parser.c linux-2.6.32.48/lib/parser.c
72670--- linux-2.6.32.48/lib/parser.c 2011-11-08 19:02:43.000000000 -0500
72671+++ linux-2.6.32.48/lib/parser.c 2011-11-15 19:59:43.000000000 -0500
72672@@ -126,7 +126,7 @@ static int match_number(substring_t *s,
72673 char *buf;
72674 int ret;
72675
72676- buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
72677+ buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
72678 if (!buf)
72679 return -ENOMEM;
72680 memcpy(buf, s->from, s->to - s->from);
72681diff -urNp linux-2.6.32.48/lib/radix-tree.c linux-2.6.32.48/lib/radix-tree.c
72682--- linux-2.6.32.48/lib/radix-tree.c 2011-11-08 19:02:43.000000000 -0500
72683+++ linux-2.6.32.48/lib/radix-tree.c 2011-11-15 19:59:43.000000000 -0500
72684@@ -81,7 +81,7 @@ struct radix_tree_preload {
72685 int nr;
72686 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
72687 };
72688-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
72689+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
72690
72691 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
72692 {
72693diff -urNp linux-2.6.32.48/lib/random32.c linux-2.6.32.48/lib/random32.c
72694--- linux-2.6.32.48/lib/random32.c 2011-11-08 19:02:43.000000000 -0500
72695+++ linux-2.6.32.48/lib/random32.c 2011-11-15 19:59:43.000000000 -0500
72696@@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
72697 */
72698 static inline u32 __seed(u32 x, u32 m)
72699 {
72700- return (x < m) ? x + m : x;
72701+ return (x <= m) ? x + m + 1 : x;
72702 }
72703
72704 /**
72705diff -urNp linux-2.6.32.48/lib/vsprintf.c linux-2.6.32.48/lib/vsprintf.c
72706--- linux-2.6.32.48/lib/vsprintf.c 2011-11-08 19:02:43.000000000 -0500
72707+++ linux-2.6.32.48/lib/vsprintf.c 2011-11-15 19:59:43.000000000 -0500
72708@@ -16,6 +16,9 @@
72709 * - scnprintf and vscnprintf
72710 */
72711
72712+#ifdef CONFIG_GRKERNSEC_HIDESYM
72713+#define __INCLUDED_BY_HIDESYM 1
72714+#endif
72715 #include <stdarg.h>
72716 #include <linux/module.h>
72717 #include <linux/types.h>
72718@@ -546,12 +549,12 @@ static char *number(char *buf, char *end
72719 return buf;
72720 }
72721
72722-static char *string(char *buf, char *end, char *s, struct printf_spec spec)
72723+static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
72724 {
72725 int len, i;
72726
72727 if ((unsigned long)s < PAGE_SIZE)
72728- s = "<NULL>";
72729+ s = "(null)";
72730
72731 len = strnlen(s, spec.precision);
72732
72733@@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
72734 unsigned long value = (unsigned long) ptr;
72735 #ifdef CONFIG_KALLSYMS
72736 char sym[KSYM_SYMBOL_LEN];
72737- if (ext != 'f' && ext != 's')
72738+ if (ext != 'f' && ext != 's' && ext != 'a')
72739 sprint_symbol(sym, value);
72740 else
72741 kallsyms_lookup(value, NULL, NULL, NULL, sym);
72742@@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
72743 * - 'f' For simple symbolic function names without offset
72744 * - 'S' For symbolic direct pointers with offset
72745 * - 's' For symbolic direct pointers without offset
72746+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
72747+ * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
72748 * - 'R' For a struct resource pointer, it prints the range of
72749 * addresses (not the name nor the flags)
72750 * - 'M' For a 6-byte MAC address, it prints the address in the
72751@@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
72752 struct printf_spec spec)
72753 {
72754 if (!ptr)
72755- return string(buf, end, "(null)", spec);
72756+ return string(buf, end, "(nil)", spec);
72757
72758 switch (*fmt) {
72759 case 'F':
72760@@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
72761 case 's':
72762 /* Fallthrough */
72763 case 'S':
72764+#ifdef CONFIG_GRKERNSEC_HIDESYM
72765+ break;
72766+#else
72767+ return symbol_string(buf, end, ptr, spec, *fmt);
72768+#endif
72769+ case 'a':
72770+ /* Fallthrough */
72771+ case 'A':
72772 return symbol_string(buf, end, ptr, spec, *fmt);
72773 case 'R':
72774 return resource_string(buf, end, ptr, spec);
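Review bot: Under CONFIG_GRKERNSEC_HIDESYM the `'F'`/`'s'`/`'S'` cases now `break` out of the switch instead of returning, so what gets printed is decided by the code after the switch, which is outside this hunk. If that is the plain numeric pointer path, the symbol name is hidden but the raw address is still emitted. A comment on the `break` should say which output is intended, e.g. `/* HIDESYM: no symbol lookup, fall back to the default pointer format */`. The new `'a'`/`'A'` cases bypass the restriction entirely, so every format string that uses them decides what is disclosed and should be kept to a short, reviewed list.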
72775@@ -1445,7 +1458,7 @@ do { \
72776 size_t len;
72777 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
72778 || (unsigned long)save_str < PAGE_SIZE)
72779- save_str = "<NULL>";
72780+ save_str = "(null)";
72781 len = strlen(save_str);
72782 if (str + len + 1 < end)
72783 memcpy(str, save_str, len + 1);
72784@@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
72785 typeof(type) value; \
72786 if (sizeof(type) == 8) { \
72787 args = PTR_ALIGN(args, sizeof(u32)); \
72788- *(u32 *)&value = *(u32 *)args; \
72789- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
72790+ *(u32 *)&value = *(const u32 *)args; \
72791+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
72792 } else { \
72793 args = PTR_ALIGN(args, sizeof(type)); \
72794- value = *(typeof(type) *)args; \
72795+ value = *(const typeof(type) *)args; \
72796 } \
72797 args += sizeof(type); \
72798 value; \
72799@@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
72800 const char *str_arg = args;
72801 size_t len = strlen(str_arg);
72802 args += len + 1;
72803- str = string(str, end, (char *)str_arg, spec);
72804+ str = string(str, end, str_arg, spec);
72805 break;
72806 }
72807
72808diff -urNp linux-2.6.32.48/localversion-grsec linux-2.6.32.48/localversion-grsec
72809--- linux-2.6.32.48/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
72810+++ linux-2.6.32.48/localversion-grsec 2011-11-15 19:59:43.000000000 -0500
72811@@ -0,0 +1 @@
72812+-grsec
72813diff -urNp linux-2.6.32.48/Makefile linux-2.6.32.48/Makefile
72814--- linux-2.6.32.48/Makefile 2011-11-08 19:02:43.000000000 -0500
72815+++ linux-2.6.32.48/Makefile 2011-11-18 18:07:45.000000000 -0500
72816@@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
72817
72818 HOSTCC = gcc
72819 HOSTCXX = g++
72820-HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
72821-HOSTCXXFLAGS = -O2
72822+HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
72823+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
72824+HOSTCXXFLAGS = -O2 -Wall -W -fno-delete-null-pointer-checks
72825
72826 # Decide whether to build built-in, modular, or both.
72827 # Normally, just do built-in.
72828@@ -376,8 +377,8 @@ export RCS_TAR_IGNORE := --exclude SCCS
72829 # Rules shared between *config targets and build targets
72830
72831 # Basic helpers built in scripts/
72832-PHONY += scripts_basic
72833-scripts_basic:
72834+PHONY += scripts_basic gcc-plugins
72835+scripts_basic: gcc-plugins
72836 $(Q)$(MAKE) $(build)=scripts/basic
72837
72838 # To avoid any implicit rule to kick in, define an empty command.
72839@@ -403,7 +404,7 @@ endif
72840 # of make so .config is not included in this case either (for *config).
72841
72842 no-dot-config-targets := clean mrproper distclean \
72843- cscope TAGS tags help %docs check% \
72844+ cscope gtags TAGS tags help %docs check% \
72845 include/linux/version.h headers_% \
72846 kernelrelease kernelversion
72847
72848@@ -526,6 +527,37 @@ else
72849 KBUILD_CFLAGS += -O2
72850 endif
72851
72852+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(CC)"), y)
72853+CONSTIFY_PLUGIN := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
72854+ifdef CONFIG_PAX_MEMORY_STACKLEAK
72855+STACKLEAK_PLUGIN := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
72856+STACKLEAK_PLUGIN += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
72857+endif
72858+ifdef CONFIG_KALLOCSTAT_PLUGIN
72859+KALLOCSTAT_PLUGIN := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
72860+endif
72861+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
72862+KERNEXEC_PLUGIN := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
72863+endif
72864+ifdef CONFIG_CHECKER_PLUGIN
72865+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
72866+CHECKER_PLUGIN := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
72867+endif
72868+endif
72869+GCC_PLUGINS := $(CONSTIFY_PLUGIN) $(STACKLEAK_PLUGIN) $(KALLOCSTAT_PLUGIN) $(KERNEXEC_PLUGIN) $(CHECKER_PLUGIN)
72870+export CONSTIFY_PLUGIN STACKLEAK_PLUGIN KERNEXEC_PLUGIN CHECKER_PLUGIN
72871+gcc-plugins:
72872+ $(Q)$(MAKE) $(build)=tools/gcc
72873+else
72874+gcc-plugins:
72875+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
72876+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev.))
72877+else
72878+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
72879+endif
72880+ $(Q)echo "PAX_MEMORY_STACKLEAK and constification will be less secure"
72881+endif
72882+
72883 include $(srctree)/arch/$(SRCARCH)/Makefile
72884
72885 ifneq ($(CONFIG_FRAME_WARN),0)
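Review bot: The fallback `gcc-plugins` rule fails open: with a compiler older than gcc 4.5 it only echoes a warning, so a kernel configured with `CONFIG_PAX_MEMORY_STACKLEAK` is built without the stackleak plugin and nothing in the build output beyond that echo records it. Consider making the missing plugin a hard error when a plugin-backed option is selected, for example an `$(error ...)` under `ifdef CONFIG_PAX_MEMORY_STACKLEAK` in that branch, and keeping the warning only for the unconditional constify case. The existing `$(error ...)` line also ends with an unbalanced `))`. `KALLOCSTAT_PLUGIN` is part of `GCC_PLUGINS` but absent from the `export` list; if that is deliberate it deserves a comment.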
72886@@ -644,7 +676,7 @@ export mod_strip_cmd
72887
72888
72889 ifeq ($(KBUILD_EXTMOD),)
72890-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
72891+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
72892
72893 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
72894 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
72895@@ -865,6 +897,7 @@ vmlinux.o: $(modpost-init) $(vmlinux-mai
72896
72897 # The actual objects are generated when descending,
72898 # make sure no implicit rule kicks in
72899+$(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): KBUILD_CFLAGS += $(GCC_PLUGINS)
72900 $(sort $(vmlinux-init) $(vmlinux-main)) $(vmlinux-lds): $(vmlinux-dirs) ;
72901
72902 # Handle descending into subdirectories listed in $(vmlinux-dirs)
72903@@ -874,7 +907,7 @@ $(sort $(vmlinux-init) $(vmlinux-main))
72904 # Error messages still appears in the original language
72905
72906 PHONY += $(vmlinux-dirs)
72907-$(vmlinux-dirs): prepare scripts
72908+$(vmlinux-dirs): gcc-plugins prepare scripts
72909 $(Q)$(MAKE) $(build)=$@
72910
72911 # Build the kernel release string
72912@@ -983,6 +1016,7 @@ prepare0: archprepare FORCE
72913 $(Q)$(MAKE) $(build)=. missing-syscalls
72914
72915 # All the preparing..
72916+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS),$(KBUILD_CFLAGS))
72917 prepare: prepare0
72918
72919 # The asm symlink changes when $(ARCH) changes.
72920@@ -1124,6 +1158,7 @@ all: modules
72921 # using awk while concatenating to the final file.
72922
72923 PHONY += modules
72924+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
72925 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux)
72926 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
72927 @$(kecho) ' Building modules, stage 2.';
72928@@ -1133,7 +1168,7 @@ modules: $(vmlinux-dirs) $(if $(KBUILD_B
72929
72930 # Target to prepare building external modules
72931 PHONY += modules_prepare
72932-modules_prepare: prepare scripts
72933+modules_prepare: gcc-plugins prepare scripts
72934
72935 # Target to install modules
72936 PHONY += modules_install
72937@@ -1198,7 +1233,7 @@ MRPROPER_FILES += .config .config.old in
72938 include/linux/autoconf.h include/linux/version.h \
72939 include/linux/utsrelease.h \
72940 include/linux/bounds.h include/asm*/asm-offsets.h \
72941- Module.symvers Module.markers tags TAGS cscope*
72942+ Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
72943
72944 # clean - Delete most, but leave enough to build external modules
72945 #
72946@@ -1242,7 +1277,7 @@ distclean: mrproper
72947 @find $(srctree) $(RCS_FIND_IGNORE) \
72948 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
72949 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
72950- -o -name '.*.rej' -o -size 0 \
72951+ -o -name '.*.rej' -o -name '*.so' -o -size 0 \
72952 -o -name '*%' -o -name '.*.cmd' -o -name 'core' \) \
72953 -type f -print | xargs rm -f
72954
72955@@ -1289,6 +1324,7 @@ help:
72956 @echo ' modules_prepare - Set up for building external modules'
72957 @echo ' tags/TAGS - Generate tags file for editors'
72958 @echo ' cscope - Generate cscope index'
72959+ @echo ' gtags - Generate GNU GLOBAL index'
72960 @echo ' kernelrelease - Output the release version string'
72961 @echo ' kernelversion - Output the version stored in Makefile'
72962 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
72963@@ -1390,6 +1426,7 @@ PHONY += $(module-dirs) modules
72964 $(module-dirs): crmodverdir $(objtree)/Module.symvers
72965 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
72966
72967+modules: KBUILD_CFLAGS += $(GCC_PLUGINS)
72968 modules: $(module-dirs)
72969 @$(kecho) ' Building modules, stage 2.';
72970 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
72971@@ -1445,7 +1482,7 @@ endif # KBUILD_EXTMOD
72972 quiet_cmd_tags = GEN $@
72973 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
72974
72975-tags TAGS cscope: FORCE
72976+tags TAGS cscope gtags: FORCE
72977 $(call cmd,tags)
72978
72979 # Scripts to check various things for consistency
72980@@ -1510,17 +1547,19 @@ else
72981 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
72982 endif
72983
72984-%.s: %.c prepare scripts FORCE
72985+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS)
72986+%.s: %.c gcc-plugins prepare scripts FORCE
72987 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72988 %.i: %.c prepare scripts FORCE
72989 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72990-%.o: %.c prepare scripts FORCE
72991+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS)
72992+%.o: %.c gcc-plugins prepare scripts FORCE
72993 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72994 %.lst: %.c prepare scripts FORCE
72995 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72996-%.s: %.S prepare scripts FORCE
72997+%.s: %.S gcc-plugins prepare scripts FORCE
72998 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
72999-%.o: %.S prepare scripts FORCE
73000+%.o: %.S gcc-plugins prepare scripts FORCE
73001 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
73002 %.symtypes: %.c prepare scripts FORCE
73003 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
73004@@ -1530,11 +1569,13 @@ endif
73005 $(cmd_crmodverdir)
73006 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
73007 $(build)=$(build-dir)
73008-%/: prepare scripts FORCE
73009+%/: KBUILD_CFLAGS += $(GCC_PLUGINS)
73010+%/: gcc-plugins prepare scripts FORCE
73011 $(cmd_crmodverdir)
73012 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
73013 $(build)=$(build-dir)
73014-%.ko: prepare scripts FORCE
73015+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS)
73016+%.ko: gcc-plugins prepare scripts FORCE
73017 $(cmd_crmodverdir)
73018 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
73019 $(build)=$(build-dir) $(@:.ko=.o)
73020diff -urNp linux-2.6.32.48/mm/backing-dev.c linux-2.6.32.48/mm/backing-dev.c
73021--- linux-2.6.32.48/mm/backing-dev.c 2011-11-08 19:02:43.000000000 -0500
73022+++ linux-2.6.32.48/mm/backing-dev.c 2011-11-15 19:59:43.000000000 -0500
73023@@ -272,7 +272,7 @@ static void bdi_task_init(struct backing
73024 list_add_tail_rcu(&wb->list, &bdi->wb_list);
73025 spin_unlock(&bdi->wb_lock);
73026
73027- tsk->flags |= PF_FLUSHER | PF_SWAPWRITE;
73028+ tsk->flags |= PF_SWAPWRITE;
73029 set_freezable();
73030
73031 /*
73032@@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
73033 * Add the default flusher task that gets created for any bdi
73034 * that has dirty data pending writeout
73035 */
73036-void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
73037+static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
73038 {
73039 if (!bdi_cap_writeback_dirty(bdi))
73040 return;
73041diff -urNp linux-2.6.32.48/mm/filemap.c linux-2.6.32.48/mm/filemap.c
73042--- linux-2.6.32.48/mm/filemap.c 2011-11-08 19:02:43.000000000 -0500
73043+++ linux-2.6.32.48/mm/filemap.c 2011-11-15 19:59:43.000000000 -0500
73044@@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
73045 struct address_space *mapping = file->f_mapping;
73046
73047 if (!mapping->a_ops->readpage)
73048- return -ENOEXEC;
73049+ return -ENODEV;
73050 file_accessed(file);
73051 vma->vm_ops = &generic_file_vm_ops;
73052 vma->vm_flags |= VM_CAN_NONLINEAR;
73053@@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
73054 *pos = i_size_read(inode);
73055
73056 if (limit != RLIM_INFINITY) {
73057+ gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
73058 if (*pos >= limit) {
73059 send_sig(SIGXFSZ, current, 0);
73060 return -EFBIG;
73061diff -urNp linux-2.6.32.48/mm/fremap.c linux-2.6.32.48/mm/fremap.c
73062--- linux-2.6.32.48/mm/fremap.c 2011-11-08 19:02:43.000000000 -0500
73063+++ linux-2.6.32.48/mm/fremap.c 2011-11-15 19:59:43.000000000 -0500
73064@@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
73065 retry:
73066 vma = find_vma(mm, start);
73067
73068+#ifdef CONFIG_PAX_SEGMEXEC
73069+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
73070+ goto out;
73071+#endif
73072+
73073 /*
73074 * Make sure the vma is shared, that it supports prefaulting,
73075 * and that the remapped range is valid and fully within
73076@@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
73077 /*
73078 * drop PG_Mlocked flag for over-mapped range
73079 */
73080- unsigned int saved_flags = vma->vm_flags;
73081+ unsigned long saved_flags = vma->vm_flags;
73082 munlock_vma_pages_range(vma, start, start + size);
73083 vma->vm_flags = saved_flags;
73084 }
73085diff -urNp linux-2.6.32.48/mm/highmem.c linux-2.6.32.48/mm/highmem.c
73086--- linux-2.6.32.48/mm/highmem.c 2011-11-08 19:02:43.000000000 -0500
73087+++ linux-2.6.32.48/mm/highmem.c 2011-11-15 19:59:43.000000000 -0500
73088@@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
73089 * So no dangers, even with speculative execution.
73090 */
73091 page = pte_page(pkmap_page_table[i]);
73092+ pax_open_kernel();
73093 pte_clear(&init_mm, (unsigned long)page_address(page),
73094 &pkmap_page_table[i]);
73095-
73096+ pax_close_kernel();
73097 set_page_address(page, NULL);
73098 need_flush = 1;
73099 }
73100@@ -177,9 +178,11 @@ start:
73101 }
73102 }
73103 vaddr = PKMAP_ADDR(last_pkmap_nr);
73104+
73105+ pax_open_kernel();
73106 set_pte_at(&init_mm, vaddr,
73107 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
73108-
73109+ pax_close_kernel();
73110 pkmap_count[last_pkmap_nr] = 1;
73111 set_page_address(page, (void *)vaddr);
73112
73113diff -urNp linux-2.6.32.48/mm/hugetlb.c linux-2.6.32.48/mm/hugetlb.c
73114--- linux-2.6.32.48/mm/hugetlb.c 2011-11-08 19:02:43.000000000 -0500
73115+++ linux-2.6.32.48/mm/hugetlb.c 2011-11-15 19:59:43.000000000 -0500
73116@@ -1933,6 +1933,26 @@ static int unmap_ref_private(struct mm_s
73117 return 1;
73118 }
73119
73120+#ifdef CONFIG_PAX_SEGMEXEC
73121+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
73122+{
73123+ struct mm_struct *mm = vma->vm_mm;
73124+ struct vm_area_struct *vma_m;
73125+ unsigned long address_m;
73126+ pte_t *ptep_m;
73127+
73128+ vma_m = pax_find_mirror_vma(vma);
73129+ if (!vma_m)
73130+ return;
73131+
73132+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73133+ address_m = address + SEGMEXEC_TASK_SIZE;
73134+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
73135+ get_page(page_m);
73136+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
73137+}
73138+#endif
73139+
73140 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
73141 unsigned long address, pte_t *ptep, pte_t pte,
73142 struct page *pagecache_page)
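Review bot: `pax_mirror_huge_pte()` passes the result of `huge_pte_offset()` straight to `set_huge_pte_at()` without checking it for NULL. The hugetlb_fault hunk further down calls `huge_pte_alloc()` on the mirror address first, which presumably guarantees the entry exists on that path, but the helper neither states nor enforces that precondition. Add `BUG_ON(!ptep_m);` after the lookup, in line with the existing `BUG_ON(address >= SEGMEXEC_TASK_SIZE)`, and a one-line comment that callers must already have allocated the mirror huge PTE.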
73143@@ -2004,6 +2024,11 @@ retry_avoidcopy:
73144 huge_ptep_clear_flush(vma, address, ptep);
73145 set_huge_pte_at(mm, address, ptep,
73146 make_huge_pte(vma, new_page, 1));
73147+
73148+#ifdef CONFIG_PAX_SEGMEXEC
73149+ pax_mirror_huge_pte(vma, address, new_page);
73150+#endif
73151+
73152 /* Make the old page be freed below */
73153 new_page = old_page;
73154 }
73155@@ -2135,6 +2160,10 @@ retry:
73156 && (vma->vm_flags & VM_SHARED)));
73157 set_huge_pte_at(mm, address, ptep, new_pte);
73158
73159+#ifdef CONFIG_PAX_SEGMEXEC
73160+ pax_mirror_huge_pte(vma, address, page);
73161+#endif
73162+
73163 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
73164 /* Optimization, do the COW without a second fault */
73165 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
73166@@ -2163,6 +2192,28 @@ int hugetlb_fault(struct mm_struct *mm,
73167 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
73168 struct hstate *h = hstate_vma(vma);
73169
73170+#ifdef CONFIG_PAX_SEGMEXEC
73171+ struct vm_area_struct *vma_m;
73172+
73173+ vma_m = pax_find_mirror_vma(vma);
73174+ if (vma_m) {
73175+ unsigned long address_m;
73176+
73177+ if (vma->vm_start > vma_m->vm_start) {
73178+ address_m = address;
73179+ address -= SEGMEXEC_TASK_SIZE;
73180+ vma = vma_m;
73181+ h = hstate_vma(vma);
73182+ } else
73183+ address_m = address + SEGMEXEC_TASK_SIZE;
73184+
73185+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
73186+ return VM_FAULT_OOM;
73187+ address_m &= HPAGE_MASK;
73188+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
73189+ }
73190+#endif
73191+
73192 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
73193 if (!ptep)
73194 return VM_FAULT_OOM;
73195diff -urNp linux-2.6.32.48/mm/internal.h linux-2.6.32.48/mm/internal.h
73196--- linux-2.6.32.48/mm/internal.h 2011-11-08 19:02:43.000000000 -0500
73197+++ linux-2.6.32.48/mm/internal.h 2011-11-15 19:59:43.000000000 -0500
73198@@ -49,6 +49,7 @@ extern void putback_lru_page(struct page
73199 * in mm/page_alloc.c
73200 */
73201 extern void __free_pages_bootmem(struct page *page, unsigned int order);
73202+extern void free_compound_page(struct page *page);
73203 extern void prep_compound_page(struct page *page, unsigned long order);
73204
73205
73206diff -urNp linux-2.6.32.48/mm/Kconfig linux-2.6.32.48/mm/Kconfig
73207--- linux-2.6.32.48/mm/Kconfig 2011-11-08 19:02:43.000000000 -0500
73208+++ linux-2.6.32.48/mm/Kconfig 2011-11-15 19:59:43.000000000 -0500
73209@@ -228,7 +228,7 @@ config KSM
73210 config DEFAULT_MMAP_MIN_ADDR
73211 int "Low address space to protect from user allocation"
73212 depends on MMU
73213- default 4096
73214+ default 65536
73215 help
73216 This is the portion of low virtual memory which should be protected
73217 from userspace allocation. Keeping a user from writing to low pages
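Review bot: The new default of 65536 applies to every architecture that has `MMU`, not only to those with a large user address space. Raising it is the right direction for limiting the impact of NULL-pointer dereference bugs, but the option's help text continues past this hunk and should be checked: if it still advises a lower ceiling for some architectures, the default now contradicts it. A per-architecture default placed ahead of it, for example `default 32768 if ARM`, would keep the hardening without breaking platforms that need low mappings; treat the architecture and value as an assumption to confirm against that help text.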
73218diff -urNp linux-2.6.32.48/mm/kmemleak.c linux-2.6.32.48/mm/kmemleak.c
73219--- linux-2.6.32.48/mm/kmemleak.c 2011-11-08 19:02:43.000000000 -0500
73220+++ linux-2.6.32.48/mm/kmemleak.c 2011-11-15 19:59:43.000000000 -0500
73221@@ -358,7 +358,7 @@ static void print_unreferenced(struct se
73222
73223 for (i = 0; i < object->trace_len; i++) {
73224 void *ptr = (void *)object->trace[i];
73225- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
73226+ seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
73227 }
73228 }
73229
73230diff -urNp linux-2.6.32.48/mm/maccess.c linux-2.6.32.48/mm/maccess.c
73231--- linux-2.6.32.48/mm/maccess.c 2011-11-08 19:02:43.000000000 -0500
73232+++ linux-2.6.32.48/mm/maccess.c 2011-11-15 19:59:43.000000000 -0500
73233@@ -14,7 +14,7 @@
73234 * Safely read from address @src to the buffer at @dst. If a kernel fault
73235 * happens, handle that and return -EFAULT.
73236 */
73237-long probe_kernel_read(void *dst, void *src, size_t size)
73238+long probe_kernel_read(void *dst, const void *src, size_t size)
73239 {
73240 long ret;
73241 mm_segment_t old_fs = get_fs();
73242@@ -22,7 +22,7 @@ long probe_kernel_read(void *dst, void *
73243 set_fs(KERNEL_DS);
73244 pagefault_disable();
73245 ret = __copy_from_user_inatomic(dst,
73246- (__force const void __user *)src, size);
73247+ (const void __force_user *)src, size);
73248 pagefault_enable();
73249 set_fs(old_fs);
73250
73251@@ -39,14 +39,14 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
73252 * Safely write to address @dst from the buffer at @src. If a kernel fault
73253 * happens, handle that and return -EFAULT.
73254 */
73255-long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
73256+long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
73257 {
73258 long ret;
73259 mm_segment_t old_fs = get_fs();
73260
73261 set_fs(KERNEL_DS);
73262 pagefault_disable();
73263- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
73264+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
73265 pagefault_enable();
73266 set_fs(old_fs);
73267
73268diff -urNp linux-2.6.32.48/mm/madvise.c linux-2.6.32.48/mm/madvise.c
73269--- linux-2.6.32.48/mm/madvise.c 2011-11-08 19:02:43.000000000 -0500
73270+++ linux-2.6.32.48/mm/madvise.c 2011-11-15 19:59:43.000000000 -0500
73271@@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
73272 pgoff_t pgoff;
73273 unsigned long new_flags = vma->vm_flags;
73274
73275+#ifdef CONFIG_PAX_SEGMEXEC
73276+ struct vm_area_struct *vma_m;
73277+#endif
73278+
73279 switch (behavior) {
73280 case MADV_NORMAL:
73281 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
73282@@ -103,6 +107,13 @@ success:
73283 /*
73284 * vm_flags is protected by the mmap_sem held in write mode.
73285 */
73286+
73287+#ifdef CONFIG_PAX_SEGMEXEC
73288+ vma_m = pax_find_mirror_vma(vma);
73289+ if (vma_m)
73290+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
73291+#endif
73292+
73293 vma->vm_flags = new_flags;
73294
73295 out:
73296@@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
73297 struct vm_area_struct ** prev,
73298 unsigned long start, unsigned long end)
73299 {
73300+
73301+#ifdef CONFIG_PAX_SEGMEXEC
73302+ struct vm_area_struct *vma_m;
73303+#endif
73304+
73305 *prev = vma;
73306 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
73307 return -EINVAL;
73308@@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
73309 zap_page_range(vma, start, end - start, &details);
73310 } else
73311 zap_page_range(vma, start, end - start, NULL);
73312+
73313+#ifdef CONFIG_PAX_SEGMEXEC
73314+ vma_m = pax_find_mirror_vma(vma);
73315+ if (vma_m) {
73316+ if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
73317+ struct zap_details details = {
73318+ .nonlinear_vma = vma_m,
73319+ .last_index = ULONG_MAX,
73320+ };
73321+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
73322+ } else
73323+ zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
73324+ }
73325+#endif
73326+
73327 return 0;
73328 }
73329
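Review bot: The mirror range is zapped through `vma`, not `vma_m`: both added calls are `zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, ...)`, and the nonlinear test reads `vma->vm_flags` while `details.nonlinear_vma` is set to `vma_m`. If starting the walk at the lower vma is intentional it needs a comment, because a reader will expect `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. The added `if`/`else` also braces only one arm. madvise_dontneed begins before this hunk.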
73330@@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
73331 if (end < start)
73332 goto out;
73333
73334+#ifdef CONFIG_PAX_SEGMEXEC
73335+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
73336+ if (end > SEGMEXEC_TASK_SIZE)
73337+ goto out;
73338+ } else
73339+#endif
73340+
73341+ if (end > TASK_SIZE)
73342+ goto out;
73343+
73344 error = 0;
73345 if (end == start)
73346 goto out;
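Review bot: The added SEGMEXEC limit check leaves a dangling `else` that crosses the `#endif` and a blank line before it reaches `if (end > TASK_SIZE)`. It parses correctly in both configurations, but any statement later inserted between `#endif` and that `if` silently becomes the else-body and drops the TASK_SIZE check for tasks without SEGMEXEC. Computing the limit first and testing it once is sturdier, as sketched below. The do_swap_page hunk in mm/memory.c has the same shape: an `if (...)` inside `#ifdef` whose body, `unlock_page(page);`, sits outside it. The syscall body starts and ends outside this hunk.

```c
	/* … with the other locals at the top of the function … */
	unsigned long limit = TASK_SIZE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif

	if (end > limit)
		goto out;
```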
73347diff -urNp linux-2.6.32.48/mm/memory.c linux-2.6.32.48/mm/memory.c
73348--- linux-2.6.32.48/mm/memory.c 2011-11-08 19:02:43.000000000 -0500
73349+++ linux-2.6.32.48/mm/memory.c 2011-11-15 19:59:43.000000000 -0500
73350@@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
73351 return;
73352
73353 pmd = pmd_offset(pud, start);
73354+
73355+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
73356 pud_clear(pud);
73357 pmd_free_tlb(tlb, pmd, start);
73358+#endif
73359+
73360 }
73361
73362 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
73363@@ -219,9 +223,12 @@ static inline void free_pud_range(struct
73364 if (end - 1 > ceiling - 1)
73365 return;
73366
73367+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
73368 pud = pud_offset(pgd, start);
73369 pgd_clear(pgd);
73370 pud_free_tlb(tlb, pud, start);
73371+#endif
73372+
73373 }
73374
73375 /*
73376@@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
73377 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
73378 i = 0;
73379
73380- do {
73381+ while (nr_pages) {
73382 struct vm_area_struct *vma;
73383
73384- vma = find_extend_vma(mm, start);
73385+ vma = find_vma(mm, start);
73386 if (!vma && in_gate_area(tsk, start)) {
73387 unsigned long pg = start & PAGE_MASK;
73388 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
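Review bot: Replacing `find_extend_vma()` with `find_vma()` changes when the gate-area branch on the next line is taken, because `find_vma()` can return a vma that starts above `start`, so `!vma` now holds only when no mapping exists at or above the address. On architectures where the gate area is not the highest user address this may skip the gate lookup and fall through to the `start < vma->vm_start` rejection added in the following hunk; if that is a concern, the test could read `if ((!vma || start < vma->vm_start) && in_gate_area(tsk, start)) {`. The change also means this function no longer grows a stack vma on behalf of its callers, which is worth a comment above the loop. The loop body extends beyond this hunk.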
73389@@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
73390 continue;
73391 }
73392
73393- if (!vma ||
73394+ if (!vma || start < vma->vm_start ||
73395 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
73396 !(vm_flags & vma->vm_flags))
73397 return i ? : -EFAULT;
73398@@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
73399 start += PAGE_SIZE;
73400 nr_pages--;
73401 } while (nr_pages && start < vma->vm_end);
73402- } while (nr_pages);
73403+ }
73404 return i;
73405 }
73406
73407@@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
73408 page_add_file_rmap(page);
73409 set_pte_at(mm, addr, pte, mk_pte(page, prot));
73410
73411+#ifdef CONFIG_PAX_SEGMEXEC
73412+ pax_mirror_file_pte(vma, addr, page, ptl);
73413+#endif
73414+
73415 retval = 0;
73416 pte_unmap_unlock(pte, ptl);
73417 return retval;
73418@@ -1560,10 +1571,22 @@ out:
73419 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
73420 struct page *page)
73421 {
73422+
73423+#ifdef CONFIG_PAX_SEGMEXEC
73424+ struct vm_area_struct *vma_m;
73425+#endif
73426+
73427 if (addr < vma->vm_start || addr >= vma->vm_end)
73428 return -EFAULT;
73429 if (!page_count(page))
73430 return -EINVAL;
73431+
73432+#ifdef CONFIG_PAX_SEGMEXEC
73433+ vma_m = pax_find_mirror_vma(vma);
73434+ if (vma_m)
73435+ vma_m->vm_flags |= VM_INSERTPAGE;
73436+#endif
73437+
73438 vma->vm_flags |= VM_INSERTPAGE;
73439 return insert_page(vma, addr, page, vma->vm_page_prot);
73440 }
73441@@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
73442 unsigned long pfn)
73443 {
73444 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
73445+ BUG_ON(vma->vm_mirror);
73446
73447 if (addr < vma->vm_start || addr >= vma->vm_end)
73448 return -EFAULT;
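Review bot: `BUG_ON(vma->vm_mirror);` is the only mirror access in these mm/memory.c hunks that is neither wrapped in `#ifdef CONFIG_PAX_SEGMEXEC` nor routed through `pax_find_mirror_vma()`. It builds only if `vm_mirror` is declared unconditionally in `struct vm_area_struct`, which is not visible here. Either guard it like the other call sites or add a comment stating why a mirrored vma must never reach `vm_insert_mixed()`.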
73449@@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
73450 copy_user_highpage(dst, src, va, vma);
73451 }
73452
73453+#ifdef CONFIG_PAX_SEGMEXEC
73454+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
73455+{
73456+ struct mm_struct *mm = vma->vm_mm;
73457+ spinlock_t *ptl;
73458+ pte_t *pte, entry;
73459+
73460+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
73461+ entry = *pte;
73462+ if (!pte_present(entry)) {
73463+ if (!pte_none(entry)) {
73464+ BUG_ON(pte_file(entry));
73465+ free_swap_and_cache(pte_to_swp_entry(entry));
73466+ pte_clear_not_present_full(mm, address, pte, 0);
73467+ }
73468+ } else {
73469+ struct page *page;
73470+
73471+ flush_cache_page(vma, address, pte_pfn(entry));
73472+ entry = ptep_clear_flush(vma, address, pte);
73473+ BUG_ON(pte_dirty(entry));
73474+ page = vm_normal_page(vma, address, entry);
73475+ if (page) {
73476+ update_hiwater_rss(mm);
73477+ if (PageAnon(page))
73478+ dec_mm_counter(mm, anon_rss);
73479+ else
73480+ dec_mm_counter(mm, file_rss);
73481+ page_remove_rmap(page);
73482+ page_cache_release(page);
73483+ }
73484+ }
73485+ pte_unmap_unlock(pte, ptl);
73486+}
73487+
73488+/* PaX: if vma is mirrored, synchronize the mirror's PTE
73489+ *
73490+ * the ptl of the lower mapped page is held on entry and is not released on exit
73491+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
73492+ */
73493+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
73494+{
73495+ struct mm_struct *mm = vma->vm_mm;
73496+ unsigned long address_m;
73497+ spinlock_t *ptl_m;
73498+ struct vm_area_struct *vma_m;
73499+ pmd_t *pmd_m;
73500+ pte_t *pte_m, entry_m;
73501+
73502+ BUG_ON(!page_m || !PageAnon(page_m));
73503+
73504+ vma_m = pax_find_mirror_vma(vma);
73505+ if (!vma_m)
73506+ return;
73507+
73508+ BUG_ON(!PageLocked(page_m));
73509+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73510+ address_m = address + SEGMEXEC_TASK_SIZE;
73511+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73512+ pte_m = pte_offset_map_nested(pmd_m, address_m);
73513+ ptl_m = pte_lockptr(mm, pmd_m);
73514+ if (ptl != ptl_m) {
73515+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73516+ if (!pte_none(*pte_m))
73517+ goto out;
73518+ }
73519+
73520+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
73521+ page_cache_get(page_m);
73522+ page_add_anon_rmap(page_m, vma_m, address_m);
73523+ inc_mm_counter(mm, anon_rss);
73524+ set_pte_at(mm, address_m, pte_m, entry_m);
73525+ update_mmu_cache(vma_m, address_m, entry_m);
73526+out:
73527+ if (ptl != ptl_m)
73528+ spin_unlock(ptl_m);
73529+ pte_unmap_nested(pte_m);
73530+ unlock_page(page_m);
73531+}
73532+
73533+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
73534+{
73535+ struct mm_struct *mm = vma->vm_mm;
73536+ unsigned long address_m;
73537+ spinlock_t *ptl_m;
73538+ struct vm_area_struct *vma_m;
73539+ pmd_t *pmd_m;
73540+ pte_t *pte_m, entry_m;
73541+
73542+ BUG_ON(!page_m || PageAnon(page_m));
73543+
73544+ vma_m = pax_find_mirror_vma(vma);
73545+ if (!vma_m)
73546+ return;
73547+
73548+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73549+ address_m = address + SEGMEXEC_TASK_SIZE;
73550+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73551+ pte_m = pte_offset_map_nested(pmd_m, address_m);
73552+ ptl_m = pte_lockptr(mm, pmd_m);
73553+ if (ptl != ptl_m) {
73554+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73555+ if (!pte_none(*pte_m))
73556+ goto out;
73557+ }
73558+
73559+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
73560+ page_cache_get(page_m);
73561+ page_add_file_rmap(page_m);
73562+ inc_mm_counter(mm, file_rss);
73563+ set_pte_at(mm, address_m, pte_m, entry_m);
73564+ update_mmu_cache(vma_m, address_m, entry_m);
73565+out:
73566+ if (ptl != ptl_m)
73567+ spin_unlock(ptl_m);
73568+ pte_unmap_nested(pte_m);
73569+}
73570+
73571+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
73572+{
73573+ struct mm_struct *mm = vma->vm_mm;
73574+ unsigned long address_m;
73575+ spinlock_t *ptl_m;
73576+ struct vm_area_struct *vma_m;
73577+ pmd_t *pmd_m;
73578+ pte_t *pte_m, entry_m;
73579+
73580+ vma_m = pax_find_mirror_vma(vma);
73581+ if (!vma_m)
73582+ return;
73583+
73584+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
73585+ address_m = address + SEGMEXEC_TASK_SIZE;
73586+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
73587+ pte_m = pte_offset_map_nested(pmd_m, address_m);
73588+ ptl_m = pte_lockptr(mm, pmd_m);
73589+ if (ptl != ptl_m) {
73590+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
73591+ if (!pte_none(*pte_m))
73592+ goto out;
73593+ }
73594+
73595+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
73596+ set_pte_at(mm, address_m, pte_m, entry_m);
73597+out:
73598+ if (ptl != ptl_m)
73599+ spin_unlock(ptl_m);
73600+ pte_unmap_nested(pte_m);
73601+}
73602+
73603+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
73604+{
73605+ struct page *page_m;
73606+ pte_t entry;
73607+
73608+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
73609+ goto out;
73610+
73611+ entry = *pte;
73612+ page_m = vm_normal_page(vma, address, entry);
73613+ if (!page_m)
73614+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
73615+ else if (PageAnon(page_m)) {
73616+ if (pax_find_mirror_vma(vma)) {
73617+ pte_unmap_unlock(pte, ptl);
73618+ lock_page(page_m);
73619+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
73620+ if (pte_same(entry, *pte))
73621+ pax_mirror_anon_pte(vma, address, page_m, ptl);
73622+ else
73623+ unlock_page(page_m);
73624+ }
73625+ } else
73626+ pax_mirror_file_pte(vma, address, page_m, ptl);
73627+
73628+out:
73629+ pte_unmap_unlock(pte, ptl);
73630+}
73631+#endif
73632+
73633 /*
73634 * This routine handles present pages, when users try to write
73635 * to a shared page. It is done by copying the page to a new address
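Review bot: In `pax_mirror_anon_pte()`, `pax_mirror_file_pte()` and `pax_mirror_pfn_pte()` the `if (!pte_none(*pte_m)) goto out;` test sits inside `if (ptl != ptl_m)`, so when both addresses share one page-table lock the mirror PTE is written without checking that the slot was empty, and the anon and file variants also take a page reference and bump rmap and the rss counter. If the caller guarantees an empty slot in the shared-lock case (presumably via `pax_unmap_mirror_pte()`), say so in a comment; otherwise hoist the test out of the lock branch. The three helpers repeat the same address/pmd/pte/lock lookup verbatim and would be easier to audit with that sequence in one static helper. `pax_mirror_anon_pte()` unlocks `page_m` on its `out:` path but not on the early `!vma_m` return, which belongs in its header comment because callers have to match it.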
73636@@ -2156,6 +2360,12 @@ gotten:
73637 */
73638 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
73639 if (likely(pte_same(*page_table, orig_pte))) {
73640+
73641+#ifdef CONFIG_PAX_SEGMEXEC
73642+ if (pax_find_mirror_vma(vma))
73643+ BUG_ON(!trylock_page(new_page));
73644+#endif
73645+
73646 if (old_page) {
73647 if (!PageAnon(old_page)) {
73648 dec_mm_counter(mm, file_rss);
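Review bot: `BUG_ON(!trylock_page(new_page));` puts the lock acquisition inside an assertion macro, so the page is locked only as long as `BUG_ON` evaluates its argument. Writing it as `if (pax_find_mirror_vma(vma) && !trylock_page(new_page))` followed by `BUG();` keeps the side effect visible and independent of how `BUG_ON` is defined. The same construct appears in the do_anonymous_page and __do_fault hunks below. A short comment that the lock is released by `pax_mirror_anon_pte()` would also help, since the unlock is not in this function.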
73649@@ -2207,6 +2417,10 @@ gotten:
73650 page_remove_rmap(old_page);
73651 }
73652
73653+#ifdef CONFIG_PAX_SEGMEXEC
73654+ pax_mirror_anon_pte(vma, address, new_page, ptl);
73655+#endif
73656+
73657 /* Free the old page.. */
73658 new_page = old_page;
73659 ret |= VM_FAULT_WRITE;
73660@@ -2606,6 +2820,11 @@ static int do_swap_page(struct mm_struct
73661 swap_free(entry);
73662 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
73663 try_to_free_swap(page);
73664+
73665+#ifdef CONFIG_PAX_SEGMEXEC
73666+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
73667+#endif
73668+
73669 unlock_page(page);
73670
73671 if (flags & FAULT_FLAG_WRITE) {
73672@@ -2617,6 +2836,11 @@ static int do_swap_page(struct mm_struct
73673
73674 /* No need to invalidate - it was non-present before */
73675 update_mmu_cache(vma, address, pte);
73676+
73677+#ifdef CONFIG_PAX_SEGMEXEC
73678+ pax_mirror_anon_pte(vma, address, page, ptl);
73679+#endif
73680+
73681 unlock:
73682 pte_unmap_unlock(page_table, ptl);
73683 out:
73684@@ -2632,40 +2856,6 @@ out_release:
73685 }
73686
73687 /*
73688- * This is like a special single-page "expand_{down|up}wards()",
73689- * except we must first make sure that 'address{-|+}PAGE_SIZE'
73690- * doesn't hit another vma.
73691- */
73692-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
73693-{
73694- address &= PAGE_MASK;
73695- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
73696- struct vm_area_struct *prev = vma->vm_prev;
73697-
73698- /*
73699- * Is there a mapping abutting this one below?
73700- *
73701- * That's only ok if it's the same stack mapping
73702- * that has gotten split..
73703- */
73704- if (prev && prev->vm_end == address)
73705- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
73706-
73707- expand_stack(vma, address - PAGE_SIZE);
73708- }
73709- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
73710- struct vm_area_struct *next = vma->vm_next;
73711-
73712- /* As VM_GROWSDOWN but s/below/above/ */
73713- if (next && next->vm_start == address + PAGE_SIZE)
73714- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
73715-
73716- expand_upwards(vma, address + PAGE_SIZE);
73717- }
73718- return 0;
73719-}
73720-
73721-/*
73722 * We enter with non-exclusive mmap_sem (to exclude vma changes,
73723 * but allow concurrent faults), and pte mapped but not yet locked.
73724 * We return with mmap_sem still held, but pte unmapped and unlocked.
73725@@ -2674,27 +2864,23 @@ static int do_anonymous_page(struct mm_s
73726 unsigned long address, pte_t *page_table, pmd_t *pmd,
73727 unsigned int flags)
73728 {
73729- struct page *page;
73730+ struct page *page = NULL;
73731 spinlock_t *ptl;
73732 pte_t entry;
73733
73734- pte_unmap(page_table);
73735-
73736- /* Check if we need to add a guard page to the stack */
73737- if (check_stack_guard_page(vma, address) < 0)
73738- return VM_FAULT_SIGBUS;
73739-
73740- /* Use the zero-page for reads */
73741 if (!(flags & FAULT_FLAG_WRITE)) {
73742 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
73743 vma->vm_page_prot));
73744- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
73745+ ptl = pte_lockptr(mm, pmd);
73746+ spin_lock(ptl);
73747 if (!pte_none(*page_table))
73748 goto unlock;
73749 goto setpte;
73750 }
73751
73752 /* Allocate our own private page. */
73753+ pte_unmap(page_table);
73754+
73755 if (unlikely(anon_vma_prepare(vma)))
73756 goto oom;
73757 page = alloc_zeroed_user_highpage_movable(vma, address);
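Review bot: The read-fault branch of do_anonymous_page now takes the pte lock with `pte_lockptr()` and `spin_lock()` on a `page_table` it never remapped, and the comment that introduced the branch was dropped along with the guard-page check. This only works because `pte_unmap(page_table)` moved below the branch, so the mapping handed in by the caller is still live there. A later edit that moves the unmap back up would dereference an unmapped pte. I would keep a comment on the branch, e.g. `/* Read fault: use the zero page. page_table is still mapped by the caller, so only the lock is taken here. */`. The function body continues outside the hunk.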
73758@@ -2713,6 +2899,11 @@ static int do_anonymous_page(struct mm_s
73759 if (!pte_none(*page_table))
73760 goto release;
73761
73762+#ifdef CONFIG_PAX_SEGMEXEC
73763+ if (pax_find_mirror_vma(vma))
73764+ BUG_ON(!trylock_page(page));
73765+#endif
73766+
73767 inc_mm_counter(mm, anon_rss);
73768 page_add_new_anon_rmap(page, vma, address);
73769 setpte:
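Review bot: `BUG_ON(!trylock_page(page))` puts a required side effect, taking the page lock, inside an assertion macro, here and again in the `__do_fault` hunk below. It reads as a check but is really lock acquisition, and a failed trylock becomes a kernel BUG rather than an error return. Writing it as `if (!trylock_page(page)) BUG();` with a comment such as `/* page was just allocated here, so the lock cannot be contended */` would make both the intent and the assumption explicit. The matching unlock is not in this hunk and presumably happens in the mirror helper.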
73770@@ -2720,6 +2911,12 @@ setpte:
73771
73772 /* No need to invalidate - it was non-present before */
73773 update_mmu_cache(vma, address, entry);
73774+
73775+#ifdef CONFIG_PAX_SEGMEXEC
73776+ if (page)
73777+ pax_mirror_anon_pte(vma, address, page, ptl);
73778+#endif
73779+
73780 unlock:
73781 pte_unmap_unlock(page_table, ptl);
73782 return 0;
73783@@ -2862,6 +3059,12 @@ static int __do_fault(struct mm_struct *
73784 */
73785 /* Only go through if we didn't race with anybody else... */
73786 if (likely(pte_same(*page_table, orig_pte))) {
73787+
73788+#ifdef CONFIG_PAX_SEGMEXEC
73789+ if (anon && pax_find_mirror_vma(vma))
73790+ BUG_ON(!trylock_page(page));
73791+#endif
73792+
73793 flush_icache_page(vma, page);
73794 entry = mk_pte(page, vma->vm_page_prot);
73795 if (flags & FAULT_FLAG_WRITE)
73796@@ -2881,6 +3084,14 @@ static int __do_fault(struct mm_struct *
73797
73798 /* no need to invalidate: a not-present page won't be cached */
73799 update_mmu_cache(vma, address, entry);
73800+
73801+#ifdef CONFIG_PAX_SEGMEXEC
73802+ if (anon)
73803+ pax_mirror_anon_pte(vma, address, page, ptl);
73804+ else
73805+ pax_mirror_file_pte(vma, address, page, ptl);
73806+#endif
73807+
73808 } else {
73809 if (charged)
73810 mem_cgroup_uncharge_page(page);
73811@@ -3028,6 +3239,12 @@ static inline int handle_pte_fault(struc
73812 if (flags & FAULT_FLAG_WRITE)
73813 flush_tlb_page(vma, address);
73814 }
73815+
73816+#ifdef CONFIG_PAX_SEGMEXEC
73817+ pax_mirror_pte(vma, address, pte, pmd, ptl);
73818+ return 0;
73819+#endif
73820+
73821 unlock:
73822 pte_unmap_unlock(pte, ptl);
73823 return 0;
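Review bot: With CONFIG_PAX_SEGMEXEC the added `return 0;` sits above the `unlock:` label, so the fall-through path of handle_pte_fault no longer reaches `pte_unmap_unlock(pte, ptl)`, while the earlier `goto unlock` paths still do. That is only correct if `pax_mirror_pte()` unmaps the pte and drops `ptl` on every path, including for a vma that has no mirror; the helper is not visible here. A comment stating that contract, e.g. `/* pax_mirror_pte() unmaps pte and releases ptl */`, would keep the two exits from drifting apart. The function starts outside the hunk.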
73824@@ -3044,6 +3261,10 @@ int handle_mm_fault(struct mm_struct *mm
73825 pmd_t *pmd;
73826 pte_t *pte;
73827
73828+#ifdef CONFIG_PAX_SEGMEXEC
73829+ struct vm_area_struct *vma_m;
73830+#endif
73831+
73832 __set_current_state(TASK_RUNNING);
73833
73834 count_vm_event(PGFAULT);
73835@@ -3051,6 +3272,34 @@ int handle_mm_fault(struct mm_struct *mm
73836 if (unlikely(is_vm_hugetlb_page(vma)))
73837 return hugetlb_fault(mm, vma, address, flags);
73838
73839+#ifdef CONFIG_PAX_SEGMEXEC
73840+ vma_m = pax_find_mirror_vma(vma);
73841+ if (vma_m) {
73842+ unsigned long address_m;
73843+ pgd_t *pgd_m;
73844+ pud_t *pud_m;
73845+ pmd_t *pmd_m;
73846+
73847+ if (vma->vm_start > vma_m->vm_start) {
73848+ address_m = address;
73849+ address -= SEGMEXEC_TASK_SIZE;
73850+ vma = vma_m;
73851+ } else
73852+ address_m = address + SEGMEXEC_TASK_SIZE;
73853+
73854+ pgd_m = pgd_offset(mm, address_m);
73855+ pud_m = pud_alloc(mm, pgd_m, address_m);
73856+ if (!pud_m)
73857+ return VM_FAULT_OOM;
73858+ pmd_m = pmd_alloc(mm, pud_m, address_m);
73859+ if (!pmd_m)
73860+ return VM_FAULT_OOM;
73861+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
73862+ return VM_FAULT_OOM;
73863+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
73864+ }
73865+#endif
73866+
73867 pgd = pgd_offset(mm, address);
73868 pud = pud_alloc(mm, pgd, address);
73869 if (!pud)
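Review bot: In the branch where the fault address lies in the upper mirror (`vma->vm_start > vma_m->vm_start`), `vma = vma_m;` leaves both pointers referring to the lower vma. As a result `pax_unmap_mirror_pte(vma_m, address_m, pmd_m)` is later called with the lower vma and an address from the upper half. Whether that matters depends on what the helper does with its vma argument, which is not shown, so it is worth confirming. If the helper expects the vma that contains `address_m`, exchanging the two pointers instead of overwriting one keeps the pair consistent. A short comment saying that the rest of handle_mm_fault always works on the lower half would also help.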
73870@@ -3148,7 +3397,7 @@ static int __init gate_vma_init(void)
73871 gate_vma.vm_start = FIXADDR_USER_START;
73872 gate_vma.vm_end = FIXADDR_USER_END;
73873 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
73874- gate_vma.vm_page_prot = __P101;
73875+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
73876 /*
73877 * Make sure the vDSO gets into every core dump.
73878 * Dumping its contents makes post-mortem fully interpretable later
73879diff -urNp linux-2.6.32.48/mm/memory-failure.c linux-2.6.32.48/mm/memory-failure.c
73880--- linux-2.6.32.48/mm/memory-failure.c 2011-11-08 19:02:43.000000000 -0500
73881+++ linux-2.6.32.48/mm/memory-failure.c 2011-11-15 19:59:43.000000000 -0500
73882@@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
73883
73884 int sysctl_memory_failure_recovery __read_mostly = 1;
73885
73886-atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
73887+atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
73888
73889 /*
73890 * Send all the processes who have the page mapped an ``action optional''
73891@@ -64,7 +64,7 @@ static int kill_proc_ao(struct task_stru
73892 si.si_signo = SIGBUS;
73893 si.si_errno = 0;
73894 si.si_code = BUS_MCEERR_AO;
73895- si.si_addr = (void *)addr;
73896+ si.si_addr = (void __user *)addr;
73897 #ifdef __ARCH_SI_TRAPNO
73898 si.si_trapno = trapno;
73899 #endif
73900@@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
73901 return 0;
73902 }
73903
73904- atomic_long_add(1, &mce_bad_pages);
73905+ atomic_long_add_unchecked(1, &mce_bad_pages);
73906
73907 /*
73908 * We need/can do nothing about count=0 pages.
73909diff -urNp linux-2.6.32.48/mm/mempolicy.c linux-2.6.32.48/mm/mempolicy.c
73910--- linux-2.6.32.48/mm/mempolicy.c 2011-11-08 19:02:43.000000000 -0500
73911+++ linux-2.6.32.48/mm/mempolicy.c 2011-11-15 19:59:43.000000000 -0500
73912@@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
73913 struct vm_area_struct *next;
73914 int err;
73915
73916+#ifdef CONFIG_PAX_SEGMEXEC
73917+ struct vm_area_struct *vma_m;
73918+#endif
73919+
73920 err = 0;
73921 for (; vma && vma->vm_start < end; vma = next) {
73922 next = vma->vm_next;
73923@@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
73924 err = policy_vma(vma, new);
73925 if (err)
73926 break;
73927+
73928+#ifdef CONFIG_PAX_SEGMEXEC
73929+ vma_m = pax_find_mirror_vma(vma);
73930+ if (vma_m) {
73931+ err = policy_vma(vma_m, new);
73932+ if (err)
73933+ break;
73934+ }
73935+#endif
73936+
73937 }
73938 return err;
73939 }
73940@@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
73941
73942 if (end < start)
73943 return -EINVAL;
73944+
73945+#ifdef CONFIG_PAX_SEGMEXEC
73946+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
73947+ if (end > SEGMEXEC_TASK_SIZE)
73948+ return -EINVAL;
73949+ } else
73950+#endif
73951+
73952+ if (end > TASK_SIZE)
73953+ return -EINVAL;
73954+
73955 if (end == start)
73956 return 0;
73957
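Review bot: The SEGMEXEC range check in do_mbind ends in a bare `} else` that is closed by `#endif`, so the following `if (end > TASK_SIZE)` is the else-body only in SEGMEXEC builds, and the blank line in between hides that. The same preprocessor-spanning construct guards the `if (addr)` hint block in both arch_get_unmapped_area hunks in mm/mmap.c. Inserting a statement after the `#endif` would silently change which check runs. Assuming SEGMEXEC_TASK_SIZE never exceeds TASK_SIZE, the conditional part can be self-contained: `if ((mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;`, with the TASK_SIZE check left unconditional.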
73958@@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
73959 if (!mm)
73960 return -EINVAL;
73961
73962+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
73963+ if (mm != current->mm &&
73964+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
73965+ err = -EPERM;
73966+ goto out;
73967+ }
73968+#endif
73969+
73970 /*
73971 * Check if this process has the right to modify the specified
73972 * process. The right exists if the process has administrative
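Review bot: The GRKERNSEC_PROC_MEMMAP test in migrate_pages is repeated verbatim in the move_pages hunk in mm/migrate.c, and its two flag tests can be one mask. A small shared inline helper, or at least `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))`, would keep the two syscalls from diverging. The test also runs before the credential check, so it denies callers that hold CAP_SYS_NICE as well. If that is intended, a one-line comment giving the reason would make it clear the ordering is deliberate. The `out` label is outside the hunk.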
73973@@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
73974 rcu_read_lock();
73975 tcred = __task_cred(task);
73976 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
73977- cred->uid != tcred->suid && cred->uid != tcred->uid &&
73978- !capable(CAP_SYS_NICE)) {
73979+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
73980 rcu_read_unlock();
73981 err = -EPERM;
73982 goto out;
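Review bot: After dropping `cred->uid != tcred->uid`, the permission test is asymmetric: the caller's effective uid is still compared with the target's saved and real uid, but the caller's real uid only with the target's saved uid. The same edit is made in move_pages in mm/migrate.c. Nothing in either hunk says why that one combination is excluded, so the next reader cannot tell a deliberate tightening from a slip. A comment above the condition listing the accepted matches (euid against suid or uid, uid against suid, or CAP_SYS_NICE) would document the rule.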
73983@@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
73984
73985 if (file) {
73986 seq_printf(m, " file=");
73987- seq_path(m, &file->f_path, "\n\t= ");
73988+ seq_path(m, &file->f_path, "\n\t\\= ");
73989 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
73990 seq_printf(m, " heap");
73991 } else if (vma->vm_start <= mm->start_stack &&
73992diff -urNp linux-2.6.32.48/mm/migrate.c linux-2.6.32.48/mm/migrate.c
73993--- linux-2.6.32.48/mm/migrate.c 2011-11-08 19:02:43.000000000 -0500
73994+++ linux-2.6.32.48/mm/migrate.c 2011-11-15 19:59:43.000000000 -0500
73995@@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
73996 unsigned long chunk_start;
73997 int err;
73998
73999+ pax_track_stack();
74000+
74001 task_nodes = cpuset_mems_allowed(task);
74002
74003 err = -ENOMEM;
74004@@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
74005 if (!mm)
74006 return -EINVAL;
74007
74008+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
74009+ if (mm != current->mm &&
74010+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
74011+ err = -EPERM;
74012+ goto out;
74013+ }
74014+#endif
74015+
74016 /*
74017 * Check if this process has the right to modify the specified
74018 * process. The right exists if the process has administrative
74019@@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
74020 rcu_read_lock();
74021 tcred = __task_cred(task);
74022 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
74023- cred->uid != tcred->suid && cred->uid != tcred->uid &&
74024- !capable(CAP_SYS_NICE)) {
74025+ cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
74026 rcu_read_unlock();
74027 err = -EPERM;
74028 goto out;
74029diff -urNp linux-2.6.32.48/mm/mlock.c linux-2.6.32.48/mm/mlock.c
74030--- linux-2.6.32.48/mm/mlock.c 2011-11-08 19:02:43.000000000 -0500
74031+++ linux-2.6.32.48/mm/mlock.c 2011-11-15 19:59:43.000000000 -0500
74032@@ -13,6 +13,7 @@
74033 #include <linux/pagemap.h>
74034 #include <linux/mempolicy.h>
74035 #include <linux/syscalls.h>
74036+#include <linux/security.h>
74037 #include <linux/sched.h>
74038 #include <linux/module.h>
74039 #include <linux/rmap.h>
74040@@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
74041 }
74042 }
74043
74044-static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
74045-{
74046- return (vma->vm_flags & VM_GROWSDOWN) &&
74047- (vma->vm_start == addr) &&
74048- !vma_stack_continue(vma->vm_prev, addr);
74049-}
74050-
74051 /**
74052 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
74053 * @vma: target vma
74054@@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
74055 if (vma->vm_flags & VM_WRITE)
74056 gup_flags |= FOLL_WRITE;
74057
74058- /* We don't try to access the guard page of a stack vma */
74059- if (stack_guard_page(vma, start)) {
74060- addr += PAGE_SIZE;
74061- nr_pages--;
74062- }
74063-
74064 while (nr_pages > 0) {
74065 int i;
74066
74067@@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
74068 {
74069 unsigned long nstart, end, tmp;
74070 struct vm_area_struct * vma, * prev;
74071- int error;
74072+ int error = -EINVAL;
74073
74074 len = PAGE_ALIGN(len);
74075 end = start + len;
74076@@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
74077 return -EINVAL;
74078 if (end == start)
74079 return 0;
74080+ if (end > TASK_SIZE)
74081+ return -EINVAL;
74082+
74083 vma = find_vma_prev(current->mm, start, &prev);
74084 if (!vma || vma->vm_start > start)
74085 return -ENOMEM;
74086@@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
74087 for (nstart = start ; ; ) {
74088 unsigned int newflags;
74089
74090+#ifdef CONFIG_PAX_SEGMEXEC
74091+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
74092+ break;
74093+#endif
74094+
74095 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
74096
74097 newflags = vma->vm_flags | VM_LOCKED;
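Review bot: Under SEGMEXEC, do_mlock stops at the first vma at or above SEGMEXEC_TASK_SIZE with a `break`, which returns whatever `error` holds at that point. On the first iteration that is the new `-EINVAL` initialiser, but afterwards it is presumably the result of the previous iteration, so a range crossing the boundary could report success after locking only part of it. The rest of the loop is outside the hunk, so this needs checking against the full function. do_mbind in mm/mempolicy.c rejects such ranges up front, and the same would be clearer here: `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;` next to the `end > TASK_SIZE` test.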
74098@@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
74099 lock_limit >>= PAGE_SHIFT;
74100
74101 /* check against resource limits */
74102+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
74103 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
74104 error = do_mlock(start, len, 1);
74105 up_write(&current->mm->mmap_sem);
74106@@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
74107 static int do_mlockall(int flags)
74108 {
74109 struct vm_area_struct * vma, * prev = NULL;
74110- unsigned int def_flags = 0;
74111
74112 if (flags & MCL_FUTURE)
74113- def_flags = VM_LOCKED;
74114- current->mm->def_flags = def_flags;
74115+ current->mm->def_flags |= VM_LOCKED;
74116+ else
74117+ current->mm->def_flags &= ~VM_LOCKED;
74118 if (flags == MCL_FUTURE)
74119 goto out;
74120
74121 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
74122- unsigned int newflags;
74123+ unsigned long newflags;
74124+
74125+#ifdef CONFIG_PAX_SEGMEXEC
74126+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
74127+ break;
74128+#endif
74129
74130+ BUG_ON(vma->vm_end > TASK_SIZE);
74131 newflags = vma->vm_flags | VM_LOCKED;
74132 if (!(flags & MCL_CURRENT))
74133 newflags &= ~VM_LOCKED;
74134@@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
74135 lock_limit >>= PAGE_SHIFT;
74136
74137 ret = -ENOMEM;
74138+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
74139 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
74140 capable(CAP_IPC_LOCK))
74141 ret = do_mlockall(flags);
74142diff -urNp linux-2.6.32.48/mm/mmap.c linux-2.6.32.48/mm/mmap.c
74143--- linux-2.6.32.48/mm/mmap.c 2011-11-08 19:02:43.000000000 -0500
74144+++ linux-2.6.32.48/mm/mmap.c 2011-11-15 19:59:43.000000000 -0500
74145@@ -45,6 +45,16 @@
74146 #define arch_rebalance_pgtables(addr, len) (addr)
74147 #endif
74148
74149+static inline void verify_mm_writelocked(struct mm_struct *mm)
74150+{
74151+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
74152+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
74153+ up_read(&mm->mmap_sem);
74154+ BUG();
74155+ }
74156+#endif
74157+}
74158+
74159 static void unmap_region(struct mm_struct *mm,
74160 struct vm_area_struct *vma, struct vm_area_struct *prev,
74161 unsigned long start, unsigned long end);
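Review bot: verify_mm_writelocked has no comment, and its test is indirect: a successful `down_read_trylock()` is taken as proof that nobody holds `mmap_sem` for writing. It therefore cannot tell whether the writer is the current task, and it compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set. I would document that above the function, e.g. `/* BUG unless mmap_sem is write-held; detects "some writer", not "this task" */`.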
74162@@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
74163 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
74164 *
74165 */
74166-pgprot_t protection_map[16] = {
74167+pgprot_t protection_map[16] __read_only = {
74168 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
74169 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
74170 };
74171
74172 pgprot_t vm_get_page_prot(unsigned long vm_flags)
74173 {
74174- return __pgprot(pgprot_val(protection_map[vm_flags &
74175+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
74176 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
74177 pgprot_val(arch_vm_get_page_prot(vm_flags)));
74178+
74179+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74180+ if (!nx_enabled &&
74181+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
74182+ (vm_flags & (VM_READ | VM_WRITE)))
74183+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
74184+#endif
74185+
74186+ return prot;
74187 }
74188 EXPORT_SYMBOL(vm_get_page_prot);
74189
74190 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
74191 int sysctl_overcommit_ratio = 50; /* default is 50% */
74192 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
74193+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
74194 struct percpu_counter vm_committed_as;
74195
74196 /*
74197@@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
74198 struct vm_area_struct *next = vma->vm_next;
74199
74200 might_sleep();
74201+ BUG_ON(vma->vm_mirror);
74202 if (vma->vm_ops && vma->vm_ops->close)
74203 vma->vm_ops->close(vma);
74204 if (vma->vm_file) {
74205@@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
74206 * not page aligned -Ram Gupta
74207 */
74208 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
74209+ gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
74210 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
74211 (mm->end_data - mm->start_data) > rlim)
74212 goto out;
74213@@ -704,6 +726,12 @@ static int
74214 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
74215 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
74216 {
74217+
74218+#ifdef CONFIG_PAX_SEGMEXEC
74219+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
74220+ return 0;
74221+#endif
74222+
74223 if (is_mergeable_vma(vma, file, vm_flags) &&
74224 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
74225 if (vma->vm_pgoff == vm_pgoff)
74226@@ -723,6 +751,12 @@ static int
74227 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
74228 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
74229 {
74230+
74231+#ifdef CONFIG_PAX_SEGMEXEC
74232+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
74233+ return 0;
74234+#endif
74235+
74236 if (is_mergeable_vma(vma, file, vm_flags) &&
74237 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
74238 pgoff_t vm_pglen;
74239@@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
74240 struct vm_area_struct *vma_merge(struct mm_struct *mm,
74241 struct vm_area_struct *prev, unsigned long addr,
74242 unsigned long end, unsigned long vm_flags,
74243- struct anon_vma *anon_vma, struct file *file,
74244+ struct anon_vma *anon_vma, struct file *file,
74245 pgoff_t pgoff, struct mempolicy *policy)
74246 {
74247 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
74248 struct vm_area_struct *area, *next;
74249
74250+#ifdef CONFIG_PAX_SEGMEXEC
74251+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
74252+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
74253+
74254+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
74255+#endif
74256+
74257 /*
74258 * We later require that vma->vm_flags == vm_flags,
74259 * so this tests vma->vm_flags & VM_SPECIAL, too.
74260@@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
74261 if (next && next->vm_end == end) /* cases 6, 7, 8 */
74262 next = next->vm_next;
74263
74264+#ifdef CONFIG_PAX_SEGMEXEC
74265+ if (prev)
74266+ prev_m = pax_find_mirror_vma(prev);
74267+ if (area)
74268+ area_m = pax_find_mirror_vma(area);
74269+ if (next)
74270+ next_m = pax_find_mirror_vma(next);
74271+#endif
74272+
74273 /*
74274 * Can it merge with the predecessor?
74275 */
74276@@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
74277 /* cases 1, 6 */
74278 vma_adjust(prev, prev->vm_start,
74279 next->vm_end, prev->vm_pgoff, NULL);
74280- } else /* cases 2, 5, 7 */
74281+
74282+#ifdef CONFIG_PAX_SEGMEXEC
74283+ if (prev_m)
74284+ vma_adjust(prev_m, prev_m->vm_start,
74285+ next_m->vm_end, prev_m->vm_pgoff, NULL);
74286+#endif
74287+
74288+ } else { /* cases 2, 5, 7 */
74289 vma_adjust(prev, prev->vm_start,
74290 end, prev->vm_pgoff, NULL);
74291+
74292+#ifdef CONFIG_PAX_SEGMEXEC
74293+ if (prev_m)
74294+ vma_adjust(prev_m, prev_m->vm_start,
74295+ end_m, prev_m->vm_pgoff, NULL);
74296+#endif
74297+
74298+ }
74299 return prev;
74300 }
74301
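Review bot: In the cases 1/6 branch the mirror adjustment dereferences `next_m->vm_end` guarded only by `if (prev_m)`, and the cases 3/8 branch in the next hunk dereferences `next_m` guarded only by `if (area_m)`. `next_m` comes from a separate `pax_find_mirror_vma(next)` lookup and starts out NULL, so this relies on the unstated invariant that mergeable neighbours are either all mirrored or all unmirrored. Making it explicit with `BUG_ON(!next_m);` inside those two branches, or testing `prev_m && next_m`, turns a NULL dereference into a diagnosable failure. vma_merge starts and ends outside the hunk.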
74302@@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
74303 mpol_equal(policy, vma_policy(next)) &&
74304 can_vma_merge_before(next, vm_flags,
74305 anon_vma, file, pgoff+pglen)) {
74306- if (prev && addr < prev->vm_end) /* case 4 */
74307+ if (prev && addr < prev->vm_end) { /* case 4 */
74308 vma_adjust(prev, prev->vm_start,
74309 addr, prev->vm_pgoff, NULL);
74310- else /* cases 3, 8 */
74311+
74312+#ifdef CONFIG_PAX_SEGMEXEC
74313+ if (prev_m)
74314+ vma_adjust(prev_m, prev_m->vm_start,
74315+ addr_m, prev_m->vm_pgoff, NULL);
74316+#endif
74317+
74318+ } else { /* cases 3, 8 */
74319 vma_adjust(area, addr, next->vm_end,
74320 next->vm_pgoff - pglen, NULL);
74321+
74322+#ifdef CONFIG_PAX_SEGMEXEC
74323+ if (area_m)
74324+ vma_adjust(area_m, addr_m, next_m->vm_end,
74325+ next_m->vm_pgoff - pglen, NULL);
74326+#endif
74327+
74328+ }
74329 return area;
74330 }
74331
74332@@ -898,14 +978,11 @@ none:
74333 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
74334 struct file *file, long pages)
74335 {
74336- const unsigned long stack_flags
74337- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
74338-
74339 if (file) {
74340 mm->shared_vm += pages;
74341 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
74342 mm->exec_vm += pages;
74343- } else if (flags & stack_flags)
74344+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
74345 mm->stack_vm += pages;
74346 if (flags & (VM_RESERVED|VM_IO))
74347 mm->reserved_vm += pages;
74348@@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
74349 * (the exception is when the underlying filesystem is noexec
74350 * mounted, in which case we dont add PROT_EXEC.)
74351 */
74352- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
74353+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
74354 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
74355 prot |= PROT_EXEC;
74356
74357@@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
74358 /* Obtain the address to map to. we verify (or select) it and ensure
74359 * that it represents a valid section of the address space.
74360 */
74361- addr = get_unmapped_area(file, addr, len, pgoff, flags);
74362+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
74363 if (addr & ~PAGE_MASK)
74364 return addr;
74365
74366@@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
74367 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
74368 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
74369
74370+#ifdef CONFIG_PAX_MPROTECT
74371+ if (mm->pax_flags & MF_PAX_MPROTECT) {
74372+#ifndef CONFIG_PAX_MPROTECT_COMPAT
74373+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
74374+ gr_log_rwxmmap(file);
74375+
74376+#ifdef CONFIG_PAX_EMUPLT
74377+ vm_flags &= ~VM_EXEC;
74378+#else
74379+ return -EPERM;
74380+#endif
74381+
74382+ }
74383+
74384+ if (!(vm_flags & VM_EXEC))
74385+ vm_flags &= ~VM_MAYEXEC;
74386+#else
74387+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
74388+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
74389+#endif
74390+ else
74391+ vm_flags &= ~VM_MAYWRITE;
74392+ }
74393+#endif
74394+
74395+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74396+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
74397+ vm_flags &= ~VM_PAGEEXEC;
74398+#endif
74399+
74400 if (flags & MAP_LOCKED)
74401 if (!can_do_mlock())
74402 return -EPERM;
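Review bot: The closing `else vm_flags &= ~VM_MAYWRITE;` in the MF_PAX_MPROTECT block sits after the `#endif`, so it pairs with `if (!(vm_flags & VM_EXEC))` in normal builds and with `if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)` under CONFIG_PAX_MPROTECT_COMPAT. For code that decides whether a mapping may ever become writable or executable, that is hard to audit. Repeating the `else` inside each preprocessor branch costs two lines and makes each configuration readable on its own. do_mmap_pgoff starts outside the hunk.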
74403@@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
74404 locked += mm->locked_vm;
74405 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
74406 lock_limit >>= PAGE_SHIFT;
74407+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
74408 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
74409 return -EAGAIN;
74410 }
74411@@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
74412 if (error)
74413 return error;
74414
74415+ if (!gr_acl_handle_mmap(file, prot))
74416+ return -EACCES;
74417+
74418 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
74419 }
74420 EXPORT_SYMBOL(do_mmap_pgoff);
74421@@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
74422 */
74423 int vma_wants_writenotify(struct vm_area_struct *vma)
74424 {
74425- unsigned int vm_flags = vma->vm_flags;
74426+ unsigned long vm_flags = vma->vm_flags;
74427
74428 /* If it was private or non-writable, the write bit is already clear */
74429- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
74430+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
74431 return 0;
74432
74433 /* The backer wishes to know when pages are first written to? */
74434@@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
74435 unsigned long charged = 0;
74436 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
74437
74438+#ifdef CONFIG_PAX_SEGMEXEC
74439+ struct vm_area_struct *vma_m = NULL;
74440+#endif
74441+
74442+ /*
74443+ * mm->mmap_sem is required to protect against another thread
74444+ * changing the mappings in case we sleep.
74445+ */
74446+ verify_mm_writelocked(mm);
74447+
74448 /* Clear old maps */
74449 error = -ENOMEM;
74450-munmap_back:
74451 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74452 if (vma && vma->vm_start < addr + len) {
74453 if (do_munmap(mm, addr, len))
74454 return -ENOMEM;
74455- goto munmap_back;
74456+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
74457+ BUG_ON(vma && vma->vm_start < addr + len);
74458 }
74459
74460 /* Check against address space limit. */
74461@@ -1173,6 +1294,16 @@ munmap_back:
74462 goto unacct_error;
74463 }
74464
74465+#ifdef CONFIG_PAX_SEGMEXEC
74466+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
74467+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
74468+ if (!vma_m) {
74469+ error = -ENOMEM;
74470+ goto free_vma;
74471+ }
74472+ }
74473+#endif
74474+
74475 vma->vm_mm = mm;
74476 vma->vm_start = addr;
74477 vma->vm_end = addr + len;
74478@@ -1195,6 +1326,19 @@ munmap_back:
74479 error = file->f_op->mmap(file, vma);
74480 if (error)
74481 goto unmap_and_free_vma;
74482+
74483+#ifdef CONFIG_PAX_SEGMEXEC
74484+ if (vma_m && (vm_flags & VM_EXECUTABLE))
74485+ added_exe_file_vma(mm);
74486+#endif
74487+
74488+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
74489+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
74490+ vma->vm_flags |= VM_PAGEEXEC;
74491+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
74492+ }
74493+#endif
74494+
74495 if (vm_flags & VM_EXECUTABLE)
74496 added_exe_file_vma(mm);
74497
74498@@ -1218,6 +1362,11 @@ munmap_back:
74499 vma_link(mm, vma, prev, rb_link, rb_parent);
74500 file = vma->vm_file;
74501
74502+#ifdef CONFIG_PAX_SEGMEXEC
74503+ if (vma_m)
74504+ pax_mirror_vma(vma_m, vma);
74505+#endif
74506+
74507 /* Once vma denies write, undo our temporary denial count */
74508 if (correct_wcount)
74509 atomic_inc(&inode->i_writecount);
74510@@ -1226,6 +1375,7 @@ out:
74511
74512 mm->total_vm += len >> PAGE_SHIFT;
74513 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
74514+ track_exec_limit(mm, addr, addr + len, vm_flags);
74515 if (vm_flags & VM_LOCKED) {
74516 /*
74517 * makes pages present; downgrades, drops, reacquires mmap_sem
74518@@ -1248,6 +1398,12 @@ unmap_and_free_vma:
74519 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
74520 charged = 0;
74521 free_vma:
74522+
74523+#ifdef CONFIG_PAX_SEGMEXEC
74524+ if (vma_m)
74525+ kmem_cache_free(vm_area_cachep, vma_m);
74526+#endif
74527+
74528 kmem_cache_free(vm_area_cachep, vma);
74529 unacct_error:
74530 if (charged)
74531@@ -1255,6 +1411,44 @@ unacct_error:
74532 return error;
74533 }
74534
74535+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
74536+{
74537+ if (!vma) {
74538+#ifdef CONFIG_STACK_GROWSUP
74539+ if (addr > sysctl_heap_stack_gap)
74540+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
74541+ else
74542+ vma = find_vma(current->mm, 0);
74543+ if (vma && (vma->vm_flags & VM_GROWSUP))
74544+ return false;
74545+#endif
74546+ return true;
74547+ }
74548+
74549+ if (addr + len > vma->vm_start)
74550+ return false;
74551+
74552+ if (vma->vm_flags & VM_GROWSDOWN)
74553+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
74554+#ifdef CONFIG_STACK_GROWSUP
74555+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
74556+ return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
74557+#endif
74558+
74559+ return true;
74560+}
74561+
74562+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
74563+{
74564+ if (vma->vm_start < len)
74565+ return -ENOMEM;
74566+ if (!(vma->vm_flags & VM_GROWSDOWN))
74567+ return vma->vm_start - len;
74568+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
74569+ return vma->vm_start - len - sysctl_heap_stack_gap;
74570+ return -ENOMEM;
74571+}
74572+
74573 /* Get an address range which is currently unmapped.
74574 * For shmat() with addr=0.
74575 *
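Review bot: In check_heap_stack_gap the CONFIG_STACK_GROWSUP branch returns `addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`, which accepts a placement when its distance from the upward-growing stack below is at most the gap. That is the opposite sense of the VM_GROWSDOWN branch just above (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`). If the intent is the same minimum distance in both directions, the line should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Both new functions also lack a comment: check_heap_stack_gap returns true when the range may be used, and skip_heap_stack_gap returns an address or `-ENOMEM` as an unsigned long, which callers must test with `IS_ERR_VALUE()`.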
74576@@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
74577 if (flags & MAP_FIXED)
74578 return addr;
74579
74580+#ifdef CONFIG_PAX_RANDMMAP
74581+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
74582+#endif
74583+
74584 if (addr) {
74585 addr = PAGE_ALIGN(addr);
74586- vma = find_vma(mm, addr);
74587- if (TASK_SIZE - len >= addr &&
74588- (!vma || addr + len <= vma->vm_start))
74589- return addr;
74590+ if (TASK_SIZE - len >= addr) {
74591+ vma = find_vma(mm, addr);
74592+ if (check_heap_stack_gap(vma, addr, len))
74593+ return addr;
74594+ }
74595 }
74596 if (len > mm->cached_hole_size) {
74597- start_addr = addr = mm->free_area_cache;
74598+ start_addr = addr = mm->free_area_cache;
74599 } else {
74600- start_addr = addr = TASK_UNMAPPED_BASE;
74601- mm->cached_hole_size = 0;
74602+ start_addr = addr = mm->mmap_base;
74603+ mm->cached_hole_size = 0;
74604 }
74605
74606 full_search:
74607@@ -1303,34 +1502,40 @@ full_search:
74608 * Start a new search - just in case we missed
74609 * some holes.
74610 */
74611- if (start_addr != TASK_UNMAPPED_BASE) {
74612- addr = TASK_UNMAPPED_BASE;
74613- start_addr = addr;
74614+ if (start_addr != mm->mmap_base) {
74615+ start_addr = addr = mm->mmap_base;
74616 mm->cached_hole_size = 0;
74617 goto full_search;
74618 }
74619 return -ENOMEM;
74620 }
74621- if (!vma || addr + len <= vma->vm_start) {
74622- /*
74623- * Remember the place where we stopped the search:
74624- */
74625- mm->free_area_cache = addr + len;
74626- return addr;
74627- }
74628+ if (check_heap_stack_gap(vma, addr, len))
74629+ break;
74630 if (addr + mm->cached_hole_size < vma->vm_start)
74631 mm->cached_hole_size = vma->vm_start - addr;
74632 addr = vma->vm_end;
74633 }
74634+
74635+ /*
74636+ * Remember the place where we stopped the search:
74637+ */
74638+ mm->free_area_cache = addr + len;
74639+ return addr;
74640 }
74641 #endif
74642
74643 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
74644 {
74645+
74646+#ifdef CONFIG_PAX_SEGMEXEC
74647+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
74648+ return;
74649+#endif
74650+
74651 /*
74652 * Is this a new hole at the lowest possible address?
74653 */
74654- if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
74655+ if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
74656 mm->free_area_cache = addr;
74657 mm->cached_hole_size = ~0UL;
74658 }
74659@@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
74660 {
74661 struct vm_area_struct *vma;
74662 struct mm_struct *mm = current->mm;
74663- unsigned long addr = addr0;
74664+ unsigned long base = mm->mmap_base, addr = addr0;
74665
74666 /* requested length too big for entire address space */
74667 if (len > TASK_SIZE)
74668@@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
74669 if (flags & MAP_FIXED)
74670 return addr;
74671
74672+#ifdef CONFIG_PAX_RANDMMAP
74673+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
74674+#endif
74675+
74676 /* requesting a specific address */
74677 if (addr) {
74678 addr = PAGE_ALIGN(addr);
74679- vma = find_vma(mm, addr);
74680- if (TASK_SIZE - len >= addr &&
74681- (!vma || addr + len <= vma->vm_start))
74682- return addr;
74683+ if (TASK_SIZE - len >= addr) {
74684+ vma = find_vma(mm, addr);
74685+ if (check_heap_stack_gap(vma, addr, len))
74686+ return addr;
74687+ }
74688 }
74689
74690 /* check if free_area_cache is useful for us */
74691@@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
74692 /* make sure it can fit in the remaining address space */
74693 if (addr > len) {
74694 vma = find_vma(mm, addr-len);
74695- if (!vma || addr <= vma->vm_start)
74696+ if (check_heap_stack_gap(vma, addr - len, len))
74697 /* remember the address as a hint for next time */
74698 return (mm->free_area_cache = addr-len);
74699 }
74700@@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
74701 * return with success:
74702 */
74703 vma = find_vma(mm, addr);
74704- if (!vma || addr+len <= vma->vm_start)
74705+ if (check_heap_stack_gap(vma, addr, len))
74706 /* remember the address as a hint for next time */
74707 return (mm->free_area_cache = addr);
74708
74709@@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
74710 mm->cached_hole_size = vma->vm_start - addr;
74711
74712 /* try just below the current vma->vm_start */
74713- addr = vma->vm_start-len;
74714- } while (len < vma->vm_start);
74715+ addr = skip_heap_stack_gap(vma, len);
74716+ } while (!IS_ERR_VALUE(addr));
74717
74718 bottomup:
74719 /*
74720@@ -1414,13 +1624,21 @@ bottomup:
74721 * can happen with large stack limits and large mmap()
74722 * allocations.
74723 */
74724+ mm->mmap_base = TASK_UNMAPPED_BASE;
74725+
74726+#ifdef CONFIG_PAX_RANDMMAP
74727+ if (mm->pax_flags & MF_PAX_RANDMMAP)
74728+ mm->mmap_base += mm->delta_mmap;
74729+#endif
74730+
74731+ mm->free_area_cache = mm->mmap_base;
74732 mm->cached_hole_size = ~0UL;
74733- mm->free_area_cache = TASK_UNMAPPED_BASE;
74734 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
74735 /*
74736 * Restore the topdown base:
74737 */
74738- mm->free_area_cache = mm->mmap_base;
74739+ mm->mmap_base = base;
74740+ mm->free_area_cache = base;
74741 mm->cached_hole_size = ~0UL;
74742
74743 return addr;
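Review bot: The bottom-up fallback overwrites `mm->mmap_base` with `TASK_UNMAPPED_BASE` (plus `mm->delta_mmap` under RANDMMAP) for the duration of the `arch_get_unmapped_area` call and restores it from `base` afterwards, but the surrounding comment still only mentions restoring "the topdown base". A comment should say why the base itself has to be swapped and not just `free_area_cache`, presumably because `arch_unmap_area` in this patch now compares against `mm->mmap_base`. It should also state the locking assumption that keeps other threads from observing the temporary value, which I would expect to be `mmap_sem` held for writing, though that is not visible here. The function starts outside this hunk.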
74744@@ -1429,6 +1647,12 @@ bottomup:
74745
74746 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
74747 {
74748+
74749+#ifdef CONFIG_PAX_SEGMEXEC
74750+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
74751+ return;
74752+#endif
74753+
74754 /*
74755 * Is this a new hole at the highest possible address?
74756 */
74757@@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
74758 mm->free_area_cache = addr;
74759
74760 /* dont allow allocations above current base */
74761- if (mm->free_area_cache > mm->mmap_base)
74762+ if (mm->free_area_cache > mm->mmap_base) {
74763 mm->free_area_cache = mm->mmap_base;
74764+ mm->cached_hole_size = ~0UL;
74765+ }
74766 }
74767
74768 unsigned long
74769@@ -1545,6 +1771,27 @@ out:
74770 return prev ? prev->vm_next : vma;
74771 }
74772
74773+#ifdef CONFIG_PAX_SEGMEXEC
74774+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
74775+{
74776+ struct vm_area_struct *vma_m;
74777+
74778+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
74779+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
74780+ BUG_ON(vma->vm_mirror);
74781+ return NULL;
74782+ }
74783+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
74784+ vma_m = vma->vm_mirror;
74785+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
74786+ BUG_ON(vma->vm_file != vma_m->vm_file);
74787+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
74788+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
74789+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
74790+ return vma_m;
74791+}
74792+#endif
74793+
74794 /*
74795 * Verify that the stack growth is acceptable and
74796 * update accounting. This is shared with both the
74797@@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
74798 return -ENOMEM;
74799
74800 /* Stack limit test */
74801+ gr_learn_resource(current, RLIMIT_STACK, size, 1);
74802 if (size > rlim[RLIMIT_STACK].rlim_cur)
74803 return -ENOMEM;
74804
74805@@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
74806 unsigned long limit;
74807 locked = mm->locked_vm + grow;
74808 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
74809+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
74810 if (locked > limit && !capable(CAP_IPC_LOCK))
74811 return -ENOMEM;
74812 }
74813@@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
74814 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
74815 * vma is the last one with address > vma->vm_end. Have to extend vma.
74816 */
74817+#ifndef CONFIG_IA64
74818+static
74819+#endif
74820 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
74821 {
74822 int error;
74823+ bool locknext;
74824
74825 if (!(vma->vm_flags & VM_GROWSUP))
74826 return -EFAULT;
74827
74828+ /* Also guard against wrapping around to address 0. */
74829+ if (address < PAGE_ALIGN(address+1))
74830+ address = PAGE_ALIGN(address+1);
74831+ else
74832+ return -ENOMEM;
74833+
74834 /*
74835 * We must make sure the anon_vma is allocated
74836 * so that the anon_vma locking is not a noop.
74837 */
74838 if (unlikely(anon_vma_prepare(vma)))
74839 return -ENOMEM;
74840+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
74841+ if (locknext && anon_vma_prepare(vma->vm_next))
74842+ return -ENOMEM;
74843 anon_vma_lock(vma);
74844+ if (locknext)
74845+ anon_vma_lock(vma->vm_next);
74846
74847 /*
74848 * vma->vm_start/vm_end cannot change under us because the caller
74849 * is required to hold the mmap_sem in read mode. We need the
74850- * anon_vma lock to serialize against concurrent expand_stacks.
74851- * Also guard against wrapping around to address 0.
74852+ * anon_vma locks to serialize against concurrent expand_stacks
74853+ * and expand_upwards.
74854 */
74855- if (address < PAGE_ALIGN(address+4))
74856- address = PAGE_ALIGN(address+4);
74857- else {
74858- anon_vma_unlock(vma);
74859- return -ENOMEM;
74860- }
74861 error = 0;
74862
74863 /* Somebody else might have raced and expanded it already */
74864- if (address > vma->vm_end) {
74865+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
74866+ error = -ENOMEM;
74867+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
74868 unsigned long size, grow;
74869
74870 size = address - vma->vm_start;
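Review bot: The new gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so if `address` ever lies above `vma->vm_next->vm_start` the difference wraps to a large value and the test passes. The following `else if` re-checks `vma->vm_next->vm_start >= address` only when `locknext` is set. Callers may already guarantee that `address` is below the next mapping, but the check is cheap to make self-contained: `vma->vm_next->vm_start < address || vma->vm_next->vm_start - address < sysctl_heap_stack_gap`. The mirror-image expression in the expand_downwards hunk (`address - prev->vm_end < sysctl_heap_stack_gap`) has the same property when `address` is below `prev->vm_end`. The body of expand_upwards continues past this hunk.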
74871@@ -1643,6 +1903,8 @@ int expand_upwards(struct vm_area_struct
74872 vma->vm_end = address;
74873 }
74874 }
74875+ if (locknext)
74876+ anon_vma_unlock(vma->vm_next);
74877 anon_vma_unlock(vma);
74878 return error;
74879 }
74880@@ -1655,6 +1917,8 @@ static int expand_downwards(struct vm_ar
74881 unsigned long address)
74882 {
74883 int error;
74884+ bool lockprev = false;
74885+ struct vm_area_struct *prev;
74886
74887 /*
74888 * We must make sure the anon_vma is allocated
74889@@ -1668,6 +1932,15 @@ static int expand_downwards(struct vm_ar
74890 if (error)
74891 return error;
74892
74893+ prev = vma->vm_prev;
74894+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
74895+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
74896+#endif
74897+ if (lockprev && anon_vma_prepare(prev))
74898+ return -ENOMEM;
74899+ if (lockprev)
74900+ anon_vma_lock(prev);
74901+
74902 anon_vma_lock(vma);
74903
74904 /*
74905@@ -1677,9 +1950,17 @@ static int expand_downwards(struct vm_ar
74906 */
74907
74908 /* Somebody else might have raced and expanded it already */
74909- if (address < vma->vm_start) {
74910+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
74911+ error = -ENOMEM;
74912+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
74913 unsigned long size, grow;
74914
74915+#ifdef CONFIG_PAX_SEGMEXEC
74916+ struct vm_area_struct *vma_m;
74917+
74918+ vma_m = pax_find_mirror_vma(vma);
74919+#endif
74920+
74921 size = vma->vm_end - address;
74922 grow = (vma->vm_start - address) >> PAGE_SHIFT;
74923
74924@@ -1689,10 +1970,22 @@ static int expand_downwards(struct vm_ar
74925 if (!error) {
74926 vma->vm_start = address;
74927 vma->vm_pgoff -= grow;
74928+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
74929+
74930+#ifdef CONFIG_PAX_SEGMEXEC
74931+ if (vma_m) {
74932+ vma_m->vm_start -= grow << PAGE_SHIFT;
74933+ vma_m->vm_pgoff -= grow;
74934+ }
74935+#endif
74936+
74937+
74938 }
74939 }
74940 }
74941 anon_vma_unlock(vma);
74942+ if (lockprev)
74943+ anon_vma_unlock(prev);
74944 return error;
74945 }
74946
74947@@ -1768,6 +2061,13 @@ static void remove_vma_list(struct mm_st
74948 do {
74949 long nrpages = vma_pages(vma);
74950
74951+#ifdef CONFIG_PAX_SEGMEXEC
74952+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
74953+ vma = remove_vma(vma);
74954+ continue;
74955+ }
74956+#endif
74957+
74958 mm->total_vm -= nrpages;
74959 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
74960 vma = remove_vma(vma);
74961@@ -1813,6 +2113,16 @@ detach_vmas_to_be_unmapped(struct mm_str
74962 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
74963 vma->vm_prev = NULL;
74964 do {
74965+
74966+#ifdef CONFIG_PAX_SEGMEXEC
74967+ if (vma->vm_mirror) {
74968+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
74969+ vma->vm_mirror->vm_mirror = NULL;
74970+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
74971+ vma->vm_mirror = NULL;
74972+ }
74973+#endif
74974+
74975 rb_erase(&vma->vm_rb, &mm->mm_rb);
74976 mm->map_count--;
74977 tail_vma = vma;
74978@@ -1840,10 +2150,25 @@ int split_vma(struct mm_struct * mm, str
74979 struct mempolicy *pol;
74980 struct vm_area_struct *new;
74981
74982+#ifdef CONFIG_PAX_SEGMEXEC
74983+ struct vm_area_struct *vma_m, *new_m = NULL;
74984+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
74985+#endif
74986+
74987 if (is_vm_hugetlb_page(vma) && (addr &
74988 ~(huge_page_mask(hstate_vma(vma)))))
74989 return -EINVAL;
74990
74991+#ifdef CONFIG_PAX_SEGMEXEC
74992+ vma_m = pax_find_mirror_vma(vma);
74993+
74994+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
74995+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
74996+ if (mm->map_count >= sysctl_max_map_count-1)
74997+ return -ENOMEM;
74998+ } else
74999+#endif
75000+
75001 if (mm->map_count >= sysctl_max_map_count)
75002 return -ENOMEM;
75003
75004@@ -1851,6 +2176,16 @@ int split_vma(struct mm_struct * mm, str
75005 if (!new)
75006 return -ENOMEM;
75007
75008+#ifdef CONFIG_PAX_SEGMEXEC
75009+ if (vma_m) {
75010+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
75011+ if (!new_m) {
75012+ kmem_cache_free(vm_area_cachep, new);
75013+ return -ENOMEM;
75014+ }
75015+ }
75016+#endif
75017+
75018 /* most fields are the same, copy all, and then fixup */
75019 *new = *vma;
75020
75021@@ -1861,8 +2196,29 @@ int split_vma(struct mm_struct * mm, str
75022 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
75023 }
75024
75025+#ifdef CONFIG_PAX_SEGMEXEC
75026+ if (vma_m) {
75027+ *new_m = *vma_m;
75028+ new_m->vm_mirror = new;
75029+ new->vm_mirror = new_m;
75030+
75031+ if (new_below)
75032+ new_m->vm_end = addr_m;
75033+ else {
75034+ new_m->vm_start = addr_m;
75035+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
75036+ }
75037+ }
75038+#endif
75039+
75040 pol = mpol_dup(vma_policy(vma));
75041 if (IS_ERR(pol)) {
75042+
75043+#ifdef CONFIG_PAX_SEGMEXEC
75044+ if (new_m)
75045+ kmem_cache_free(vm_area_cachep, new_m);
75046+#endif
75047+
75048 kmem_cache_free(vm_area_cachep, new);
75049 return PTR_ERR(pol);
75050 }
75051@@ -1883,6 +2239,28 @@ int split_vma(struct mm_struct * mm, str
75052 else
75053 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
75054
75055+#ifdef CONFIG_PAX_SEGMEXEC
75056+ if (vma_m) {
75057+ mpol_get(pol);
75058+ vma_set_policy(new_m, pol);
75059+
75060+ if (new_m->vm_file) {
75061+ get_file(new_m->vm_file);
75062+ if (vma_m->vm_flags & VM_EXECUTABLE)
75063+ added_exe_file_vma(mm);
75064+ }
75065+
75066+ if (new_m->vm_ops && new_m->vm_ops->open)
75067+ new_m->vm_ops->open(new_m);
75068+
75069+ if (new_below)
75070+ vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
75071+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
75072+ else
75073+ vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
75074+ }
75075+#endif
75076+
75077 return 0;
75078 }
75079
75080@@ -1891,11 +2269,30 @@ int split_vma(struct mm_struct * mm, str
75081 * work. This now handles partial unmappings.
75082 * Jeremy Fitzhardinge <jeremy@goop.org>
75083 */
75084+#ifdef CONFIG_PAX_SEGMEXEC
75085+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75086+{
75087+ int ret = __do_munmap(mm, start, len);
75088+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
75089+ return ret;
75090+
75091+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
75092+}
75093+
75094+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75095+#else
75096 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
75097+#endif
75098 {
75099 unsigned long end;
75100 struct vm_area_struct *vma, *prev, *last;
75101
75102+ /*
75103+ * mm->mmap_sem is required to protect against another thread
75104+ * changing the mappings in case we sleep.
75105+ */
75106+ verify_mm_writelocked(mm);
75107+
75108 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
75109 return -EINVAL;
75110
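Review bot: The SEGMEXEC `do_munmap` wrapper returns whatever the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` returns, so a failure there reaches the caller after the primary range has already been unmapped, and no comment describes that. I would document it above the wrapper, e.g. `/* unmap [start, start+len), then its SEGMEXEC mirror; an error from the mirror pass is returned with the primary range already gone */`. It is also worth stating which callers are expected to keep `start + len` below `SEGMEXEC_TASK_SIZE`, since among the visible hunks only the munmap syscall bounds `addr` and `len` against it. The body of `__do_munmap` continues outside this hunk.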
75111@@ -1959,6 +2356,8 @@ int do_munmap(struct mm_struct *mm, unsi
75112 /* Fix up all other VM information */
75113 remove_vma_list(mm, vma);
75114
75115+ track_exec_limit(mm, start, end, 0UL);
75116+
75117 return 0;
75118 }
75119
75120@@ -1971,22 +2370,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
75121
75122 profile_munmap(addr);
75123
75124+#ifdef CONFIG_PAX_SEGMEXEC
75125+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
75126+ (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
75127+ return -EINVAL;
75128+#endif
75129+
75130 down_write(&mm->mmap_sem);
75131 ret = do_munmap(mm, addr, len);
75132 up_write(&mm->mmap_sem);
75133 return ret;
75134 }
75135
75136-static inline void verify_mm_writelocked(struct mm_struct *mm)
75137-{
75138-#ifdef CONFIG_DEBUG_VM
75139- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
75140- WARN_ON(1);
75141- up_read(&mm->mmap_sem);
75142- }
75143-#endif
75144-}
75145-
75146 /*
75147 * this is really a simplified "do_mmap". it only handles
75148 * anonymous maps. eventually we may be able to do some
75149@@ -2000,6 +2395,7 @@ unsigned long do_brk(unsigned long addr,
75150 struct rb_node ** rb_link, * rb_parent;
75151 pgoff_t pgoff = addr >> PAGE_SHIFT;
75152 int error;
75153+ unsigned long charged;
75154
75155 len = PAGE_ALIGN(len);
75156 if (!len)
75157@@ -2011,16 +2407,30 @@ unsigned long do_brk(unsigned long addr,
75158
75159 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
75160
75161+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
75162+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75163+ flags &= ~VM_EXEC;
75164+
75165+#ifdef CONFIG_PAX_MPROTECT
75166+ if (mm->pax_flags & MF_PAX_MPROTECT)
75167+ flags &= ~VM_MAYEXEC;
75168+#endif
75169+
75170+ }
75171+#endif
75172+
75173 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
75174 if (error & ~PAGE_MASK)
75175 return error;
75176
75177+ charged = len >> PAGE_SHIFT;
75178+
75179 /*
75180 * mlock MCL_FUTURE?
75181 */
75182 if (mm->def_flags & VM_LOCKED) {
75183 unsigned long locked, lock_limit;
75184- locked = len >> PAGE_SHIFT;
75185+ locked = charged;
75186 locked += mm->locked_vm;
75187 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
75188 lock_limit >>= PAGE_SHIFT;
75189@@ -2037,22 +2447,22 @@ unsigned long do_brk(unsigned long addr,
75190 /*
75191 * Clear old maps. this also does some error checking for us
75192 */
75193- munmap_back:
75194 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
75195 if (vma && vma->vm_start < addr + len) {
75196 if (do_munmap(mm, addr, len))
75197 return -ENOMEM;
75198- goto munmap_back;
75199+ vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
75200+ BUG_ON(vma && vma->vm_start < addr + len);
75201 }
75202
75203 /* Check against address space limits *after* clearing old maps... */
75204- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
75205+ if (!may_expand_vm(mm, charged))
75206 return -ENOMEM;
75207
75208 if (mm->map_count > sysctl_max_map_count)
75209 return -ENOMEM;
75210
75211- if (security_vm_enough_memory(len >> PAGE_SHIFT))
75212+ if (security_vm_enough_memory(charged))
75213 return -ENOMEM;
75214
75215 /* Can we just expand an old private anonymous mapping? */
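Review bot: The retry loop is replaced by a second `find_vma_prepare` followed by `BUG_ON(vma && vma->vm_start < addr + len)`, which turns an unexpected leftover mapping into a kernel BUG even though the function has a `-ENOMEM` return two lines earlier. Unless a hard stop is the intended policy, `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;` reports the broken invariant and keeps the error path. Either way, a one-line comment saying why a single pass is sufficient after a successful `do_munmap` would help the next reader. do_brk starts and ends outside this hunk.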
75216@@ -2066,7 +2476,7 @@ unsigned long do_brk(unsigned long addr,
75217 */
75218 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75219 if (!vma) {
75220- vm_unacct_memory(len >> PAGE_SHIFT);
75221+ vm_unacct_memory(charged);
75222 return -ENOMEM;
75223 }
75224
75225@@ -2078,11 +2488,12 @@ unsigned long do_brk(unsigned long addr,
75226 vma->vm_page_prot = vm_get_page_prot(flags);
75227 vma_link(mm, vma, prev, rb_link, rb_parent);
75228 out:
75229- mm->total_vm += len >> PAGE_SHIFT;
75230+ mm->total_vm += charged;
75231 if (flags & VM_LOCKED) {
75232 if (!mlock_vma_pages_range(vma, addr, addr + len))
75233- mm->locked_vm += (len >> PAGE_SHIFT);
75234+ mm->locked_vm += charged;
75235 }
75236+ track_exec_limit(mm, addr, addr + len, flags);
75237 return addr;
75238 }
75239
75240@@ -2129,8 +2540,10 @@ void exit_mmap(struct mm_struct *mm)
75241 * Walk the list again, actually closing and freeing it,
75242 * with preemption enabled, without holding any MM locks.
75243 */
75244- while (vma)
75245+ while (vma) {
75246+ vma->vm_mirror = NULL;
75247 vma = remove_vma(vma);
75248+ }
75249
75250 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
75251 }
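Review bot: `vma->vm_mirror = NULL;` in the exit_mmap loop is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, unlike the other `vm_mirror` accesses in this file's hunks (detach_vmas_to_be_unmapped, split_vma, pax_find_mirror_vma). If the field is declared unconditionally this is only an inconsistency, and a short comment on why the link is cleared before `remove_vma` would be enough. If the field exists only under SEGMEXEC, the line needs the same guard. The `BUG_ON(vma->vm_mirror);` added to copy_vma in a later hunk is unguarded in the same way. exit_mmap begins outside this hunk.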
75252@@ -2144,6 +2557,10 @@ int insert_vm_struct(struct mm_struct *
75253 struct vm_area_struct * __vma, * prev;
75254 struct rb_node ** rb_link, * rb_parent;
75255
75256+#ifdef CONFIG_PAX_SEGMEXEC
75257+ struct vm_area_struct *vma_m = NULL;
75258+#endif
75259+
75260 /*
75261 * The vm_pgoff of a purely anonymous vma should be irrelevant
75262 * until its first write fault, when page's anon_vma and index
75263@@ -2166,7 +2583,22 @@ int insert_vm_struct(struct mm_struct *
75264 if ((vma->vm_flags & VM_ACCOUNT) &&
75265 security_vm_enough_memory_mm(mm, vma_pages(vma)))
75266 return -ENOMEM;
75267+
75268+#ifdef CONFIG_PAX_SEGMEXEC
75269+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
75270+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75271+ if (!vma_m)
75272+ return -ENOMEM;
75273+ }
75274+#endif
75275+
75276 vma_link(mm, vma, prev, rb_link, rb_parent);
75277+
75278+#ifdef CONFIG_PAX_SEGMEXEC
75279+ if (vma_m)
75280+ pax_mirror_vma(vma_m, vma);
75281+#endif
75282+
75283 return 0;
75284 }
75285
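Review bot: The new `return -ENOMEM` taken when `kmem_cache_zalloc` for `vma_m` fails comes after the `security_vm_enough_memory_mm(mm, vma_pages(vma))` call in the context lines above. For a VMA that is both `VM_ACCOUNT` and `VM_EXEC`, the committed-memory charge is therefore left in place on this error path. Either allocate the mirror before the accounting check, or undo the charge first with `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));` ahead of the return. The start of insert_vm_struct is outside this hunk, so this assumes no caller compensates for the charge on failure.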
75286@@ -2184,6 +2616,8 @@ struct vm_area_struct *copy_vma(struct v
75287 struct rb_node **rb_link, *rb_parent;
75288 struct mempolicy *pol;
75289
75290+ BUG_ON(vma->vm_mirror);
75291+
75292 /*
75293 * If anonymous vma has not yet been faulted, update new pgoff
75294 * to match new location, to increase its chance of merging.
75295@@ -2227,6 +2661,35 @@ struct vm_area_struct *copy_vma(struct v
75296 return new_vma;
75297 }
75298
75299+#ifdef CONFIG_PAX_SEGMEXEC
75300+void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
75301+{
75302+ struct vm_area_struct *prev_m;
75303+ struct rb_node **rb_link_m, *rb_parent_m;
75304+ struct mempolicy *pol_m;
75305+
75306+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
75307+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
75308+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
75309+ *vma_m = *vma;
75310+ pol_m = vma_policy(vma_m);
75311+ mpol_get(pol_m);
75312+ vma_set_policy(vma_m, pol_m);
75313+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
75314+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
75315+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
75316+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
75317+ if (vma_m->vm_file)
75318+ get_file(vma_m->vm_file);
75319+ if (vma_m->vm_ops && vma_m->vm_ops->open)
75320+ vma_m->vm_ops->open(vma_m);
75321+ find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
75322+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
75323+ vma_m->vm_mirror = vma;
75324+ vma->vm_mirror = vma_m;
75325+}
75326+#endif
75327+
75328 /*
75329 * Return true if the calling process may expand its vm space by the passed
75330 * number of pages
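Review bot: pax_mirror_vma has no header comment, and its contract is not obvious from the call sites. It overwrites `*vma_m` with a copy of `*vma`, shifts the range by `SEGMEXEC_TASK_SIZE`, strips `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED`, links the result into the mm and cross-links the two `vm_mirror` pointers. A comment should state that the caller supplies a freshly allocated `vma_m` whose ownership passes to the mm. It should also state that the mirror range must be unoccupied, because the VMA returned by `find_vma_prepare` is ignored and nothing here checks for an overlap before `vma_link`.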
75331@@ -2237,7 +2700,7 @@ int may_expand_vm(struct mm_struct *mm,
75332 unsigned long lim;
75333
75334 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
75335-
75336+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
75337 if (cur + npages > lim)
75338 return 0;
75339 return 1;
75340@@ -2307,6 +2770,22 @@ int install_special_mapping(struct mm_st
75341 vma->vm_start = addr;
75342 vma->vm_end = addr + len;
75343
75344+#ifdef CONFIG_PAX_MPROTECT
75345+ if (mm->pax_flags & MF_PAX_MPROTECT) {
75346+#ifndef CONFIG_PAX_MPROTECT_COMPAT
75347+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
75348+ return -EPERM;
75349+ if (!(vm_flags & VM_EXEC))
75350+ vm_flags &= ~VM_MAYEXEC;
75351+#else
75352+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
75353+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
75354+#endif
75355+ else
75356+ vm_flags &= ~VM_MAYWRITE;
75357+ }
75358+#endif
75359+
75360 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
75361 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
75362
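Review bot: The `return -EPERM` for a mapping requested with both `VM_WRITE` and `VM_EXEC` sits after `vma->vm_start` and `vma->vm_end` have been assigned, so `vma` is already a live object and is not released on this path. The allocation is outside the hunk. If it comes from `vm_area_cachep` earlier in install_special_mapping, the early return should become `{ kmem_cache_free(vm_area_cachep, vma); return -EPERM; }`, or the flag check should move above the allocation. Separately, the `else` after `#endif` attaches to a different `if` in each preprocessor branch, which deserves a comment.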
75363diff -urNp linux-2.6.32.48/mm/mprotect.c linux-2.6.32.48/mm/mprotect.c
75364--- linux-2.6.32.48/mm/mprotect.c 2011-11-08 19:02:43.000000000 -0500
75365+++ linux-2.6.32.48/mm/mprotect.c 2011-11-15 19:59:43.000000000 -0500
75366@@ -24,10 +24,16 @@
75367 #include <linux/mmu_notifier.h>
75368 #include <linux/migrate.h>
75369 #include <linux/perf_event.h>
75370+
75371+#ifdef CONFIG_PAX_MPROTECT
75372+#include <linux/elf.h>
75373+#endif
75374+
75375 #include <asm/uaccess.h>
75376 #include <asm/pgtable.h>
75377 #include <asm/cacheflush.h>
75378 #include <asm/tlbflush.h>
75379+#include <asm/mmu_context.h>
75380
75381 #ifndef pgprot_modify
75382 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
75383@@ -132,6 +138,48 @@ static void change_protection(struct vm_
75384 flush_tlb_range(vma, start, end);
75385 }
75386
75387+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75388+/* called while holding the mmap semaphor for writing except stack expansion */
75389+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
75390+{
75391+ unsigned long oldlimit, newlimit = 0UL;
75392+
75393+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
75394+ return;
75395+
75396+ spin_lock(&mm->page_table_lock);
75397+ oldlimit = mm->context.user_cs_limit;
75398+ if ((prot & VM_EXEC) && oldlimit < end)
75399+ /* USER_CS limit moved up */
75400+ newlimit = end;
75401+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
75402+ /* USER_CS limit moved down */
75403+ newlimit = start;
75404+
75405+ if (newlimit) {
75406+ mm->context.user_cs_limit = newlimit;
75407+
75408+#ifdef CONFIG_SMP
75409+ wmb();
75410+ cpus_clear(mm->context.cpu_user_cs_mask);
75411+ cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
75412+#endif
75413+
75414+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
75415+ }
75416+ spin_unlock(&mm->page_table_lock);
75417+ if (newlimit == end) {
75418+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
75419+
75420+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
75421+ if (is_vm_hugetlb_page(vma))
75422+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
75423+ else
75424+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
75425+ }
75426+}
75427+#endif
75428+
75429 int
75430 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
75431 unsigned long start, unsigned long end, unsigned long newflags)
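Review bot: The header comment on track_exec_limit says the mmap semaphore is held for writing "except stack expansion", but it does not say what protects the VMA walk in that case. After dropping `page_table_lock` the function walks the list from `find_vma(mm, oldlimit)` and calls `change_protection` / `hugetlb_change_protection`, and the expand_downwards hunk in mm/mmap.c calls it with the anon_vma locks taken and, per the comment in expand_upwards, `mmap_sem` only in read mode. The comment should spell that out, together with what the function maintains: it returns early unless `MF_PAX_PAGEEXEC` is set and `nx_enabled` is false, and otherwise moves `mm->context.user_cs_limit` up to `end` or down to `start`. The unbraced `if`/`else` bodies made of a comment plus a statement, and the unbraced `for` body, would also read more safely with braces.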
75432@@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
75433 int error;
75434 int dirty_accountable = 0;
75435
75436+#ifdef CONFIG_PAX_SEGMEXEC
75437+ struct vm_area_struct *vma_m = NULL;
75438+ unsigned long start_m, end_m;
75439+
75440+ start_m = start + SEGMEXEC_TASK_SIZE;
75441+ end_m = end + SEGMEXEC_TASK_SIZE;
75442+#endif
75443+
75444 if (newflags == oldflags) {
75445 *pprev = vma;
75446 return 0;
75447 }
75448
75449+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
75450+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
75451+
75452+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
75453+ return -ENOMEM;
75454+
75455+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
75456+ return -ENOMEM;
75457+ }
75458+
75459 /*
75460 * If we make a private mapping writable we increase our commit;
75461 * but (without finer accounting) cannot reduce our commit if we
75462@@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
75463 }
75464 }
75465
75466+#ifdef CONFIG_PAX_SEGMEXEC
75467+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
75468+ if (start != vma->vm_start) {
75469+ error = split_vma(mm, vma, start, 1);
75470+ if (error)
75471+ goto fail;
75472+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
75473+ *pprev = (*pprev)->vm_next;
75474+ }
75475+
75476+ if (end != vma->vm_end) {
75477+ error = split_vma(mm, vma, end, 0);
75478+ if (error)
75479+ goto fail;
75480+ }
75481+
75482+ if (pax_find_mirror_vma(vma)) {
75483+ error = __do_munmap(mm, start_m, end_m - start_m);
75484+ if (error)
75485+ goto fail;
75486+ } else {
75487+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
75488+ if (!vma_m) {
75489+ error = -ENOMEM;
75490+ goto fail;
75491+ }
75492+ vma->vm_flags = newflags;
75493+ pax_mirror_vma(vma_m, vma);
75494+ }
75495+ }
75496+#endif
75497+
75498 /*
75499 * First try to merge with previous and/or next vma.
75500 */
75501@@ -195,9 +293,21 @@ success:
75502 * vm_flags and vm_page_prot are protected by the mmap_sem
75503 * held in write mode.
75504 */
75505+
75506+#ifdef CONFIG_PAX_SEGMEXEC
75507+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
75508+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
75509+#endif
75510+
75511 vma->vm_flags = newflags;
75512+
75513+#ifdef CONFIG_PAX_MPROTECT
75514+ if (mm->binfmt && mm->binfmt->handle_mprotect)
75515+ mm->binfmt->handle_mprotect(vma, newflags);
75516+#endif
75517+
75518 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
75519- vm_get_page_prot(newflags));
75520+ vm_get_page_prot(vma->vm_flags));
75521
75522 if (vma_wants_writenotify(vma)) {
75523 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
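Review bot: `vm_page_prot` is now derived from `vma->vm_flags` after `handle_mprotect` has run, but the `vma_wants_writenotify` branch on the last line of the hunk still recomputes it from `newflags & ~VM_SHARED`. Any adjustment the handler made to `vma->vm_flags` is therefore dropped for write-notify mappings. If the switch to `vma->vm_flags` was made because the handler can change the flags, that line should read `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. The `track_exec_limit(current->mm, nstart, tmp, vm_flags)` call added in the mprotect syscall hunk likewise passes the requested flags rather than the flags finally stored on the VMA. mprotect_fixup starts and ends outside this hunk.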
75524@@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75525 end = start + len;
75526 if (end <= start)
75527 return -ENOMEM;
75528+
75529+#ifdef CONFIG_PAX_SEGMEXEC
75530+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
75531+ if (end > SEGMEXEC_TASK_SIZE)
75532+ return -EINVAL;
75533+ } else
75534+#endif
75535+
75536+ if (end > TASK_SIZE)
75537+ return -EINVAL;
75538+
75539 if (!arch_validate_prot(prot))
75540 return -EINVAL;
75541
75542@@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75543 /*
75544 * Does the application expect PROT_READ to imply PROT_EXEC:
75545 */
75546- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
75547+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
75548 prot |= PROT_EXEC;
75549
75550 vm_flags = calc_vm_prot_bits(prot);
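Review bot: The condition now adds `PROT_EXEC` when either `PROT_READ` or `PROT_WRITE` is requested under `READ_IMPLIES_EXEC`, but the comment directly above it still describes only "PROT_READ to imply PROT_EXEC". A write-only request becoming executable is a wider grant than the comment documents. The comment should be updated, e.g. `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */`, ideally with a word on why `PROT_WRITE` is included. The enclosing syscall body lies mostly outside this hunk.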
75551@@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75552 if (start > vma->vm_start)
75553 prev = vma;
75554
75555+#ifdef CONFIG_PAX_MPROTECT
75556+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
75557+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
75558+#endif
75559+
75560 for (nstart = start ; ; ) {
75561 unsigned long newflags;
75562
75563@@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75564
75565 /* newflags >> 4 shift VM_MAY% in place of VM_% */
75566 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
75567+ if (prot & (PROT_WRITE | PROT_EXEC))
75568+ gr_log_rwxmprotect(vma->vm_file);
75569+
75570+ error = -EACCES;
75571+ goto out;
75572+ }
75573+
75574+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
75575 error = -EACCES;
75576 goto out;
75577 }
75578@@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
75579 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
75580 if (error)
75581 goto out;
75582+
75583+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
75584+
75585 nstart = tmp;
75586
75587 if (nstart < prev->vm_end)
75588diff -urNp linux-2.6.32.48/mm/mremap.c linux-2.6.32.48/mm/mremap.c
75589--- linux-2.6.32.48/mm/mremap.c 2011-11-08 19:02:43.000000000 -0500
75590+++ linux-2.6.32.48/mm/mremap.c 2011-11-15 19:59:43.000000000 -0500
75591@@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
75592 continue;
75593 pte = ptep_clear_flush(vma, old_addr, old_pte);
75594 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
75595+
75596+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75597+ if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
75598+ pte = pte_exprotect(pte);
75599+#endif
75600+
75601 set_pte_at(mm, new_addr, new_pte, pte);
75602 }
75603
75604@@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
75605 if (is_vm_hugetlb_page(vma))
75606 goto Einval;
75607
75608+#ifdef CONFIG_PAX_SEGMEXEC
75609+ if (pax_find_mirror_vma(vma))
75610+ goto Einval;
75611+#endif
75612+
75613 /* We can't remap across vm area boundaries */
75614 if (old_len > vma->vm_end - addr)
75615 goto Efault;
75616@@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
75617 unsigned long ret = -EINVAL;
75618 unsigned long charged = 0;
75619 unsigned long map_flags;
75620+ unsigned long pax_task_size = TASK_SIZE;
75621
75622 if (new_addr & ~PAGE_MASK)
75623 goto out;
75624
75625- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
75626+#ifdef CONFIG_PAX_SEGMEXEC
75627+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
75628+ pax_task_size = SEGMEXEC_TASK_SIZE;
75629+#endif
75630+
75631+ pax_task_size -= PAGE_SIZE;
75632+
75633+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
75634 goto out;
75635
75636 /* Check if the location we're moving into overlaps the
75637 * old location at all, and fail if it does.
75638 */
75639- if ((new_addr <= addr) && (new_addr+new_len) > addr)
75640- goto out;
75641-
75642- if ((addr <= new_addr) && (addr+old_len) > new_addr)
75643+ if (addr + old_len > new_addr && new_addr + new_len > addr)
75644 goto out;
75645
75646 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
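Review bot: The length test in mremap_to still compares `new_len` with `TASK_SIZE` while the address test uses `pax_task_size - new_len`. For a `new_len` between the two limits the subtraction wraps and the address test no longer rejects anything. do_mremap in a later hunk checks `new_len > pax_task_size` before calling in, so this may be unreachable today, but the local check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. mremap_to begins and ends outside this hunk.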
75647@@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
75648 struct vm_area_struct *vma;
75649 unsigned long ret = -EINVAL;
75650 unsigned long charged = 0;
75651+ unsigned long pax_task_size = TASK_SIZE;
75652
75653 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
75654 goto out;
75655@@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
75656 if (!new_len)
75657 goto out;
75658
75659+#ifdef CONFIG_PAX_SEGMEXEC
75660+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
75661+ pax_task_size = SEGMEXEC_TASK_SIZE;
75662+#endif
75663+
75664+ pax_task_size -= PAGE_SIZE;
75665+
75666+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
75667+ old_len > pax_task_size || addr > pax_task_size-old_len)
75668+ goto out;
75669+
75670 if (flags & MREMAP_FIXED) {
75671 if (flags & MREMAP_MAYMOVE)
75672 ret = mremap_to(addr, old_len, new_addr, new_len);
75673@@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
75674 addr + new_len);
75675 }
75676 ret = addr;
75677+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
75678 goto out;
75679 }
75680 }
75681@@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
75682 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
75683 if (ret)
75684 goto out;
75685+
75686+ map_flags = vma->vm_flags;
75687 ret = move_vma(vma, addr, old_len, new_len, new_addr);
75688+ if (!(ret & ~PAGE_MASK)) {
75689+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
75690+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
75691+ }
75692 }
75693 out:
75694 if (ret & ~PAGE_MASK)
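Review bot: `map_flags = vma->vm_flags` is saved before `move_vma()` with no comment saying why the flags are copied instead of read from `vma` afterwards; presumably `vma` may no longer be valid once the mapping has moved. A line such as `/* vma may be gone after move_vma(); keep its flags for track_exec_limit() */` would record that, once the author confirms the reason. `map_flags` is declared outside the hunk, and if it is the variable that otherwise carries MAP_* values, a separately named local (for example `unsigned long vm_flags = vma->vm_flags;`) would avoid mixing two flag namespaces in one variable.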
75695diff -urNp linux-2.6.32.48/mm/nommu.c linux-2.6.32.48/mm/nommu.c
75696--- linux-2.6.32.48/mm/nommu.c 2011-11-08 19:02:43.000000000 -0500
75697+++ linux-2.6.32.48/mm/nommu.c 2011-11-15 19:59:43.000000000 -0500
75698@@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
75699 int sysctl_overcommit_ratio = 50; /* default is 50% */
75700 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
75701 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
75702-int heap_stack_gap = 0;
75703
75704 atomic_long_t mmap_pages_allocated;
75705
75706@@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
75707 EXPORT_SYMBOL(find_vma);
75708
75709 /*
75710- * find a VMA
75711- * - we don't extend stack VMAs under NOMMU conditions
75712- */
75713-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
75714-{
75715- return find_vma(mm, addr);
75716-}
75717-
75718-/*
75719 * expand a stack to a given address
75720 * - not supported under NOMMU conditions
75721 */
75722diff -urNp linux-2.6.32.48/mm/page_alloc.c linux-2.6.32.48/mm/page_alloc.c
75723--- linux-2.6.32.48/mm/page_alloc.c 2011-11-08 19:02:43.000000000 -0500
75724+++ linux-2.6.32.48/mm/page_alloc.c 2011-11-15 19:59:43.000000000 -0500
75725@@ -289,7 +289,7 @@ out:
75726 * This usage means that zero-order pages may not be compound.
75727 */
75728
75729-static void free_compound_page(struct page *page)
75730+void free_compound_page(struct page *page)
75731 {
75732 __free_pages_ok(page, compound_order(page));
75733 }
75734@@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
75735 int bad = 0;
75736 int wasMlocked = __TestClearPageMlocked(page);
75737
75738+#ifdef CONFIG_PAX_MEMORY_SANITIZE
75739+ unsigned long index = 1UL << order;
75740+#endif
75741+
75742 kmemcheck_free_shadow(page, order);
75743
75744 for (i = 0 ; i < (1 << order) ; ++i)
75745@@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
75746 debug_check_no_obj_freed(page_address(page),
75747 PAGE_SIZE << order);
75748 }
75749+
75750+#ifdef CONFIG_PAX_MEMORY_SANITIZE
75751+ for (; index; --index)
75752+ sanitize_highpage(page + index - 1);
75753+#endif
75754+
75755 arch_free_page(page, order);
75756 kernel_map_pages(page, 1 << order, 0);
75757
75758@@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
75759 arch_alloc_page(page, order);
75760 kernel_map_pages(page, 1 << order, 1);
75761
75762+#ifndef CONFIG_PAX_MEMORY_SANITIZE
75763 if (gfp_flags & __GFP_ZERO)
75764 prep_zero_page(page, order, gfp_flags);
75765+#endif
75766
75767 if (order && (gfp_flags & __GFP_COMP))
75768 prep_compound_page(page, order);
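Review bot: With `CONFIG_PAX_MEMORY_SANITIZE` set, `__GFP_ZERO` no longer zeroes anything here, so correctness rests on every page having gone through `sanitize_highpage()` before it reaches the allocator, and nothing in the hunk says so. The calls visible in this patch are in `__free_pages_ok()` and `free_hot_cold_page()`; whether pages that enter the free lists by another route (early boot, for instance) are covered cannot be seen from here and is worth confirming. I would state the invariant next to the `#ifndef`, e.g. `/* pages are cleared on free by sanitize_highpage(), so __GFP_ZERO has nothing left to do */`. prep_new_page's body starts and ends outside the hunk.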
75769@@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
75770 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
75771 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
75772 }
75773+
75774+#ifdef CONFIG_PAX_MEMORY_SANITIZE
75775+ sanitize_highpage(page);
75776+#endif
75777+
75778 arch_free_page(page, 0);
75779 kernel_map_pages(page, 1, 0);
75780
75781@@ -2179,6 +2196,8 @@ void show_free_areas(void)
75782 int cpu;
75783 struct zone *zone;
75784
75785+ pax_track_stack();
75786+
75787 for_each_populated_zone(zone) {
75788 show_node(zone);
75789 printk("%s per-cpu:\n", zone->name);
75790@@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
75791 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
75792 }
75793 #else
75794-static void inline setup_usemap(struct pglist_data *pgdat,
75795+static inline void setup_usemap(struct pglist_data *pgdat,
75796 struct zone *zone, unsigned long zonesize) {}
75797 #endif /* CONFIG_SPARSEMEM */
75798
75799diff -urNp linux-2.6.32.48/mm/percpu.c linux-2.6.32.48/mm/percpu.c
75800--- linux-2.6.32.48/mm/percpu.c 2011-11-08 19:02:43.000000000 -0500
75801+++ linux-2.6.32.48/mm/percpu.c 2011-11-15 19:59:43.000000000 -0500
75802@@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
75803 static unsigned int pcpu_last_unit_cpu __read_mostly;
75804
75805 /* the address of the first chunk which starts with the kernel static area */
75806-void *pcpu_base_addr __read_mostly;
75807+void *pcpu_base_addr __read_only;
75808 EXPORT_SYMBOL_GPL(pcpu_base_addr);
75809
75810 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
75811diff -urNp linux-2.6.32.48/mm/rmap.c linux-2.6.32.48/mm/rmap.c
75812--- linux-2.6.32.48/mm/rmap.c 2011-11-08 19:02:43.000000000 -0500
75813+++ linux-2.6.32.48/mm/rmap.c 2011-11-15 19:59:43.000000000 -0500
75814@@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
75815 /* page_table_lock to protect against threads */
75816 spin_lock(&mm->page_table_lock);
75817 if (likely(!vma->anon_vma)) {
75818+
75819+#ifdef CONFIG_PAX_SEGMEXEC
75820+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
75821+
75822+ if (vma_m) {
75823+ BUG_ON(vma_m->anon_vma);
75824+ vma_m->anon_vma = anon_vma;
75825+ list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
75826+ }
75827+#endif
75828+
75829 vma->anon_vma = anon_vma;
75830 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
75831 allocated = NULL;
75832diff -urNp linux-2.6.32.48/mm/shmem.c linux-2.6.32.48/mm/shmem.c
75833--- linux-2.6.32.48/mm/shmem.c 2011-11-08 19:02:43.000000000 -0500
75834+++ linux-2.6.32.48/mm/shmem.c 2011-11-15 19:59:43.000000000 -0500
75835@@ -31,7 +31,7 @@
75836 #include <linux/swap.h>
75837 #include <linux/ima.h>
75838
75839-static struct vfsmount *shm_mnt;
75840+struct vfsmount *shm_mnt;
75841
75842 #ifdef CONFIG_SHMEM
75843 /*
75844@@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
75845 goto unlock;
75846 }
75847 entry = shmem_swp_entry(info, index, NULL);
75848+ if (!entry)
75849+ goto unlock;
75850 if (entry->val) {
75851 /*
75852 * The more uptodate page coming down from a stacked
75853@@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
75854 struct vm_area_struct pvma;
75855 struct page *page;
75856
75857+ pax_track_stack();
75858+
75859 spol = mpol_cond_copy(&mpol,
75860 mpol_shared_policy_lookup(&info->policy, idx));
75861
75862@@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
75863
75864 info = SHMEM_I(inode);
75865 inode->i_size = len-1;
75866- if (len <= (char *)inode - (char *)info) {
75867+ if (len <= (char *)inode - (char *)info && len <= 64) {
75868 /* do it inline */
75869 memcpy(info, symname, len);
75870 inode->i_op = &shmem_symlink_inline_operations;
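Review bot: The added bound `len <= 64` is a bare constant with no stated relation to the object that `memcpy(info, symname, len)` writes into. If it stands for the size of a specific leading field of `struct shmem_inode_info`, express it with `sizeof` of that field or a named constant and say so in a comment, e.g. `/* inline symlinks must fit in <field>; see struct shmem_inode_info */`. As written, a later layout change would not update the limit. shmem_symlink's body continues outside the hunk.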
75871@@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
75872 int err = -ENOMEM;
75873
75874 /* Round up to L1_CACHE_BYTES to resist false sharing */
75875- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
75876- L1_CACHE_BYTES), GFP_KERNEL);
75877+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
75878 if (!sbinfo)
75879 return -ENOMEM;
75880
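Review bot: Dropping the `(int)` cast leaves `max()` comparing a `size_t` with `L1_CACHE_BYTES`, whose type is defined outside this hunk. The kernel's `max()` checks that both operands have the same type, so this builds cleanly only where that constant has the same type as `size_t`. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type and does not depend on the per-architecture definition.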
75881diff -urNp linux-2.6.32.48/mm/slab.c linux-2.6.32.48/mm/slab.c
75882--- linux-2.6.32.48/mm/slab.c 2011-11-08 19:02:43.000000000 -0500
75883+++ linux-2.6.32.48/mm/slab.c 2011-11-18 18:01:52.000000000 -0500
75884@@ -174,7 +174,7 @@
75885
75886 /* Legal flag mask for kmem_cache_create(). */
75887 #if DEBUG
75888-# define CREATE_MASK (SLAB_RED_ZONE | \
75889+# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
75890 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
75891 SLAB_CACHE_DMA | \
75892 SLAB_STORE_USER | \
75893@@ -182,7 +182,7 @@
75894 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
75895 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
75896 #else
75897-# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
75898+# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
75899 SLAB_CACHE_DMA | \
75900 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
75901 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
75902@@ -308,7 +308,7 @@ struct kmem_list3 {
75903 * Need this for bootstrapping a per node allocator.
75904 */
75905 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
75906-struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
75907+struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
75908 #define CACHE_CACHE 0
75909 #define SIZE_AC MAX_NUMNODES
75910 #define SIZE_L3 (2 * MAX_NUMNODES)
75911@@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
75912 if ((x)->max_freeable < i) \
75913 (x)->max_freeable = i; \
75914 } while (0)
75915-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
75916-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
75917-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
75918-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
75919+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
75920+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
75921+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
75922+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
75923 #else
75924 #define STATS_INC_ACTIVE(x) do { } while (0)
75925 #define STATS_DEC_ACTIVE(x) do { } while (0)
75926@@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
75927 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
75928 */
75929 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
75930- const struct slab *slab, void *obj)
75931+ const struct slab *slab, const void *obj)
75932 {
75933 u32 offset = (obj - slab->s_mem);
75934 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
75935@@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
75936 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
75937 sizes[INDEX_AC].cs_size,
75938 ARCH_KMALLOC_MINALIGN,
75939- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75940+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75941 NULL);
75942
75943 if (INDEX_AC != INDEX_L3) {
75944@@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
75945 kmem_cache_create(names[INDEX_L3].name,
75946 sizes[INDEX_L3].cs_size,
75947 ARCH_KMALLOC_MINALIGN,
75948- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75949+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75950 NULL);
75951 }
75952
75953@@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
75954 sizes->cs_cachep = kmem_cache_create(names->name,
75955 sizes->cs_size,
75956 ARCH_KMALLOC_MINALIGN,
75957- ARCH_KMALLOC_FLAGS|SLAB_PANIC,
75958+ ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
75959 NULL);
75960 }
75961 #ifdef CONFIG_ZONE_DMA
75962@@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
75963 }
75964 /* cpu stats */
75965 {
75966- unsigned long allochit = atomic_read(&cachep->allochit);
75967- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
75968- unsigned long freehit = atomic_read(&cachep->freehit);
75969- unsigned long freemiss = atomic_read(&cachep->freemiss);
75970+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
75971+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
75972+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
75973+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
75974
75975 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
75976 allochit, allocmiss, freehit, freemiss);
75977@@ -4471,15 +4471,70 @@ static const struct file_operations proc
75978
75979 static int __init slab_proc_init(void)
75980 {
75981- proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
75982+ mode_t gr_mode = S_IRUGO;
75983+
75984+#ifdef CONFIG_GRKERNSEC_PROC_ADD
75985+ gr_mode = S_IRUSR;
75986+#endif
75987+
75988+ proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
75989 #ifdef CONFIG_DEBUG_SLAB_LEAK
75990- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
75991+ proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
75992 #endif
75993 return 0;
75994 }
75995 module_init(slab_proc_init);
75996 #endif
75997
75998+void check_object_size(const void *ptr, unsigned long n, bool to)
75999+{
76000+
76001+#ifdef CONFIG_PAX_USERCOPY
76002+ struct page *page;
76003+ struct kmem_cache *cachep = NULL;
76004+ struct slab *slabp;
76005+ unsigned int objnr;
76006+ unsigned long offset;
76007+ const char *type;
76008+
76009+ if (!n)
76010+ return;
76011+
76012+ type = "<null>";
76013+ if (ZERO_OR_NULL_PTR(ptr))
76014+ goto report;
76015+
76016+ if (!virt_addr_valid(ptr))
76017+ return;
76018+
76019+ page = virt_to_head_page(ptr);
76020+
76021+ type = "<process stack>";
76022+ if (!PageSlab(page)) {
76023+ if (object_is_on_stack(ptr, n) == -1)
76024+ goto report;
76025+ return;
76026+ }
76027+
76028+ cachep = page_get_cache(page);
76029+ type = cachep->name;
76030+ if (!(cachep->flags & SLAB_USERCOPY))
76031+ goto report;
76032+
76033+ slabp = page_get_slab(page);
76034+ objnr = obj_to_index(cachep, slabp, ptr);
76035+ BUG_ON(objnr >= cachep->num);
76036+ offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
76037+ if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
76038+ return;
76039+
76040+report:
76041+ pax_report_usercopy(ptr, n, to, type);
76042+#endif
76043+
76044+}
76045+EXPORT_SYMBOL(check_object_size);
76046+
76047 /**
76048 * ksize - get the actual amount of memory allocated for a given object
76049 * @objp: Pointer to the object
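Review bot: In `check_object_size()`, `BUG_ON(objnr >= cachep->num)` turns a pointer that lies inside a `SLAB_USERCOPY` slab but outside its object array into a kernel BUG instead of a usercopy report. `obj_to_index()` computes `obj - slab->s_mem` into a `u32`, so an address below `s_mem` or past the last object yields an out-of-range index. Every other rejected case in the function ends at `report:`, so `if (objnr >= cachep->num) goto report;` would be consistent and would keep the pointer, length and cache name in the log. The function also has no header comment; a short one should say that it validates a kernel buffer of `n` bytes before a user copy, and what `to` means, confirmed against `pax_report_usercopy()`.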
76050diff -urNp linux-2.6.32.48/mm/slob.c linux-2.6.32.48/mm/slob.c
76051--- linux-2.6.32.48/mm/slob.c 2011-11-08 19:02:43.000000000 -0500
76052+++ linux-2.6.32.48/mm/slob.c 2011-11-18 18:01:52.000000000 -0500
76053@@ -29,7 +29,7 @@
76054 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
76055 * alloc_pages() directly, allocating compound pages so the page order
76056 * does not have to be separately tracked, and also stores the exact
76057- * allocation size in page->private so that it can be used to accurately
76058+ * allocation size in slob_page->size so that it can be used to accurately
76059 * provide ksize(). These objects are detected in kfree() because slob_page()
76060 * is false for them.
76061 *
76062@@ -58,6 +58,7 @@
76063 */
76064
76065 #include <linux/kernel.h>
76066+#include <linux/sched.h>
76067 #include <linux/slab.h>
76068 #include <linux/mm.h>
76069 #include <linux/swap.h> /* struct reclaim_state */
76070@@ -100,7 +101,8 @@ struct slob_page {
76071 unsigned long flags; /* mandatory */
76072 atomic_t _count; /* mandatory */
76073 slobidx_t units; /* free units left in page */
76074- unsigned long pad[2];
76075+ unsigned long pad[1];
76076+ unsigned long size; /* size when >=PAGE_SIZE */
76077 slob_t *free; /* first free slob_t in page */
76078 struct list_head list; /* linked list of free pages */
76079 };
76080@@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
76081 */
76082 static inline int is_slob_page(struct slob_page *sp)
76083 {
76084- return PageSlab((struct page *)sp);
76085+ return PageSlab((struct page *)sp) && !sp->size;
76086 }
76087
76088 static inline void set_slob_page(struct slob_page *sp)
76089@@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
76090
76091 static inline struct slob_page *slob_page(const void *addr)
76092 {
76093- return (struct slob_page *)virt_to_page(addr);
76094+ return (struct slob_page *)virt_to_head_page(addr);
76095 }
76096
76097 /*
76098@@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
76099 /*
76100 * Return the size of a slob block.
76101 */
76102-static slobidx_t slob_units(slob_t *s)
76103+static slobidx_t slob_units(const slob_t *s)
76104 {
76105 if (s->units > 0)
76106 return s->units;
76107@@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
76108 /*
76109 * Return the next free slob block pointer after this one.
76110 */
76111-static slob_t *slob_next(slob_t *s)
76112+static slob_t *slob_next(const slob_t *s)
76113 {
76114 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
76115 slobidx_t next;
76116@@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
76117 /*
76118 * Returns true if s is the last free block in its page.
76119 */
76120-static int slob_last(slob_t *s)
76121+static int slob_last(const slob_t *s)
76122 {
76123 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
76124 }
76125@@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
76126 if (!page)
76127 return NULL;
76128
76129+ set_slob_page(page);
76130 return page_address(page);
76131 }
76132
76133@@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
76134 if (!b)
76135 return NULL;
76136 sp = slob_page(b);
76137- set_slob_page(sp);
76138
76139 spin_lock_irqsave(&slob_lock, flags);
76140 sp->units = SLOB_UNITS(PAGE_SIZE);
76141 sp->free = b;
76142+ sp->size = 0;
76143 INIT_LIST_HEAD(&sp->list);
76144 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
76145 set_slob_page_free(sp, slob_list);
76146@@ -475,10 +478,9 @@ out:
76147 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
76148 #endif
76149
76150-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
76151+static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
76152 {
76153- unsigned int *m;
76154- int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76155+ slob_t *m;
76156 void *ret;
76157
76158 lockdep_trace_alloc(gfp);
76159@@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
76160
76161 if (!m)
76162 return NULL;
76163- *m = size;
76164+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
76165+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
76166+ m[0].units = size;
76167+ m[1].units = align;
76168 ret = (void *)m + align;
76169
76170 trace_kmalloc_node(_RET_IP_, ret,
76171@@ -501,16 +506,25 @@ void *__kmalloc_node(size_t size, gfp_t
76172
76173 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
76174 if (ret) {
76175- struct page *page;
76176- page = virt_to_page(ret);
76177- page->private = size;
76178+ struct slob_page *sp;
76179+ sp = slob_page(ret);
76180+ sp->size = size;
76181 }
76182
76183 trace_kmalloc_node(_RET_IP_, ret,
76184 size, PAGE_SIZE << order, gfp, node);
76185 }
76186
76187- kmemleak_alloc(ret, size, 1, gfp);
76188+ return ret;
76189+}
76190+
76191+void *__kmalloc_node(size_t size, gfp_t gfp, int node)
76192+{
76193+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76194+ void *ret = __kmalloc_node_align(size, gfp, node, align);
76195+
76196+ if (!ZERO_OR_NULL_PTR(ret))
76197+ kmemleak_alloc(ret, size, 1, gfp);
76198 return ret;
76199 }
76200 EXPORT_SYMBOL(__kmalloc_node);
76201@@ -528,13 +542,92 @@ void kfree(const void *block)
76202 sp = slob_page(block);
76203 if (is_slob_page(sp)) {
76204 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76205- unsigned int *m = (unsigned int *)(block - align);
76206- slob_free(m, *m + align);
76207- } else
76208+ slob_t *m = (slob_t *)(block - align);
76209+ slob_free(m, m[0].units + align);
76210+ } else {
76211+ clear_slob_page(sp);
76212+ free_slob_page(sp);
76213+ sp->size = 0;
76214 put_page(&sp->page);
76215+ }
76216 }
76217 EXPORT_SYMBOL(kfree);
76218
76219+void check_object_size(const void *ptr, unsigned long n, bool to)
76220+{
76221+
76222+#ifdef CONFIG_PAX_USERCOPY
76223+ struct slob_page *sp;
76224+ const slob_t *free;
76225+ const void *base;
76226+ unsigned long flags;
76227+ const char *type;
76228+
76229+ if (!n)
76230+ return;
76231+
76232+ type = "<null>";
76233+ if (ZERO_OR_NULL_PTR(ptr))
76234+ goto report;
76235+
76236+ if (!virt_addr_valid(ptr))
76237+ return;
76238+
76239+ type = "<process stack>";
76240+ sp = slob_page(ptr);
76241+ if (!PageSlab((struct page*)sp)) {
76242+ if (object_is_on_stack(ptr, n) == -1)
76243+ goto report;
76244+ return;
76245+ }
76246+
76247+ type = "<slob>";
76248+ if (sp->size) {
76249+ base = page_address(&sp->page);
76250+ if (base <= ptr && n <= sp->size - (ptr - base))
76251+ return;
76252+ goto report;
76253+ }
76254+
76255+ /* some tricky double walking to find the chunk */
76256+ spin_lock_irqsave(&slob_lock, flags);
76257+ base = (void *)((unsigned long)ptr & PAGE_MASK);
76258+ free = sp->free;
76259+
76260+ while (!slob_last(free) && (void *)free <= ptr) {
76261+ base = free + slob_units(free);
76262+ free = slob_next(free);
76263+ }
76264+
76265+ while (base < (void *)free) {
76266+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
76267+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
76268+ int offset;
76269+
76270+ if (ptr < base + align)
76271+ break;
76272+
76273+ offset = ptr - base - align;
76274+ if (offset >= m) {
76275+ base += size;
76276+ continue;
76277+ }
76278+
76279+ if (n > m - offset)
76280+ break;
76281+
76282+ spin_unlock_irqrestore(&slob_lock, flags);
76283+ return;
76284+ }
76285+
76286+ spin_unlock_irqrestore(&slob_lock, flags);
76287+report:
76288+ pax_report_usercopy(ptr, n, to, type);
76289+#endif
76290+
76291+}
76292+EXPORT_SYMBOL(check_object_size);
76293+
76294 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
76295 size_t ksize(const void *block)
76296 {
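Review bot: In the slob `check_object_size()`, the large-allocation branch `if (base <= ptr && n <= sp->size - (ptr - base))` does not check that `ptr - base` is within `sp->size`. `slob_page()` now resolves to the head of the compound page, and the allocation may be shorter than the pages backing it, so for a pointer in that tail the unsigned subtraction wraps and any `n` is accepted. The slab and slub versions test `offset <= size` first; the equivalent here is `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. The comment `/* some tricky double walking to find the chunk */` could also say what the two loops do: the first appears to find the start of the allocated run containing `ptr`, the second to step through the size/align headers in that run.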
76297@@ -547,10 +640,10 @@ size_t ksize(const void *block)
76298 sp = slob_page(block);
76299 if (is_slob_page(sp)) {
76300 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
76301- unsigned int *m = (unsigned int *)(block - align);
76302- return SLOB_UNITS(*m) * SLOB_UNIT;
76303+ slob_t *m = (slob_t *)(block - align);
76304+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
76305 } else
76306- return sp->page.private;
76307+ return sp->size;
76308 }
76309 EXPORT_SYMBOL(ksize);
76310
76311@@ -566,8 +659,13 @@ struct kmem_cache *kmem_cache_create(con
76312 {
76313 struct kmem_cache *c;
76314
76315+#ifdef CONFIG_PAX_USERCOPY
76316+ c = __kmalloc_node_align(sizeof(struct kmem_cache),
76317+ GFP_KERNEL, -1, ARCH_KMALLOC_MINALIGN);
76318+#else
76319 c = slob_alloc(sizeof(struct kmem_cache),
76320 GFP_KERNEL, ARCH_KMALLOC_MINALIGN, -1);
76321+#endif
76322
76323 if (c) {
76324 c->name = name;
76325@@ -605,17 +703,25 @@ void *kmem_cache_alloc_node(struct kmem_
76326 {
76327 void *b;
76328
76329+#ifdef CONFIG_PAX_USERCOPY
76330+ b = __kmalloc_node_align(c->size, flags, node, c->align);
76331+#else
76332 if (c->size < PAGE_SIZE) {
76333 b = slob_alloc(c->size, flags, c->align, node);
76334 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
76335 SLOB_UNITS(c->size) * SLOB_UNIT,
76336 flags, node);
76337 } else {
76338+ struct slob_page *sp;
76339+
76340 b = slob_new_pages(flags, get_order(c->size), node);
76341+ sp = slob_page(b);
76342+ sp->size = c->size;
76343 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
76344 PAGE_SIZE << get_order(c->size),
76345 flags, node);
76346 }
76347+#endif
76348
76349 if (c->ctor)
76350 c->ctor(b);
76351@@ -627,10 +733,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
76352
76353 static void __kmem_cache_free(void *b, int size)
76354 {
76355- if (size < PAGE_SIZE)
76356+ struct slob_page *sp = slob_page(b);
76357+
76358+ if (is_slob_page(sp))
76359 slob_free(b, size);
76360- else
76361+ else {
76362+ clear_slob_page(sp);
76363+ free_slob_page(sp);
76364+ sp->size = 0;
76365 slob_free_pages(b, get_order(size));
76366+ }
76367 }
76368
76369 static void kmem_rcu_free(struct rcu_head *head)
76370@@ -643,18 +755,32 @@ static void kmem_rcu_free(struct rcu_hea
76371
76372 void kmem_cache_free(struct kmem_cache *c, void *b)
76373 {
76374+ int size = c->size;
76375+
76376+#ifdef CONFIG_PAX_USERCOPY
76377+ if (size + c->align < PAGE_SIZE) {
76378+ size += c->align;
76379+ b -= c->align;
76380+ }
76381+#endif
76382+
76383 kmemleak_free_recursive(b, c->flags);
76384 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
76385 struct slob_rcu *slob_rcu;
76386- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
76387+ slob_rcu = b + (size - sizeof(struct slob_rcu));
76388 INIT_RCU_HEAD(&slob_rcu->head);
76389- slob_rcu->size = c->size;
76390+ slob_rcu->size = size;
76391 call_rcu(&slob_rcu->head, kmem_rcu_free);
76392 } else {
76393- __kmem_cache_free(b, c->size);
76394+ __kmem_cache_free(b, size);
76395 }
76396
76397+#ifdef CONFIG_PAX_USERCOPY
76398+ trace_kfree(_RET_IP_, b);
76399+#else
76400 trace_kmem_cache_free(_RET_IP_, b);
76401+#endif
76402+
76403 }
76404 EXPORT_SYMBOL(kmem_cache_free);
76405
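Review bot: Under `CONFIG_PAX_USERCOPY` the pointer is rewound with `b -= c->align` before `kmemleak_free_recursive(b, c->flags)` and `trace_kfree(_RET_IP_, b)`, so both receive the header address, not the object address the caller passed. The allocation side is outside this hunk, but `__kmalloc_node_align()` returns `(void *)m + align`, so if kmemleak and the tracepoint were given that value on allocation, the free will not match it. Keeping the caller's pointer avoids that: `void *obj = b;` before the adjustment, then `kmemleak_free_recursive(obj, c->flags);` and `trace_kfree(_RET_IP_, obj);`. The threshold `size + c->align < PAGE_SIZE` also has to stay identical to whatever small/large test the allocation path uses, which deserves a comment.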
76406diff -urNp linux-2.6.32.48/mm/slub.c linux-2.6.32.48/mm/slub.c
76407--- linux-2.6.32.48/mm/slub.c 2011-11-08 19:02:43.000000000 -0500
76408+++ linux-2.6.32.48/mm/slub.c 2011-11-18 18:01:52.000000000 -0500
76409@@ -201,7 +201,7 @@ struct track {
76410
76411 enum track_item { TRACK_ALLOC, TRACK_FREE };
76412
76413-#ifdef CONFIG_SLUB_DEBUG
76414+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76415 static int sysfs_slab_add(struct kmem_cache *);
76416 static int sysfs_slab_alias(struct kmem_cache *, const char *);
76417 static void sysfs_slab_remove(struct kmem_cache *);
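Review bot: The guard `#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)` is spelled out here and again around `sysfs_slab_add()`/`sysfs_slab_remove()` and `sysfs_slab_alias()` later in the file. The prototypes, the definitions and any fallback stubs (outside these hunks) only stay consistent if all copies are edited together; defining one file-local macro once and testing it in each place would remove that risk. A one-line comment saying that the sysfs slab entries are left out when `CONFIG_GRKERNSEC_PROC_ADD` is set would explain the change.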
76418@@ -410,7 +410,7 @@ static void print_track(const char *s, s
76419 if (!t->addr)
76420 return;
76421
76422- printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
76423+ printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
76424 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
76425 }
76426
76427@@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
76428
76429 page = virt_to_head_page(x);
76430
76431+ BUG_ON(!PageSlab(page));
76432+
76433 slab_free(s, page, x, _RET_IP_);
76434
76435 trace_kmem_cache_free(_RET_IP_, x);
76436@@ -1937,7 +1939,7 @@ static int slub_min_objects;
76437 * Merge control. If this is set then no merging of slab caches will occur.
76438 * (Could be removed. This was introduced to pacify the merge skeptics.)
76439 */
76440-static int slub_nomerge;
76441+static int slub_nomerge = 1;
76442
76443 /*
76444 * Calculate the order of allocation given an slab object size.
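Review bot: `slub_nomerge` now defaults to 1, but the comment above it still only describes what the flag does, not why merging is off by default in this tree. The only visible control is the `slub_nomerge` boot parameter, which presumably also sets the flag, so there appears to be no way left to turn merging back on. If that is intended, say so, e.g. `/* merging is disabled by default so unrelated object types do not share slabs */`; if it is not, the new default needs a matching way to clear it.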
76445@@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
76446 * list to avoid pounding the page allocator excessively.
76447 */
76448 set_min_partial(s, ilog2(s->size));
76449- s->refcount = 1;
76450+ atomic_set(&s->refcount, 1);
76451 #ifdef CONFIG_NUMA
76452 s->remote_node_defrag_ratio = 1000;
76453 #endif
76454@@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
76455 void kmem_cache_destroy(struct kmem_cache *s)
76456 {
76457 down_write(&slub_lock);
76458- s->refcount--;
76459- if (!s->refcount) {
76460+ if (atomic_dec_and_test(&s->refcount)) {
76461 list_del(&s->list);
76462 up_write(&slub_lock);
76463 if (kmem_cache_close(s)) {
76464@@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
76465 __setup("slub_nomerge", setup_slub_nomerge);
76466
76467 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
76468- const char *name, int size, gfp_t gfp_flags)
76469+ const char *name, int size, gfp_t gfp_flags, unsigned int flags)
76470 {
76471- unsigned int flags = 0;
76472-
76473 if (gfp_flags & SLUB_DMA)
76474- flags = SLAB_CACHE_DMA;
76475+ flags |= SLAB_CACHE_DMA;
76476
76477 /*
76478 * This function is called with IRQs disabled during early-boot on
76479@@ -2915,6 +2914,50 @@ void *__kmalloc_node(size_t size, gfp_t
76480 EXPORT_SYMBOL(__kmalloc_node);
76481 #endif
76482
76483+void check_object_size(const void *ptr, unsigned long n, bool to)
76484+{
76485+
76486+#ifdef CONFIG_PAX_USERCOPY
76487+ struct page *page;
76488+ struct kmem_cache *s = NULL;
76489+ unsigned long offset;
76490+ const char *type;
76491+
76492+ if (!n)
76493+ return;
76494+
76495+ type = "<null>";
76496+ if (ZERO_OR_NULL_PTR(ptr))
76497+ goto report;
76498+
76499+ if (!virt_addr_valid(ptr))
76500+ return;
76501+
76502+ page = get_object_page(ptr);
76503+
76504+ type = "<process stack>";
76505+ if (!page) {
76506+ if (object_is_on_stack(ptr, n) == -1)
76507+ goto report;
76508+ return;
76509+ }
76510+
76511+ s = page->slab;
76512+ type = s->name;
76513+ if (!(s->flags & SLAB_USERCOPY))
76514+ goto report;
76515+
76516+ offset = (ptr - page_address(page)) % s->size;
76517+ if (offset <= s->objsize && n <= s->objsize - offset)
76518+ return;
76519+
76520+report:
76521+ pax_report_usercopy(ptr, n, to, type);
76522+#endif
76523+
76524+}
76525+EXPORT_SYMBOL(check_object_size);
76526+
76527 size_t ksize(const void *object)
76528 {
76529 struct page *page;
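Review bot: This is the third copy of `check_object_size()` in the patch (slab.c, slob.c, slub.c), and the opening steps — zero length, `ZERO_OR_NULL_PTR`, `virt_addr_valid`, the stack test — are the same in all three. Moving that prologue into one shared helper and leaving only the allocator-specific bounds test per file would keep them from drifting. The function also lacks a header comment; it should say that an address for which `get_object_page()` returns NULL is only checked against the stack, so readers do not assume other buffers are bounded here. A short why-comment on the `%` line would help too: `offset` is the position inside the `s->size` slot, which is why it is compared with `s->objsize`.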
76530@@ -3185,8 +3228,8 @@ void __init kmem_cache_init(void)
76531 * kmem_cache_open for slab_state == DOWN.
76532 */
76533 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
76534- sizeof(struct kmem_cache_node), GFP_NOWAIT);
76535- kmalloc_caches[0].refcount = -1;
76536+ sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
76537+ atomic_set(&kmalloc_caches[0].refcount, -1);
76538 caches++;
76539
76540 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
76541@@ -3198,18 +3241,18 @@ void __init kmem_cache_init(void)
76542 /* Caches that are not of the two-to-the-power-of size */
76543 if (KMALLOC_MIN_SIZE <= 32) {
76544 create_kmalloc_cache(&kmalloc_caches[1],
76545- "kmalloc-96", 96, GFP_NOWAIT);
76546+ "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
76547 caches++;
76548 }
76549 if (KMALLOC_MIN_SIZE <= 64) {
76550 create_kmalloc_cache(&kmalloc_caches[2],
76551- "kmalloc-192", 192, GFP_NOWAIT);
76552+ "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
76553 caches++;
76554 }
76555
76556 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
76557 create_kmalloc_cache(&kmalloc_caches[i],
76558- "kmalloc", 1 << i, GFP_NOWAIT);
76559+ "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
76560 caches++;
76561 }
76562
76563@@ -3293,7 +3336,7 @@ static int slab_unmergeable(struct kmem_
76564 /*
76565 * We may have set a slab to be unmergeable during bootstrap.
76566 */
76567- if (s->refcount < 0)
76568+ if (atomic_read(&s->refcount) < 0)
76569 return 1;
76570
76571 return 0;
76572@@ -3353,7 +3396,7 @@ struct kmem_cache *kmem_cache_create(con
76573 if (s) {
76574 int cpu;
76575
76576- s->refcount++;
76577+ atomic_inc(&s->refcount);
76578 /*
76579 * Adjust the object sizes so that we clear
76580 * the complete object on kzalloc.
76581@@ -3372,7 +3415,7 @@ struct kmem_cache *kmem_cache_create(con
76582
76583 if (sysfs_slab_alias(s, name)) {
76584 down_write(&slub_lock);
76585- s->refcount--;
76586+ atomic_dec(&s->refcount);
76587 up_write(&slub_lock);
76588 goto err;
76589 }
76590@@ -4101,7 +4144,7 @@ SLAB_ATTR_RO(ctor);
76591
76592 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
76593 {
76594- return sprintf(buf, "%d\n", s->refcount - 1);
76595+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
76596 }
76597 SLAB_ATTR_RO(aliases);
76598
76599@@ -4503,7 +4546,7 @@ static void kmem_cache_release(struct ko
76600 kfree(s);
76601 }
76602
76603-static struct sysfs_ops slab_sysfs_ops = {
76604+static const struct sysfs_ops slab_sysfs_ops = {
76605 .show = slab_attr_show,
76606 .store = slab_attr_store,
76607 };
76608@@ -4522,7 +4565,7 @@ static int uevent_filter(struct kset *ks
76609 return 0;
76610 }
76611
76612-static struct kset_uevent_ops slab_uevent_ops = {
76613+static const struct kset_uevent_ops slab_uevent_ops = {
76614 .filter = uevent_filter,
76615 };
76616
76617@@ -4564,6 +4607,7 @@ static char *create_unique_id(struct kme
76618 return name;
76619 }
76620
76621+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76622 static int sysfs_slab_add(struct kmem_cache *s)
76623 {
76624 int err;
76625@@ -4619,6 +4663,7 @@ static void sysfs_slab_remove(struct kme
76626 kobject_del(&s->kobj);
76627 kobject_put(&s->kobj);
76628 }
76629+#endif
76630
76631 /*
76632 * Need to buffer aliases during bootup until sysfs becomes
76633@@ -4632,6 +4677,7 @@ struct saved_alias {
76634
76635 static struct saved_alias *alias_list;
76636
76637+#if defined(CONFIG_SLUB_DEBUG) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
76638 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
76639 {
76640 struct saved_alias *al;
76641@@ -4654,6 +4700,7 @@ static int sysfs_slab_alias(struct kmem_
76642 alias_list = al;
76643 return 0;
76644 }
76645+#endif
76646
76647 static int __init slab_sysfs_init(void)
76648 {
76649@@ -4785,7 +4832,13 @@ static const struct file_operations proc
76650
76651 static int __init slab_proc_init(void)
76652 {
76653- proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
76654+ mode_t gr_mode = S_IRUGO;
76655+
76656+#ifdef CONFIG_GRKERNSEC_PROC_ADD
76657+ gr_mode = S_IRUSR;
76658+#endif
76659+
76660+ proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
76661 return 0;
76662 }
76663 module_init(slab_proc_init);
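Review bot: The new `gr_mode` local in slab_proc_init() is assigned and then conditionally overwritten, and nothing says why `slabinfo` drops from `S_IRUGO` to `S_IRUSR` under `CONFIG_GRKERNSEC_PROC_ADD`. Selecting the value once keeps the variable `const` and the intent readable: `const mode_t gr_mode = S_IRUSR;` under `#ifdef CONFIG_GRKERNSEC_PROC_ADD` and `const mode_t gr_mode = S_IRUGO;` under `#else`, with a comment such as `/* slab statistics expose kernel heap state; owner-only when PROC_ADD is set */`. The setup_vmstat() hunk in mm/vmstat.c uses the same assign-then-override pattern and would take the same change.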
76664diff -urNp linux-2.6.32.48/mm/swap.c linux-2.6.32.48/mm/swap.c
76665--- linux-2.6.32.48/mm/swap.c 2011-11-08 19:02:43.000000000 -0500
76666+++ linux-2.6.32.48/mm/swap.c 2011-11-15 19:59:43.000000000 -0500
76667@@ -30,6 +30,7 @@
76668 #include <linux/notifier.h>
76669 #include <linux/backing-dev.h>
76670 #include <linux/memcontrol.h>
76671+#include <linux/hugetlb.h>
76672
76673 #include "internal.h"
76674
76675@@ -65,6 +66,8 @@ static void put_compound_page(struct pag
76676 compound_page_dtor *dtor;
76677
76678 dtor = get_compound_page_dtor(page);
76679+ if (!PageHuge(page))
76680+ BUG_ON(dtor != free_compound_page);
76681 (*dtor)(page);
76682 }
76683 }
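Review bot: The destructor check added to put_compound_page() nests a `BUG_ON` under an unbraced `if` and does not say why hugetlb pages are exempt. A single statement reads more directly, `BUG_ON(!PageHuge(page) && dtor != free_compound_page);`, preceded by a comment that the stored destructor is validated before the indirect call `(*dtor)(page)`. For huge pages the pointer is still called unchecked; if the hugetlb destructor is one known function (not visible in this hunk), comparing against it would cover that case as well. put_compound_page() begins before the hunk.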
76684diff -urNp linux-2.6.32.48/mm/util.c linux-2.6.32.48/mm/util.c
76685--- linux-2.6.32.48/mm/util.c 2011-11-08 19:02:43.000000000 -0500
76686+++ linux-2.6.32.48/mm/util.c 2011-11-15 19:59:43.000000000 -0500
76687@@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
76688 void arch_pick_mmap_layout(struct mm_struct *mm)
76689 {
76690 mm->mmap_base = TASK_UNMAPPED_BASE;
76691+
76692+#ifdef CONFIG_PAX_RANDMMAP
76693+ if (mm->pax_flags & MF_PAX_RANDMMAP)
76694+ mm->mmap_base += mm->delta_mmap;
76695+#endif
76696+
76697 mm->get_unmapped_area = arch_get_unmapped_area;
76698 mm->unmap_area = arch_unmap_area;
76699 }
76700diff -urNp linux-2.6.32.48/mm/vmalloc.c linux-2.6.32.48/mm/vmalloc.c
76701--- linux-2.6.32.48/mm/vmalloc.c 2011-11-08 19:02:43.000000000 -0500
76702+++ linux-2.6.32.48/mm/vmalloc.c 2011-11-15 19:59:43.000000000 -0500
76703@@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
76704
76705 pte = pte_offset_kernel(pmd, addr);
76706 do {
76707- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
76708- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
76709+
76710+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76711+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
76712+ BUG_ON(!pte_exec(*pte));
76713+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
76714+ continue;
76715+ }
76716+#endif
76717+
76718+ {
76719+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
76720+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
76721+ }
76722 } while (pte++, addr += PAGE_SIZE, addr != end);
76723 }
76724
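Review bot: The KERNEXEC branch added to vunmap_pte_range() rewrites the PTE with `set_pte_at()` instead of clearing it, and no comment explains that addresses between `MODULES_EXEC_VADDR` and `MODULES_EXEC_END` are put back to a `PAGE_KERNEL_EXEC` mapping of `__pa(addr)` on unmap. It also calls `set_pte_at()` directly, whereas vmap_pte_range() in the next hunk brackets its page-table writes with `pax_open_kernel()`/`pax_close_kernel()`; whether that bracket is unnecessary here or supplied by a caller is not visible. A comment at the top of the branch covering both points would make the asymmetry reviewable. The function begins before the hunk.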
76725@@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
76726 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
76727 {
76728 pte_t *pte;
76729+ int ret = -ENOMEM;
76730
76731 /*
76732 * nr is a running index into the array which helps higher level
76733@@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
76734 pte = pte_alloc_kernel(pmd, addr);
76735 if (!pte)
76736 return -ENOMEM;
76737+
76738+ pax_open_kernel();
76739 do {
76740 struct page *page = pages[*nr];
76741
76742- if (WARN_ON(!pte_none(*pte)))
76743- return -EBUSY;
76744- if (WARN_ON(!page))
76745- return -ENOMEM;
76746+#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76747+ if (!(pgprot_val(prot) & _PAGE_NX))
76748+ BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
76749+ else
76750+#endif
76751+
76752+ if (WARN_ON(!pte_none(*pte))) {
76753+ ret = -EBUSY;
76754+ goto out;
76755+ }
76756+ if (WARN_ON(!page)) {
76757+ ret = -ENOMEM;
76758+ goto out;
76759+ }
76760 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
76761 (*nr)++;
76762 } while (pte++, addr += PAGE_SIZE, addr != end);
76763- return 0;
76764+ ret = 0;
76765+out:
76766+ pax_close_kernel();
76767+ return ret;
76768 }
76769
76770 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
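Review bot: The `else` left hanging before `#endif` in vmap_pte_range() attaches only to the next statement, `if (WARN_ON(!pte_none(*pte)))`, so an executable mapping skips the empty-PTE test but still goes through the `!page` test and `set_pte_at()`. That reading is easy to miss, and a statement later inserted right after `#endif` would silently become the `else` body. Marking it is cheap: write `else /* non-exec mapping: the PTE must still be empty */` on the line before `#endif`. The same preprocessor-straddling `if`/`else` appears in the vmalloc_to_page() and __vmalloc_node() hunks of this file.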
76771@@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
76772 * and fall back on vmalloc() if that fails. Others
76773 * just put it in the vmalloc space.
76774 */
76775-#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
76776+#ifdef CONFIG_MODULES
76777+#ifdef MODULES_VADDR
76778 unsigned long addr = (unsigned long)x;
76779 if (addr >= MODULES_VADDR && addr < MODULES_END)
76780 return 1;
76781 #endif
76782+
76783+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
76784+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
76785+ return 1;
76786+#endif
76787+
76788+#endif
76789+
76790 return is_vmalloc_addr(x);
76791 }
76792
76793@@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
76794
76795 if (!pgd_none(*pgd)) {
76796 pud_t *pud = pud_offset(pgd, addr);
76797+#ifdef CONFIG_X86
76798+ if (!pud_large(*pud))
76799+#endif
76800 if (!pud_none(*pud)) {
76801 pmd_t *pmd = pmd_offset(pud, addr);
76802+#ifdef CONFIG_X86
76803+ if (!pmd_large(*pmd))
76804+#endif
76805 if (!pmd_none(*pmd)) {
76806 pte_t *ptep, pte;
76807
76808@@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
76809 struct rb_node *tmp;
76810
76811 while (*p) {
76812- struct vmap_area *tmp;
76813+ struct vmap_area *varea;
76814
76815 parent = *p;
76816- tmp = rb_entry(parent, struct vmap_area, rb_node);
76817- if (va->va_start < tmp->va_end)
76818+ varea = rb_entry(parent, struct vmap_area, rb_node);
76819+ if (va->va_start < varea->va_end)
76820 p = &(*p)->rb_left;
76821- else if (va->va_end > tmp->va_start)
76822+ else if (va->va_end > varea->va_start)
76823 p = &(*p)->rb_right;
76824 else
76825 BUG();
76826@@ -1233,6 +1275,16 @@ static struct vm_struct *__get_vm_area_n
76827 struct vm_struct *area;
76828
76829 BUG_ON(in_interrupt());
76830+
76831+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76832+ if (flags & VM_KERNEXEC) {
76833+ if (start != VMALLOC_START || end != VMALLOC_END)
76834+ return NULL;
76835+ start = (unsigned long)MODULES_EXEC_VADDR;
76836+ end = (unsigned long)MODULES_EXEC_END;
76837+ }
76838+#endif
76839+
76840 if (flags & VM_IOREMAP) {
76841 int bit = fls(size);
76842
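Review bot: When `VM_KERNEXEC` is set and the caller passed a range other than `VMALLOC_START`/`VMALLOC_END`, __get_vm_area_node() returns NULL without any diagnostic, which callers cannot tell apart from an allocation failure. That combination looks like a caller error rather than memory pressure, so flagging it helps: `if (WARN_ON_ONCE(start != VMALLOC_START || end != VMALLOC_END)) return NULL;`. This block is guarded by `CONFIG_X86` while the PTE-level checks in vunmap_pte_range() and vmap_pte_range() use `CONFIG_X86_32`; a comment saying the difference is deliberate would save a reader the question. The function continues outside the hunk.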
76843@@ -1458,6 +1510,11 @@ void *vmap(struct page **pages, unsigned
76844 if (count > totalram_pages)
76845 return NULL;
76846
76847+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76848+ if (!(pgprot_val(prot) & _PAGE_NX))
76849+ flags |= VM_KERNEXEC;
76850+#endif
76851+
76852 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
76853 __builtin_return_address(0));
76854 if (!area)
76855@@ -1568,6 +1625,13 @@ static void *__vmalloc_node(unsigned lon
76856 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
76857 return NULL;
76858
76859+#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
76860+ if (!(pgprot_val(prot) & _PAGE_NX))
76861+ area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
76862+ node, gfp_mask, caller);
76863+ else
76864+#endif
76865+
76866 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
76867 VMALLOC_END, node, gfp_mask, caller);
76868
76869@@ -1586,6 +1650,7 @@ static void *__vmalloc_node(unsigned lon
76870 return addr;
76871 }
76872
76873+#undef __vmalloc
76874 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
76875 {
76876 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
76877@@ -1602,6 +1667,7 @@ EXPORT_SYMBOL(__vmalloc);
76878 * For tight control over page level allocator and protection flags
76879 * use __vmalloc() instead.
76880 */
76881+#undef vmalloc
76882 void *vmalloc(unsigned long size)
76883 {
76884 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
76885@@ -1616,6 +1682,7 @@ EXPORT_SYMBOL(vmalloc);
76886 * The resulting memory area is zeroed so it can be mapped to userspace
76887 * without leaking data.
76888 */
76889+#undef vmalloc_user
76890 void *vmalloc_user(unsigned long size)
76891 {
76892 struct vm_struct *area;
76893@@ -1643,6 +1710,7 @@ EXPORT_SYMBOL(vmalloc_user);
76894 * For tight control over page level allocator and protection flags
76895 * use __vmalloc() instead.
76896 */
76897+#undef vmalloc_node
76898 void *vmalloc_node(unsigned long size, int node)
76899 {
76900 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
76901@@ -1665,10 +1733,10 @@ EXPORT_SYMBOL(vmalloc_node);
76902 * For tight control over page level allocator and protection flags
76903 * use __vmalloc() instead.
76904 */
76905-
76906+#undef vmalloc_exec
76907 void *vmalloc_exec(unsigned long size)
76908 {
76909- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
76910+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
76911 -1, __builtin_return_address(0));
76912 }
76913
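Review bot: vmalloc_exec() now passes `__GFP_ZERO`, but the kernel-doc comment above it (its start is outside the hunk) is left as it was, and the visible part does not mention that the returned memory is zeroed. Recording that an executable mapping never starts out with stale page contents is useful to callers and auditors; adding ` * The returned memory is zeroed.` to the comment does it. The `#undef vmalloc_exec` line that replaces the blank line also has no comment naming the definition it cancels.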
76914@@ -1687,6 +1755,7 @@ void *vmalloc_exec(unsigned long size)
76915 * Allocate enough 32bit PA addressable pages to cover @size from the
76916 * page level allocator and map them into contiguous kernel virtual space.
76917 */
76918+#undef vmalloc_32
76919 void *vmalloc_32(unsigned long size)
76920 {
76921 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
76922@@ -1701,6 +1770,7 @@ EXPORT_SYMBOL(vmalloc_32);
76923 * The resulting memory area is 32bit addressable and zeroed so it can be
76924 * mapped to userspace without leaking data.
76925 */
76926+#undef vmalloc_32_user
76927 void *vmalloc_32_user(unsigned long size)
76928 {
76929 struct vm_struct *area;
76930@@ -1965,6 +2035,8 @@ int remap_vmalloc_range(struct vm_area_s
76931 unsigned long uaddr = vma->vm_start;
76932 unsigned long usize = vma->vm_end - vma->vm_start;
76933
76934+ BUG_ON(vma->vm_mirror);
76935+
76936 if ((PAGE_SIZE-1) & (unsigned long)addr)
76937 return -EINVAL;
76938
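Review bot: `BUG_ON(vma->vm_mirror)` at the top of remap_vmalloc_range() halts the kernel on a condition the function could reject the way it rejects a misaligned `addr` two lines later. If a mirrored VMA can reach this path from an mmap handler (the hunk does not show whether it can), returning an error is the safer failure mode: `if (WARN_ON(vma->vm_mirror)) return -EINVAL;`. A short comment on what `vm_mirror` marks would also help, since the field is not defined in this file section. The function continues past the hunk.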
76939diff -urNp linux-2.6.32.48/mm/vmstat.c linux-2.6.32.48/mm/vmstat.c
76940--- linux-2.6.32.48/mm/vmstat.c 2011-11-08 19:02:43.000000000 -0500
76941+++ linux-2.6.32.48/mm/vmstat.c 2011-11-15 19:59:43.000000000 -0500
76942@@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
76943 *
76944 * vm_stat contains the global counters
76945 */
76946-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
76947+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
76948 EXPORT_SYMBOL(vm_stat);
76949
76950 #ifdef CONFIG_SMP
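Review bot: The switch of `vm_stat` to `atomic_long_unchecked_t` comes without a comment saying why this counter is exempt from the checked atomic type. Judging by the name, the `_unchecked` variants opt out of overflow detection, which is reasonable for statistics but should be stated so that a reference count is never converted the same way by analogy: `/* statistics only, wrap-around is harmless; not a refcount */`. The same applies to the `rx_drop` and AAL/SONET statistics in the net/atm hunks and to `flow_cache_genid` in net/core/flow.c.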
76951@@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
76952 v = p->vm_stat_diff[i];
76953 p->vm_stat_diff[i] = 0;
76954 local_irq_restore(flags);
76955- atomic_long_add(v, &zone->vm_stat[i]);
76956+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
76957 global_diff[i] += v;
76958 #ifdef CONFIG_NUMA
76959 /* 3 seconds idle till flush */
76960@@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
76961
76962 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
76963 if (global_diff[i])
76964- atomic_long_add(global_diff[i], &vm_stat[i]);
76965+ atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
76966 }
76967
76968 #endif
76969@@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
76970 start_cpu_timer(cpu);
76971 #endif
76972 #ifdef CONFIG_PROC_FS
76973- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
76974- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
76975- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
76976- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
76977+ {
76978+ mode_t gr_mode = S_IRUGO;
76979+#ifdef CONFIG_GRKERNSEC_PROC_ADD
76980+ gr_mode = S_IRUSR;
76981+#endif
76982+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
76983+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
76984+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
76985+ proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
76986+#else
76987+ proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
76988+#endif
76989+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
76990+ }
76991 #endif
76992 return 0;
76993 }
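Review bot: In setup_vmstat() only the `vmstat` entry gets `gr_mode | S_IRGRP` under `CONFIG_GRKERNSEC_PROC_USERGROUP`, with no comment on why it differs from `buddyinfo`, `pagetypeinfo` and `zoneinfo` or on which group is meant. `proc_create()` as called here passes only a mode, so the owning group must be applied somewhere outside this hunk, if at all. A comment such as `/* vmstat stays readable by the configured proc group; gid is set in <location not shown here> */` would make the permission auditable from this file.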
76994diff -urNp linux-2.6.32.48/net/8021q/vlan.c linux-2.6.32.48/net/8021q/vlan.c
76995--- linux-2.6.32.48/net/8021q/vlan.c 2011-11-08 19:02:43.000000000 -0500
76996+++ linux-2.6.32.48/net/8021q/vlan.c 2011-11-15 19:59:43.000000000 -0500
76997@@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
76998 err = -EPERM;
76999 if (!capable(CAP_NET_ADMIN))
77000 break;
77001- if ((args.u.name_type >= 0) &&
77002- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
77003+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
77004 struct vlan_net *vn;
77005
77006 vn = net_generic(net, vlan_net_id);
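Review bot: Dropping the `args.u.name_type >= 0` test in vlan_ioctl_handler() is only safe if `name_type` is an unsigned field, which this hunk does not show. If it is signed, a negative value from the ioctl argument now passes the remaining upper-bound test. Making the assumption explicit costs nothing: `if ((unsigned int)args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {`. The handler's body continues outside the hunk.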
77007diff -urNp linux-2.6.32.48/net/9p/trans_fd.c linux-2.6.32.48/net/9p/trans_fd.c
77008--- linux-2.6.32.48/net/9p/trans_fd.c 2011-11-08 19:02:43.000000000 -0500
77009+++ linux-2.6.32.48/net/9p/trans_fd.c 2011-11-15 19:59:43.000000000 -0500
77010@@ -419,7 +419,7 @@ static int p9_fd_write(struct p9_client
77011 oldfs = get_fs();
77012 set_fs(get_ds());
77013 /* The cast to a user pointer is valid due to the set_fs() */
77014- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
77015+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
77016 set_fs(oldfs);
77017
77018 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
77019diff -urNp linux-2.6.32.48/net/atm/atm_misc.c linux-2.6.32.48/net/atm/atm_misc.c
77020--- linux-2.6.32.48/net/atm/atm_misc.c 2011-11-08 19:02:43.000000000 -0500
77021+++ linux-2.6.32.48/net/atm/atm_misc.c 2011-11-15 19:59:43.000000000 -0500
77022@@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
77023 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
77024 return 1;
77025 atm_return(vcc,truesize);
77026- atomic_inc(&vcc->stats->rx_drop);
77027+ atomic_inc_unchecked(&vcc->stats->rx_drop);
77028 return 0;
77029 }
77030
77031@@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
77032 }
77033 }
77034 atm_return(vcc,guess);
77035- atomic_inc(&vcc->stats->rx_drop);
77036+ atomic_inc_unchecked(&vcc->stats->rx_drop);
77037 return NULL;
77038 }
77039
77040@@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
77041
77042 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
77043 {
77044-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
77045+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
77046 __SONET_ITEMS
77047 #undef __HANDLE_ITEM
77048 }
77049@@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
77050
77051 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
77052 {
77053-#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
77054+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
77055 __SONET_ITEMS
77056 #undef __HANDLE_ITEM
77057 }
77058diff -urNp linux-2.6.32.48/net/atm/lec.h linux-2.6.32.48/net/atm/lec.h
77059--- linux-2.6.32.48/net/atm/lec.h 2011-11-08 19:02:43.000000000 -0500
77060+++ linux-2.6.32.48/net/atm/lec.h 2011-11-15 19:59:43.000000000 -0500
77061@@ -48,7 +48,7 @@ struct lane2_ops {
77062 const u8 *tlvs, u32 sizeoftlvs);
77063 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
77064 const u8 *tlvs, u32 sizeoftlvs);
77065-};
77066+} __no_const;
77067
77068 /*
77069 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
77070diff -urNp linux-2.6.32.48/net/atm/mpc.h linux-2.6.32.48/net/atm/mpc.h
77071--- linux-2.6.32.48/net/atm/mpc.h 2011-11-08 19:02:43.000000000 -0500
77072+++ linux-2.6.32.48/net/atm/mpc.h 2011-11-15 19:59:43.000000000 -0500
77073@@ -33,7 +33,7 @@ struct mpoa_client {
77074 struct mpc_parameters parameters; /* parameters for this client */
77075
77076 const struct net_device_ops *old_ops;
77077- struct net_device_ops new_ops;
77078+ net_device_ops_no_const new_ops;
77079 };
77080
77081
77082diff -urNp linux-2.6.32.48/net/atm/mpoa_caches.c linux-2.6.32.48/net/atm/mpoa_caches.c
77083--- linux-2.6.32.48/net/atm/mpoa_caches.c 2011-11-08 19:02:43.000000000 -0500
77084+++ linux-2.6.32.48/net/atm/mpoa_caches.c 2011-11-15 19:59:43.000000000 -0500
77085@@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
77086 struct timeval now;
77087 struct k_message msg;
77088
77089+ pax_track_stack();
77090+
77091 do_gettimeofday(&now);
77092
77093 write_lock_irq(&client->egress_lock);
77094diff -urNp linux-2.6.32.48/net/atm/proc.c linux-2.6.32.48/net/atm/proc.c
77095--- linux-2.6.32.48/net/atm/proc.c 2011-11-08 19:02:43.000000000 -0500
77096+++ linux-2.6.32.48/net/atm/proc.c 2011-11-15 19:59:43.000000000 -0500
77097@@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
77098 const struct k_atm_aal_stats *stats)
77099 {
77100 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
77101- atomic_read(&stats->tx),atomic_read(&stats->tx_err),
77102- atomic_read(&stats->rx),atomic_read(&stats->rx_err),
77103- atomic_read(&stats->rx_drop));
77104+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
77105+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
77106+ atomic_read_unchecked(&stats->rx_drop));
77107 }
77108
77109 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
77110@@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
77111 {
77112 struct sock *sk = sk_atm(vcc);
77113
77114+#ifdef CONFIG_GRKERNSEC_HIDESYM
77115+ seq_printf(seq, "%p ", NULL);
77116+#else
77117 seq_printf(seq, "%p ", vcc);
77118+#endif
77119+
77120 if (!vcc->dev)
77121 seq_printf(seq, "Unassigned ");
77122 else
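Review bot: The `CONFIG_GRKERNSEC_HIDESYM` branch in vcc_info() duplicates the whole `seq_printf()` call just to swap one argument, and in the svc_info() hunk below the `#ifdef` sits inside the argument list of a ternary format expression. Selecting the pointer once keeps a single call per site: declare `const void *shown = vcc;`, set `shown = NULL;` under `#ifdef CONFIG_GRKERNSEC_HIDESYM`, then call `seq_printf(seq, "%p ", shown);`. bcm_proc_show() in net/can/bcm.c repeats the duplication for three pointers. A one-line comment that the address is withheld so kernel pointers are not exposed through this output would document the intent.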
77123@@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
77124 {
77125 if (!vcc->dev)
77126 seq_printf(seq, sizeof(void *) == 4 ?
77127+#ifdef CONFIG_GRKERNSEC_HIDESYM
77128+ "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
77129+#else
77130 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
77131+#endif
77132 else
77133 seq_printf(seq, "%3d %3d %5d ",
77134 vcc->dev->number, vcc->vpi, vcc->vci);
77135diff -urNp linux-2.6.32.48/net/atm/resources.c linux-2.6.32.48/net/atm/resources.c
77136--- linux-2.6.32.48/net/atm/resources.c 2011-11-08 19:02:43.000000000 -0500
77137+++ linux-2.6.32.48/net/atm/resources.c 2011-11-15 19:59:43.000000000 -0500
77138@@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
77139 static void copy_aal_stats(struct k_atm_aal_stats *from,
77140 struct atm_aal_stats *to)
77141 {
77142-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
77143+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
77144 __AAL_STAT_ITEMS
77145 #undef __HANDLE_ITEM
77146 }
77147@@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
77148 static void subtract_aal_stats(struct k_atm_aal_stats *from,
77149 struct atm_aal_stats *to)
77150 {
77151-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
77152+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
77153 __AAL_STAT_ITEMS
77154 #undef __HANDLE_ITEM
77155 }
77156diff -urNp linux-2.6.32.48/net/bridge/br_private.h linux-2.6.32.48/net/bridge/br_private.h
77157--- linux-2.6.32.48/net/bridge/br_private.h 2011-11-08 19:02:43.000000000 -0500
77158+++ linux-2.6.32.48/net/bridge/br_private.h 2011-11-15 19:59:43.000000000 -0500
77159@@ -255,7 +255,7 @@ extern void br_ifinfo_notify(int event,
77160
77161 #ifdef CONFIG_SYSFS
77162 /* br_sysfs_if.c */
77163-extern struct sysfs_ops brport_sysfs_ops;
77164+extern const struct sysfs_ops brport_sysfs_ops;
77165 extern int br_sysfs_addif(struct net_bridge_port *p);
77166
77167 /* br_sysfs_br.c */
77168diff -urNp linux-2.6.32.48/net/bridge/br_stp_if.c linux-2.6.32.48/net/bridge/br_stp_if.c
77169--- linux-2.6.32.48/net/bridge/br_stp_if.c 2011-11-08 19:02:43.000000000 -0500
77170+++ linux-2.6.32.48/net/bridge/br_stp_if.c 2011-11-15 19:59:43.000000000 -0500
77171@@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
77172 char *envp[] = { NULL };
77173
77174 if (br->stp_enabled == BR_USER_STP) {
77175- r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
77176+ r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
77177 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
77178 br->dev->name, r);
77179
77180diff -urNp linux-2.6.32.48/net/bridge/br_sysfs_if.c linux-2.6.32.48/net/bridge/br_sysfs_if.c
77181--- linux-2.6.32.48/net/bridge/br_sysfs_if.c 2011-11-08 19:02:43.000000000 -0500
77182+++ linux-2.6.32.48/net/bridge/br_sysfs_if.c 2011-11-15 19:59:43.000000000 -0500
77183@@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
77184 return ret;
77185 }
77186
77187-struct sysfs_ops brport_sysfs_ops = {
77188+const struct sysfs_ops brport_sysfs_ops = {
77189 .show = brport_show,
77190 .store = brport_store,
77191 };
77192diff -urNp linux-2.6.32.48/net/bridge/netfilter/ebtables.c linux-2.6.32.48/net/bridge/netfilter/ebtables.c
77193--- linux-2.6.32.48/net/bridge/netfilter/ebtables.c 2011-11-08 19:02:43.000000000 -0500
77194+++ linux-2.6.32.48/net/bridge/netfilter/ebtables.c 2011-11-15 19:59:43.000000000 -0500
77195@@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
77196 unsigned int entries_size, nentries;
77197 char *entries;
77198
77199+ pax_track_stack();
77200+
77201 if (cmd == EBT_SO_GET_ENTRIES) {
77202 entries_size = t->private->entries_size;
77203 nentries = t->private->nentries;
77204diff -urNp linux-2.6.32.48/net/can/bcm.c linux-2.6.32.48/net/can/bcm.c
77205--- linux-2.6.32.48/net/can/bcm.c 2011-11-08 19:02:43.000000000 -0500
77206+++ linux-2.6.32.48/net/can/bcm.c 2011-11-15 19:59:43.000000000 -0500
77207@@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
77208 struct bcm_sock *bo = bcm_sk(sk);
77209 struct bcm_op *op;
77210
77211+#ifdef CONFIG_GRKERNSEC_HIDESYM
77212+ seq_printf(m, ">>> socket %p", NULL);
77213+ seq_printf(m, " / sk %p", NULL);
77214+ seq_printf(m, " / bo %p", NULL);
77215+#else
77216 seq_printf(m, ">>> socket %p", sk->sk_socket);
77217 seq_printf(m, " / sk %p", sk);
77218 seq_printf(m, " / bo %p", bo);
77219+#endif
77220 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
77221 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
77222 seq_printf(m, " <<<\n");
77223diff -urNp linux-2.6.32.48/net/compat.c linux-2.6.32.48/net/compat.c
77224--- linux-2.6.32.48/net/compat.c 2011-11-08 19:02:43.000000000 -0500
77225+++ linux-2.6.32.48/net/compat.c 2011-11-15 19:59:43.000000000 -0500
77226@@ -69,9 +69,9 @@ int get_compat_msghdr(struct msghdr *kms
77227 __get_user(kmsg->msg_controllen, &umsg->msg_controllen) ||
77228 __get_user(kmsg->msg_flags, &umsg->msg_flags))
77229 return -EFAULT;
77230- kmsg->msg_name = compat_ptr(tmp1);
77231- kmsg->msg_iov = compat_ptr(tmp2);
77232- kmsg->msg_control = compat_ptr(tmp3);
77233+ kmsg->msg_name = (void __force_kernel *)compat_ptr(tmp1);
77234+ kmsg->msg_iov = (void __force_kernel *)compat_ptr(tmp2);
77235+ kmsg->msg_control = (void __force_kernel *)compat_ptr(tmp3);
77236 return 0;
77237 }
77238
77239@@ -94,7 +94,7 @@ int verify_compat_iovec(struct msghdr *k
77240 kern_msg->msg_name = NULL;
77241
77242 tot_len = iov_from_user_compat_to_kern(kern_iov,
77243- (struct compat_iovec __user *)kern_msg->msg_iov,
77244+ (struct compat_iovec __force_user *)kern_msg->msg_iov,
77245 kern_msg->msg_iovlen);
77246 if (tot_len >= 0)
77247 kern_msg->msg_iov = kern_iov;
77248@@ -114,20 +114,20 @@ int verify_compat_iovec(struct msghdr *k
77249
77250 #define CMSG_COMPAT_FIRSTHDR(msg) \
77251 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
77252- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
77253+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
77254 (struct compat_cmsghdr __user *)NULL)
77255
77256 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
77257 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
77258 (ucmlen) <= (unsigned long) \
77259 ((mhdr)->msg_controllen - \
77260- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
77261+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
77262
77263 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
77264 struct compat_cmsghdr __user *cmsg, int cmsg_len)
77265 {
77266 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
77267- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
77268+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
77269 msg->msg_controllen)
77270 return NULL;
77271 return (struct compat_cmsghdr __user *)ptr;
77272@@ -219,7 +219,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
77273 {
77274 struct compat_timeval ctv;
77275 struct compat_timespec cts[3];
77276- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
77277+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
77278 struct compat_cmsghdr cmhdr;
77279 int cmlen;
77280
77281@@ -271,7 +271,7 @@ int put_cmsg_compat(struct msghdr *kmsg,
77282
77283 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
77284 {
77285- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
77286+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
77287 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
77288 int fdnum = scm->fp->count;
77289 struct file **fp = scm->fp->fp;
77290@@ -433,7 +433,7 @@ static int do_get_sock_timeout(struct so
77291 len = sizeof(ktime);
77292 old_fs = get_fs();
77293 set_fs(KERNEL_DS);
77294- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
77295+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
77296 set_fs(old_fs);
77297
77298 if (!err) {
77299@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *so
77300 case MCAST_JOIN_GROUP:
77301 case MCAST_LEAVE_GROUP:
77302 {
77303- struct compat_group_req __user *gr32 = (void *)optval;
77304+ struct compat_group_req __user *gr32 = (void __user *)optval;
77305 struct group_req __user *kgr =
77306 compat_alloc_user_space(sizeof(struct group_req));
77307 u32 interface;
77308@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *so
77309 case MCAST_BLOCK_SOURCE:
77310 case MCAST_UNBLOCK_SOURCE:
77311 {
77312- struct compat_group_source_req __user *gsr32 = (void *)optval;
77313+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
77314 struct group_source_req __user *kgsr = compat_alloc_user_space(
77315 sizeof(struct group_source_req));
77316 u32 interface;
77317@@ -612,7 +612,7 @@ int compat_mc_setsockopt(struct sock *so
77318 }
77319 case MCAST_MSFILTER:
77320 {
77321- struct compat_group_filter __user *gf32 = (void *)optval;
77322+ struct compat_group_filter __user *gf32 = (void __user *)optval;
77323 struct group_filter __user *kgf;
77324 u32 interface, fmode, numsrc;
77325
77326diff -urNp linux-2.6.32.48/net/core/dev.c linux-2.6.32.48/net/core/dev.c
77327--- linux-2.6.32.48/net/core/dev.c 2011-11-08 19:02:43.000000000 -0500
77328+++ linux-2.6.32.48/net/core/dev.c 2011-11-15 19:59:43.000000000 -0500
77329@@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
77330 if (no_module && capable(CAP_NET_ADMIN))
77331 no_module = request_module("netdev-%s", name);
77332 if (no_module && capable(CAP_SYS_MODULE)) {
77333+#ifdef CONFIG_GRKERNSEC_MODHARDEN
77334+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
77335+#else
77336 if (!request_module("%s", name))
77337 pr_err("Loading kernel module for a network device "
77338 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
77339 "instead\n", name);
77340+#endif
77341 }
77342 }
77343 EXPORT_SYMBOL(dev_load);
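Review bot: Under `CONFIG_GRKERNSEC_MODHARDEN` dev_load() discards the result of `___request_module()` and no longer prints the deprecation message that the `#else` branch emits, and neither choice is explained. A comment above the call stating what the `"grsec_modharden_netdev"` argument selects and why the result is ignored would make the branch reviewable on its own. If the message is still wanted in this configuration, wrapping the call as `if (!___request_module(true, "grsec_modharden_netdev", "%s", name))` in front of the existing `pr_err` keeps both builds aligned, assuming the helper returns 0 on success like `request_module()`, which the hunk does not show.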
77344@@ -1654,7 +1658,7 @@ static inline int illegal_highdma(struct
77345
77346 struct dev_gso_cb {
77347 void (*destructor)(struct sk_buff *skb);
77348-};
77349+} __no_const;
77350
77351 #define DEV_GSO_CB(skb) ((struct dev_gso_cb *)(skb)->cb)
77352
77353@@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
77354 }
77355 EXPORT_SYMBOL(netif_rx_ni);
77356
77357-static void net_tx_action(struct softirq_action *h)
77358+static void net_tx_action(void)
77359 {
77360 struct softnet_data *sd = &__get_cpu_var(softnet_data);
77361
77362@@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
77363 EXPORT_SYMBOL(netif_napi_del);
77364
77365
77366-static void net_rx_action(struct softirq_action *h)
77367+static void net_rx_action(void)
77368 {
77369 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
77370 unsigned long time_limit = jiffies + 2;
77371diff -urNp linux-2.6.32.48/net/core/flow.c linux-2.6.32.48/net/core/flow.c
77372--- linux-2.6.32.48/net/core/flow.c 2011-11-08 19:02:43.000000000 -0500
77373+++ linux-2.6.32.48/net/core/flow.c 2011-11-15 19:59:43.000000000 -0500
77374@@ -35,11 +35,11 @@ struct flow_cache_entry {
77375 atomic_t *object_ref;
77376 };
77377
77378-atomic_t flow_cache_genid = ATOMIC_INIT(0);
77379+atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
77380
77381 static u32 flow_hash_shift;
77382 #define flow_hash_size (1 << flow_hash_shift)
77383-static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
77384+static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
77385
77386 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
77387
77388@@ -52,7 +52,7 @@ struct flow_percpu_info {
77389 u32 hash_rnd;
77390 int count;
77391 };
77392-static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
77393+static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
77394
77395 #define flow_hash_rnd_recalc(cpu) \
77396 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
77397@@ -69,7 +69,7 @@ struct flow_flush_info {
77398 atomic_t cpuleft;
77399 struct completion completion;
77400 };
77401-static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
77402+static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
77403
77404 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
77405
77406@@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
77407 if (fle->family == family &&
77408 fle->dir == dir &&
77409 flow_key_compare(key, &fle->key) == 0) {
77410- if (fle->genid == atomic_read(&flow_cache_genid)) {
77411+ if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
77412 void *ret = fle->object;
77413
77414 if (ret)
77415@@ -228,7 +228,7 @@ nocache:
77416 err = resolver(net, key, family, dir, &obj, &obj_ref);
77417
77418 if (fle && !err) {
77419- fle->genid = atomic_read(&flow_cache_genid);
77420+ fle->genid = atomic_read_unchecked(&flow_cache_genid);
77421
77422 if (fle->object)
77423 atomic_dec(fle->object_ref);
77424@@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
77425
77426 fle = flow_table(cpu)[i];
77427 for (; fle; fle = fle->next) {
77428- unsigned genid = atomic_read(&flow_cache_genid);
77429+ unsigned genid = atomic_read_unchecked(&flow_cache_genid);
77430
77431 if (!fle->object || fle->genid == genid)
77432 continue;
77433diff -urNp linux-2.6.32.48/net/core/rtnetlink.c linux-2.6.32.48/net/core/rtnetlink.c
77434--- linux-2.6.32.48/net/core/rtnetlink.c 2011-11-08 19:02:43.000000000 -0500
77435+++ linux-2.6.32.48/net/core/rtnetlink.c 2011-11-15 19:59:43.000000000 -0500
77436@@ -57,7 +57,7 @@ struct rtnl_link
77437 {
77438 rtnl_doit_func doit;
77439 rtnl_dumpit_func dumpit;
77440-};
77441+} __no_const;
77442
77443 static DEFINE_MUTEX(rtnl_mutex);
77444
77445diff -urNp linux-2.6.32.48/net/core/scm.c linux-2.6.32.48/net/core/scm.c
77446--- linux-2.6.32.48/net/core/scm.c 2011-11-08 19:02:43.000000000 -0500
77447+++ linux-2.6.32.48/net/core/scm.c 2011-11-15 19:59:43.000000000 -0500
77448@@ -191,7 +191,7 @@ error:
77449 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
77450 {
77451 struct cmsghdr __user *cm
77452- = (__force struct cmsghdr __user *)msg->msg_control;
77453+ = (struct cmsghdr __force_user *)msg->msg_control;
77454 struct cmsghdr cmhdr;
77455 int cmlen = CMSG_LEN(len);
77456 int err;
77457@@ -214,7 +214,7 @@ int put_cmsg(struct msghdr * msg, int le
77458 err = -EFAULT;
77459 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
77460 goto out;
77461- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
77462+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
77463 goto out;
77464 cmlen = CMSG_SPACE(len);
77465 if (msg->msg_controllen < cmlen)
77466@@ -229,7 +229,7 @@ out:
77467 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
77468 {
77469 struct cmsghdr __user *cm
77470- = (__force struct cmsghdr __user*)msg->msg_control;
77471+ = (struct cmsghdr __force_user *)msg->msg_control;
77472
77473 int fdmax = 0;
77474 int fdnum = scm->fp->count;
77475@@ -249,7 +249,7 @@ void scm_detach_fds(struct msghdr *msg,
77476 if (fdnum < fdmax)
77477 fdmax = fdnum;
77478
77479- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
77480+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
77481 i++, cmfptr++)
77482 {
77483 int new_fd;
77484diff -urNp linux-2.6.32.48/net/core/secure_seq.c linux-2.6.32.48/net/core/secure_seq.c
77485--- linux-2.6.32.48/net/core/secure_seq.c 2011-11-08 19:02:43.000000000 -0500
77486+++ linux-2.6.32.48/net/core/secure_seq.c 2011-11-15 19:59:43.000000000 -0500
77487@@ -57,7 +57,7 @@ __u32 secure_tcpv6_sequence_number(__be3
77488 EXPORT_SYMBOL(secure_tcpv6_sequence_number);
77489
77490 u32 secure_ipv6_port_ephemeral(const __be32 *saddr, const __be32 *daddr,
77491- __be16 dport)
77492+ __be16 dport)
77493 {
77494 u32 secret[MD5_MESSAGE_BYTES / 4];
77495 u32 hash[MD5_DIGEST_WORDS];
77496@@ -71,7 +71,6 @@ u32 secure_ipv6_port_ephemeral(const __b
77497 secret[i] = net_secret[i];
77498
77499 md5_transform(hash, secret);
77500-
77501 return hash[0];
77502 }
77503 #endif
77504diff -urNp linux-2.6.32.48/net/core/skbuff.c linux-2.6.32.48/net/core/skbuff.c
77505--- linux-2.6.32.48/net/core/skbuff.c 2011-11-08 19:02:43.000000000 -0500
77506+++ linux-2.6.32.48/net/core/skbuff.c 2011-11-15 19:59:43.000000000 -0500
77507@@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
77508 struct sk_buff *frag_iter;
77509 struct sock *sk = skb->sk;
77510
77511+ pax_track_stack();
77512+
77513 /*
77514 * __skb_splice_bits() only fails if the output has no room left,
77515 * so no point in going over the frag_list for the error case.
77516diff -urNp linux-2.6.32.48/net/core/sock.c linux-2.6.32.48/net/core/sock.c
77517--- linux-2.6.32.48/net/core/sock.c 2011-11-08 19:02:43.000000000 -0500
77518+++ linux-2.6.32.48/net/core/sock.c 2011-11-15 19:59:43.000000000 -0500
77519@@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
77520 break;
77521
77522 case SO_PEERCRED:
77523+ {
77524+ struct ucred peercred;
77525 if (len > sizeof(sk->sk_peercred))
77526 len = sizeof(sk->sk_peercred);
77527- if (copy_to_user(optval, &sk->sk_peercred, len))
77528+ peercred = sk->sk_peercred;
77529+ if (copy_to_user(optval, &peercred, len))
77530 return -EFAULT;
77531 goto lenout;
77532+ }
77533
77534 case SO_PEERNAME:
77535 {
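Review bot: Nothing in the SO_PEERCRED case explains why `sk->sk_peercred` is now copied into a stack `struct ucred` before `copy_to_user`, so the local looks redundant and is likely to be removed in a later cleanup. Assuming the intent is to keep `copy_to_user` from reading directly out of the socket object, a line such as `/* copy via the stack so the user copy never sources from struct sock */` above `peercred = sk->sk_peercred;` would record it. The `len` clamp still uses `sizeof(sk->sk_peercred)`; `sizeof(peercred)` would tie it to the buffer that is actually copied.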
77536@@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
77537 */
77538 smp_wmb();
77539 atomic_set(&sk->sk_refcnt, 1);
77540- atomic_set(&sk->sk_drops, 0);
77541+ atomic_set_unchecked(&sk->sk_drops, 0);
77542 }
77543 EXPORT_SYMBOL(sock_init_data);
77544
77545diff -urNp linux-2.6.32.48/net/decnet/sysctl_net_decnet.c linux-2.6.32.48/net/decnet/sysctl_net_decnet.c
77546--- linux-2.6.32.48/net/decnet/sysctl_net_decnet.c 2011-11-08 19:02:43.000000000 -0500
77547+++ linux-2.6.32.48/net/decnet/sysctl_net_decnet.c 2011-11-15 19:59:43.000000000 -0500
77548@@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
77549
77550 if (len > *lenp) len = *lenp;
77551
77552- if (copy_to_user(buffer, addr, len))
77553+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
77554 return -EFAULT;
77555
77556 *lenp = len;
77557@@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
77558
77559 if (len > *lenp) len = *lenp;
77560
77561- if (copy_to_user(buffer, devname, len))
77562+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
77563 return -EFAULT;
77564
77565 *lenp = len;
77566diff -urNp linux-2.6.32.48/net/econet/Kconfig linux-2.6.32.48/net/econet/Kconfig
77567--- linux-2.6.32.48/net/econet/Kconfig 2011-11-08 19:02:43.000000000 -0500
77568+++ linux-2.6.32.48/net/econet/Kconfig 2011-11-15 19:59:43.000000000 -0500
77569@@ -4,7 +4,7 @@
77570
77571 config ECONET
77572 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
77573- depends on EXPERIMENTAL && INET
77574+ depends on EXPERIMENTAL && INET && BROKEN
77575 ---help---
77576 Econet is a fairly old and slow networking protocol mainly used by
77577 Acorn computers to access file and print servers. It uses native
77578diff -urNp linux-2.6.32.48/net/ieee802154/dgram.c linux-2.6.32.48/net/ieee802154/dgram.c
77579--- linux-2.6.32.48/net/ieee802154/dgram.c 2011-11-08 19:02:43.000000000 -0500
77580+++ linux-2.6.32.48/net/ieee802154/dgram.c 2011-11-15 19:59:43.000000000 -0500
77581@@ -318,7 +318,7 @@ out:
77582 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
77583 {
77584 if (sock_queue_rcv_skb(sk, skb) < 0) {
77585- atomic_inc(&sk->sk_drops);
77586+ atomic_inc_unchecked(&sk->sk_drops);
77587 kfree_skb(skb);
77588 return NET_RX_DROP;
77589 }
77590diff -urNp linux-2.6.32.48/net/ieee802154/raw.c linux-2.6.32.48/net/ieee802154/raw.c
77591--- linux-2.6.32.48/net/ieee802154/raw.c 2011-11-08 19:02:43.000000000 -0500
77592+++ linux-2.6.32.48/net/ieee802154/raw.c 2011-11-15 19:59:43.000000000 -0500
77593@@ -206,7 +206,7 @@ out:
77594 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
77595 {
77596 if (sock_queue_rcv_skb(sk, skb) < 0) {
77597- atomic_inc(&sk->sk_drops);
77598+ atomic_inc_unchecked(&sk->sk_drops);
77599 kfree_skb(skb);
77600 return NET_RX_DROP;
77601 }
77602diff -urNp linux-2.6.32.48/net/ipv4/inet_diag.c linux-2.6.32.48/net/ipv4/inet_diag.c
77603--- linux-2.6.32.48/net/ipv4/inet_diag.c 2011-11-08 19:02:43.000000000 -0500
77604+++ linux-2.6.32.48/net/ipv4/inet_diag.c 2011-11-15 19:59:43.000000000 -0500
77605@@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
77606 r->idiag_retrans = 0;
77607
77608 r->id.idiag_if = sk->sk_bound_dev_if;
77609+#ifdef CONFIG_GRKERNSEC_HIDESYM
77610+ r->id.idiag_cookie[0] = 0;
77611+ r->id.idiag_cookie[1] = 0;
77612+#else
77613 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
77614 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
77615+#endif
77616
77617 r->id.idiag_sport = inet->sport;
77618 r->id.idiag_dport = inet->dport;
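Review bot: Under CONFIG_GRKERNSEC_HIDESYM the cookie is reported as 0/0, and nothing records that this only works because the later hunk in inet_diag_get_exact compiles the cookie comparison out. A comment on the zeroing, such as `/* HIDESYM: do not expose the socket address; inet_diag_get_exact skips the cookie check to match */`, would keep the two in step. The same five-line `#ifdef` block is repeated in inet_twsk_diag_fill and inet_diag_fill_req, so a small static helper taking the pointer would remove the duplication. With the comparison gone, an exact lookup no longer returns -ESTALE when the tuple has been reused by another socket, which deserves a mention wherever the option is documented.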
77619@@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
77620 r->idiag_family = tw->tw_family;
77621 r->idiag_retrans = 0;
77622 r->id.idiag_if = tw->tw_bound_dev_if;
77623+
77624+#ifdef CONFIG_GRKERNSEC_HIDESYM
77625+ r->id.idiag_cookie[0] = 0;
77626+ r->id.idiag_cookie[1] = 0;
77627+#else
77628 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
77629 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
77630+#endif
77631+
77632 r->id.idiag_sport = tw->tw_sport;
77633 r->id.idiag_dport = tw->tw_dport;
77634 r->id.idiag_src[0] = tw->tw_rcv_saddr;
77635@@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
77636 if (sk == NULL)
77637 goto unlock;
77638
77639+#ifndef CONFIG_GRKERNSEC_HIDESYM
77640 err = -ESTALE;
77641 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
77642 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
77643 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
77644 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
77645 goto out;
77646+#endif
77647
77648 err = -ENOMEM;
77649 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
77650@@ -579,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
77651 r->idiag_retrans = req->retrans;
77652
77653 r->id.idiag_if = sk->sk_bound_dev_if;
77654+
77655+#ifdef CONFIG_GRKERNSEC_HIDESYM
77656+ r->id.idiag_cookie[0] = 0;
77657+ r->id.idiag_cookie[1] = 0;
77658+#else
77659 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
77660 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
77661+#endif
77662
77663 tmo = req->expires - jiffies;
77664 if (tmo < 0)
77665diff -urNp linux-2.6.32.48/net/ipv4/inet_hashtables.c linux-2.6.32.48/net/ipv4/inet_hashtables.c
77666--- linux-2.6.32.48/net/ipv4/inet_hashtables.c 2011-11-08 19:02:43.000000000 -0500
77667+++ linux-2.6.32.48/net/ipv4/inet_hashtables.c 2011-11-15 19:59:43.000000000 -0500
77668@@ -18,12 +18,15 @@
77669 #include <linux/sched.h>
77670 #include <linux/slab.h>
77671 #include <linux/wait.h>
77672+#include <linux/security.h>
77673
77674 #include <net/inet_connection_sock.h>
77675 #include <net/inet_hashtables.h>
77676 #include <net/secure_seq.h>
77677 #include <net/ip.h>
77678
77679+extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
77680+
77681 /*
77682 * Allocate and initialize a new local port bind bucket.
77683 * The bindhash mutex for snum's hash chain must be held here.
77684@@ -491,6 +494,8 @@ ok:
77685 }
77686 spin_unlock(&head->lock);
77687
77688+ gr_update_task_in_ip_table(current, inet_sk(sk));
77689+
77690 if (tw) {
77691 inet_twsk_deschedule(tw, death_row);
77692 inet_twsk_put(tw);
77693diff -urNp linux-2.6.32.48/net/ipv4/inetpeer.c linux-2.6.32.48/net/ipv4/inetpeer.c
77694--- linux-2.6.32.48/net/ipv4/inetpeer.c 2011-11-08 19:02:43.000000000 -0500
77695+++ linux-2.6.32.48/net/ipv4/inetpeer.c 2011-11-15 19:59:43.000000000 -0500
77696@@ -367,6 +367,8 @@ struct inet_peer *inet_getpeer(__be32 da
77697 struct inet_peer *p, *n;
77698 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
77699
77700+ pax_track_stack();
77701+
77702 /* Look up for the address quickly. */
77703 read_lock_bh(&peer_pool_lock);
77704 p = lookup(daddr, NULL);
77705@@ -390,7 +392,7 @@ struct inet_peer *inet_getpeer(__be32 da
77706 return NULL;
77707 n->v4daddr = daddr;
77708 atomic_set(&n->refcnt, 1);
77709- atomic_set(&n->rid, 0);
77710+ atomic_set_unchecked(&n->rid, 0);
77711 n->ip_id_count = secure_ip_id(daddr);
77712 n->tcp_ts_stamp = 0;
77713
77714diff -urNp linux-2.6.32.48/net/ipv4/ipconfig.c linux-2.6.32.48/net/ipv4/ipconfig.c
77715--- linux-2.6.32.48/net/ipv4/ipconfig.c 2011-11-08 19:02:43.000000000 -0500
77716+++ linux-2.6.32.48/net/ipv4/ipconfig.c 2011-11-15 19:59:43.000000000 -0500
77717@@ -295,7 +295,7 @@ static int __init ic_devinet_ioctl(unsig
77718
77719 mm_segment_t oldfs = get_fs();
77720 set_fs(get_ds());
77721- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
77722+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
77723 set_fs(oldfs);
77724 return res;
77725 }
77726@@ -306,7 +306,7 @@ static int __init ic_dev_ioctl(unsigned
77727
77728 mm_segment_t oldfs = get_fs();
77729 set_fs(get_ds());
77730- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
77731+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
77732 set_fs(oldfs);
77733 return res;
77734 }
77735@@ -317,7 +317,7 @@ static int __init ic_route_ioctl(unsigne
77736
77737 mm_segment_t oldfs = get_fs();
77738 set_fs(get_ds());
77739- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
77740+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
77741 set_fs(oldfs);
77742 return res;
77743 }
77744diff -urNp linux-2.6.32.48/net/ipv4/ip_fragment.c linux-2.6.32.48/net/ipv4/ip_fragment.c
77745--- linux-2.6.32.48/net/ipv4/ip_fragment.c 2011-11-08 19:02:43.000000000 -0500
77746+++ linux-2.6.32.48/net/ipv4/ip_fragment.c 2011-11-15 19:59:43.000000000 -0500
77747@@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
77748 return 0;
77749
77750 start = qp->rid;
77751- end = atomic_inc_return(&peer->rid);
77752+ end = atomic_inc_return_unchecked(&peer->rid);
77753 qp->rid = end;
77754
77755 rc = qp->q.fragments && (end - start) > max;
77756diff -urNp linux-2.6.32.48/net/ipv4/ip_sockglue.c linux-2.6.32.48/net/ipv4/ip_sockglue.c
77757--- linux-2.6.32.48/net/ipv4/ip_sockglue.c 2011-11-08 19:02:43.000000000 -0500
77758+++ linux-2.6.32.48/net/ipv4/ip_sockglue.c 2011-11-15 19:59:43.000000000 -0500
77759@@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
77760 int val;
77761 int len;
77762
77763+ pax_track_stack();
77764+
77765 if (level != SOL_IP)
77766 return -EOPNOTSUPP;
77767
77768@@ -1173,7 +1175,7 @@ static int do_ip_getsockopt(struct sock
77769 if (sk->sk_type != SOCK_STREAM)
77770 return -ENOPROTOOPT;
77771
77772- msg.msg_control = optval;
77773+ msg.msg_control = (void __force_kernel *)optval;
77774 msg.msg_controllen = len;
77775 msg.msg_flags = 0;
77776
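Review bot: The cast `(void __force_kernel *)optval` stores a userspace pointer in `msg.msg_control` while annotating it as a kernel one, and nothing at the assignment says the value is still a user address. put_cmsg in net/core/scm.c casts the field back with `__force_user` before `copy_to_user`, so the pair is consistent, but a reader of this function alone cannot see that. A short comment, `/* optval is a user pointer; put_cmsg() casts msg_control back to __user */`, would help here and at the matching line in do_ipv6_getsockopt. The rest of do_ip_getsockopt lies outside the hunk.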
77777diff -urNp linux-2.6.32.48/net/ipv4/netfilter/arp_tables.c linux-2.6.32.48/net/ipv4/netfilter/arp_tables.c
77778--- linux-2.6.32.48/net/ipv4/netfilter/arp_tables.c 2011-11-08 19:02:43.000000000 -0500
77779+++ linux-2.6.32.48/net/ipv4/netfilter/arp_tables.c 2011-11-15 19:59:43.000000000 -0500
77780@@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
77781 private = &tmp;
77782 }
77783 #endif
77784+ memset(&info, 0, sizeof(info));
77785 info.valid_hooks = t->valid_hooks;
77786 memcpy(info.hook_entry, private->hook_entry,
77787 sizeof(info.hook_entry));
77788diff -urNp linux-2.6.32.48/net/ipv4/netfilter/ip_queue.c linux-2.6.32.48/net/ipv4/netfilter/ip_queue.c
77789--- linux-2.6.32.48/net/ipv4/netfilter/ip_queue.c 2011-11-08 19:02:43.000000000 -0500
77790+++ linux-2.6.32.48/net/ipv4/netfilter/ip_queue.c 2011-11-15 19:59:43.000000000 -0500
77791@@ -286,6 +286,9 @@ ipq_mangle_ipv4(ipq_verdict_msg_t *v, st
77792
77793 if (v->data_len < sizeof(*user_iph))
77794 return 0;
77795+ if (v->data_len > 65535)
77796+ return -EMSGSIZE;
77797+
77798 diff = v->data_len - e->skb->len;
77799 if (diff < 0) {
77800 if (pskb_trim(e->skb, v->data_len))
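Review bot: The new bound `v->data_len > 65535` is a bare number with no hint of what it protects. From the visible lines it appears to stop `diff = v->data_len - e->skb->len` from being computed on an oversized length before the signed `diff < 0` test, but `data_len` and `diff` are declared outside the hunk. A comment such as `/* cap data_len so the signed diff below cannot be skewed by a huge value */` would record the intent. The identical check added to ipq_mangle_ipv6 in ip6_queue.c needs the same.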
77801@@ -409,7 +412,8 @@ ipq_dev_drop(int ifindex)
77802 static inline void
77803 __ipq_rcv_skb(struct sk_buff *skb)
77804 {
77805- int status, type, pid, flags, nlmsglen, skblen;
77806+ int status, type, pid, flags;
77807+ unsigned int nlmsglen, skblen;
77808 struct nlmsghdr *nlh;
77809
77810 skblen = skb->len;
77811diff -urNp linux-2.6.32.48/net/ipv4/netfilter/ip_tables.c linux-2.6.32.48/net/ipv4/netfilter/ip_tables.c
77812--- linux-2.6.32.48/net/ipv4/netfilter/ip_tables.c 2011-11-08 19:02:43.000000000 -0500
77813+++ linux-2.6.32.48/net/ipv4/netfilter/ip_tables.c 2011-11-15 19:59:43.000000000 -0500
77814@@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
77815 private = &tmp;
77816 }
77817 #endif
77818+ memset(&info, 0, sizeof(info));
77819 info.valid_hooks = t->valid_hooks;
77820 memcpy(info.hook_entry, private->hook_entry,
77821 sizeof(info.hook_entry));
77822diff -urNp linux-2.6.32.48/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.48/net/ipv4/netfilter/nf_nat_snmp_basic.c
77823--- linux-2.6.32.48/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-08 19:02:43.000000000 -0500
77824+++ linux-2.6.32.48/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-11-15 19:59:43.000000000 -0500
77825@@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
77826
77827 *len = 0;
77828
77829- *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
77830+ *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
77831 if (*octets == NULL) {
77832 if (net_ratelimit())
77833 printk("OOM in bsalg (%d)\n", __LINE__);
77834diff -urNp linux-2.6.32.48/net/ipv4/raw.c linux-2.6.32.48/net/ipv4/raw.c
77835--- linux-2.6.32.48/net/ipv4/raw.c 2011-11-08 19:02:43.000000000 -0500
77836+++ linux-2.6.32.48/net/ipv4/raw.c 2011-11-15 19:59:43.000000000 -0500
77837@@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
77838 /* Charge it to the socket. */
77839
77840 if (sock_queue_rcv_skb(sk, skb) < 0) {
77841- atomic_inc(&sk->sk_drops);
77842+ atomic_inc_unchecked(&sk->sk_drops);
77843 kfree_skb(skb);
77844 return NET_RX_DROP;
77845 }
77846@@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
77847 int raw_rcv(struct sock *sk, struct sk_buff *skb)
77848 {
77849 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
77850- atomic_inc(&sk->sk_drops);
77851+ atomic_inc_unchecked(&sk->sk_drops);
77852 kfree_skb(skb);
77853 return NET_RX_DROP;
77854 }
77855@@ -724,16 +724,23 @@ static int raw_init(struct sock *sk)
77856
77857 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
77858 {
77859+ struct icmp_filter filter;
77860+
77861+ if (optlen < 0)
77862+ return -EINVAL;
77863 if (optlen > sizeof(struct icmp_filter))
77864 optlen = sizeof(struct icmp_filter);
77865- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
77866+ if (copy_from_user(&filter, optval, optlen))
77867 return -EFAULT;
77868+ raw_sk(sk)->filter = filter;
77869+
77870 return 0;
77871 }
77872
77873 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
77874 {
77875 int len, ret = -EFAULT;
77876+ struct icmp_filter filter;
77877
77878 if (get_user(len, optlen))
77879 goto out;
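Review bot: In raw_seticmpfilter the new local `filter` is never initialised, so when `optlen` is smaller than `sizeof(struct icmp_filter)` the partial `copy_from_user` leaves its tail holding stack bytes, and `raw_sk(sk)->filter = filter;` then stores them in the socket. The old code wrote only `optlen` bytes into the socket's filter and left the rest as it was. Seeding the local restores that behaviour and keeps stack contents out of a value that raw_geticmpfilter later copies to userspace: `struct icmp_filter filter = raw_sk(sk)->filter;`.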
77880@@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
77881 if (len > sizeof(struct icmp_filter))
77882 len = sizeof(struct icmp_filter);
77883 ret = -EFAULT;
77884- if (put_user(len, optlen) ||
77885- copy_to_user(optval, &raw_sk(sk)->filter, len))
77886+ filter = raw_sk(sk)->filter;
77887+ if (put_user(len, optlen) || len > sizeof filter ||
77888+ copy_to_user(optval, &filter, len))
77889 goto out;
77890 ret = 0;
77891 out: return ret;
77892@@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
77893 sk_wmem_alloc_get(sp),
77894 sk_rmem_alloc_get(sp),
77895 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
77896- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
77897+ atomic_read(&sp->sk_refcnt),
77898+#ifdef CONFIG_GRKERNSEC_HIDESYM
77899+ NULL,
77900+#else
77901+ sp,
77902+#endif
77903+ atomic_read_unchecked(&sp->sk_drops));
77904 }
77905
77906 static int raw_seq_show(struct seq_file *seq, void *v)
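Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `NULL` / `#else` / `sp` / `#endif` sequence is spliced into the middle of the seq_printf argument list, which makes the call hard to read and easy to break when arguments are reordered. The same five lines are repeated in get_openreq4, get_tcp4_sock and get_timewait4_sock in tcp_ipv4.c and in udp4_format_sock in udp.c. One helper macro in a shared header that expands to its argument or to `NULL` would leave each call as a single expression and keep every `%p` site covered by one definition.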
77907diff -urNp linux-2.6.32.48/net/ipv4/route.c linux-2.6.32.48/net/ipv4/route.c
77908--- linux-2.6.32.48/net/ipv4/route.c 2011-11-08 19:02:43.000000000 -0500
77909+++ linux-2.6.32.48/net/ipv4/route.c 2011-11-15 19:59:43.000000000 -0500
77910@@ -269,7 +269,7 @@ static inline unsigned int rt_hash(__be3
77911
77912 static inline int rt_genid(struct net *net)
77913 {
77914- return atomic_read(&net->ipv4.rt_genid);
77915+ return atomic_read_unchecked(&net->ipv4.rt_genid);
77916 }
77917
77918 #ifdef CONFIG_PROC_FS
77919@@ -889,7 +889,7 @@ static void rt_cache_invalidate(struct n
77920 unsigned char shuffle;
77921
77922 get_random_bytes(&shuffle, sizeof(shuffle));
77923- atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
77924+ atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
77925 }
77926
77927 /*
77928@@ -3357,7 +3357,7 @@ static __net_initdata struct pernet_oper
77929
77930 static __net_init int rt_secret_timer_init(struct net *net)
77931 {
77932- atomic_set(&net->ipv4.rt_genid,
77933+ atomic_set_unchecked(&net->ipv4.rt_genid,
77934 (int) ((num_physpages ^ (num_physpages>>8)) ^
77935 (jiffies ^ (jiffies >> 7))));
77936
77937diff -urNp linux-2.6.32.48/net/ipv4/tcp.c linux-2.6.32.48/net/ipv4/tcp.c
77938--- linux-2.6.32.48/net/ipv4/tcp.c 2011-11-08 19:02:43.000000000 -0500
77939+++ linux-2.6.32.48/net/ipv4/tcp.c 2011-11-15 19:59:43.000000000 -0500
77940@@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
77941 int val;
77942 int err = 0;
77943
77944+ pax_track_stack();
77945+
77946 /* This is a string value all the others are int's */
77947 if (optname == TCP_CONGESTION) {
77948 char name[TCP_CA_NAME_MAX];
77949@@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
77950 struct tcp_sock *tp = tcp_sk(sk);
77951 int val, len;
77952
77953+ pax_track_stack();
77954+
77955 if (get_user(len, optlen))
77956 return -EFAULT;
77957
77958diff -urNp linux-2.6.32.48/net/ipv4/tcp_ipv4.c linux-2.6.32.48/net/ipv4/tcp_ipv4.c
77959--- linux-2.6.32.48/net/ipv4/tcp_ipv4.c 2011-11-08 19:02:43.000000000 -0500
77960+++ linux-2.6.32.48/net/ipv4/tcp_ipv4.c 2011-11-15 19:59:43.000000000 -0500
77961@@ -85,6 +85,9 @@
77962 int sysctl_tcp_tw_reuse __read_mostly;
77963 int sysctl_tcp_low_latency __read_mostly;
77964
77965+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77966+extern int grsec_enable_blackhole;
77967+#endif
77968
77969 #ifdef CONFIG_TCP_MD5SIG
77970 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
77971@@ -1543,6 +1546,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
77972 return 0;
77973
77974 reset:
77975+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77976+ if (!grsec_enable_blackhole)
77977+#endif
77978 tcp_v4_send_reset(rsk, skb);
77979 discard:
77980 kfree_skb(skb);
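Review bot: The added `if (!grsec_enable_blackhole)` sits between `#ifdef` and `#endif` with no braces and governs `tcp_v4_send_reset(rsk, skb);` on the next line, which keeps its old indentation and so still looks unconditional. Anyone inserting a statement between the `#endif` and the call changes what the condition guards, and only when CONFIG_GRKERNSEC_BLACKHOLE is set. The same construct appears at `no_tcp_socket` in tcp_v4_rcv, at `embryonic_reset` in tcp_minisocks.c (where it stacks on a second brace-less `if`) and before `icmp_send` in __udp4_lib_rcv. Giving the flag a `#define grsec_enable_blackhole 0` fallback in a shared header would let each site be an ordinary braced `if` with no preprocessor lines.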
77981@@ -1604,12 +1610,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
77982 TCP_SKB_CB(skb)->sacked = 0;
77983
77984 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
77985- if (!sk)
77986+ if (!sk) {
77987+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77988+ ret = 1;
77989+#endif
77990 goto no_tcp_socket;
77991+ }
77992
77993 process:
77994- if (sk->sk_state == TCP_TIME_WAIT)
77995+ if (sk->sk_state == TCP_TIME_WAIT) {
77996+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
77997+ ret = 2;
77998+#endif
77999 goto do_time_wait;
78000+ }
78001
78002 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
78003 goto discard_and_relse;
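Review bot: `ret = 1` and `ret = 2` reuse tcp_v4_rcv's return-value variable as a tag for how control reached `no_tcp_socket`, and neither value is named or explained. The only visible reader is the `ret == 1` test in the next hunk. A comment at each assignment would do, for example `/* 1: no socket matched the segment */` and `/* 2: arrived via TIME_WAIT handling */`. A separate local with named constants would go further, since a later assignment to `ret` could then not change the reset decision. The function body continues outside both hunks, so whether `ret` is reassigned between these labels cannot be checked from here.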
78004@@ -1651,6 +1665,10 @@ no_tcp_socket:
78005 bad_packet:
78006 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
78007 } else {
78008+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78009+ if (!grsec_enable_blackhole || (ret == 1 &&
78010+ (skb->dev->flags & IFF_LOOPBACK)))
78011+#endif
78012 tcp_v4_send_reset(NULL, skb);
78013 }
78014
78015@@ -2238,7 +2256,11 @@ static void get_openreq4(struct sock *sk
78016 0, /* non standard timer */
78017 0, /* open_requests have no inode */
78018 atomic_read(&sk->sk_refcnt),
78019+#ifdef CONFIG_GRKERNSEC_HIDESYM
78020+ NULL,
78021+#else
78022 req,
78023+#endif
78024 len);
78025 }
78026
78027@@ -2280,7 +2302,12 @@ static void get_tcp4_sock(struct sock *s
78028 sock_i_uid(sk),
78029 icsk->icsk_probes_out,
78030 sock_i_ino(sk),
78031- atomic_read(&sk->sk_refcnt), sk,
78032+ atomic_read(&sk->sk_refcnt),
78033+#ifdef CONFIG_GRKERNSEC_HIDESYM
78034+ NULL,
78035+#else
78036+ sk,
78037+#endif
78038 jiffies_to_clock_t(icsk->icsk_rto),
78039 jiffies_to_clock_t(icsk->icsk_ack.ato),
78040 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
78041@@ -2308,7 +2335,13 @@ static void get_timewait4_sock(struct in
78042 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
78043 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
78044 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
78045- atomic_read(&tw->tw_refcnt), tw, len);
78046+ atomic_read(&tw->tw_refcnt),
78047+#ifdef CONFIG_GRKERNSEC_HIDESYM
78048+ NULL,
78049+#else
78050+ tw,
78051+#endif
78052+ len);
78053 }
78054
78055 #define TMPSZ 150
78056diff -urNp linux-2.6.32.48/net/ipv4/tcp_minisocks.c linux-2.6.32.48/net/ipv4/tcp_minisocks.c
78057--- linux-2.6.32.48/net/ipv4/tcp_minisocks.c 2011-11-08 19:02:43.000000000 -0500
78058+++ linux-2.6.32.48/net/ipv4/tcp_minisocks.c 2011-11-15 19:59:43.000000000 -0500
78059@@ -26,6 +26,10 @@
78060 #include <net/inet_common.h>
78061 #include <net/xfrm.h>
78062
78063+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78064+extern int grsec_enable_blackhole;
78065+#endif
78066+
78067 #ifdef CONFIG_SYSCTL
78068 #define SYNC_INIT 0 /* let the user enable it */
78069 #else
78070@@ -672,6 +676,10 @@ listen_overflow:
78071
78072 embryonic_reset:
78073 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
78074+
78075+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78076+ if (!grsec_enable_blackhole)
78077+#endif
78078 if (!(flg & TCP_FLAG_RST))
78079 req->rsk_ops->send_reset(sk, skb);
78080
78081diff -urNp linux-2.6.32.48/net/ipv4/tcp_output.c linux-2.6.32.48/net/ipv4/tcp_output.c
78082--- linux-2.6.32.48/net/ipv4/tcp_output.c 2011-11-08 19:02:43.000000000 -0500
78083+++ linux-2.6.32.48/net/ipv4/tcp_output.c 2011-11-15 19:59:43.000000000 -0500
78084@@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
78085 __u8 *md5_hash_location;
78086 int mss;
78087
78088+ pax_track_stack();
78089+
78090 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
78091 if (skb == NULL)
78092 return NULL;
78093diff -urNp linux-2.6.32.48/net/ipv4/tcp_probe.c linux-2.6.32.48/net/ipv4/tcp_probe.c
78094--- linux-2.6.32.48/net/ipv4/tcp_probe.c 2011-11-08 19:02:43.000000000 -0500
78095+++ linux-2.6.32.48/net/ipv4/tcp_probe.c 2011-11-15 19:59:43.000000000 -0500
78096@@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
78097 if (cnt + width >= len)
78098 break;
78099
78100- if (copy_to_user(buf + cnt, tbuf, width))
78101+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
78102 return -EFAULT;
78103 cnt += width;
78104 }
78105diff -urNp linux-2.6.32.48/net/ipv4/tcp_timer.c linux-2.6.32.48/net/ipv4/tcp_timer.c
78106--- linux-2.6.32.48/net/ipv4/tcp_timer.c 2011-11-08 19:02:43.000000000 -0500
78107+++ linux-2.6.32.48/net/ipv4/tcp_timer.c 2011-11-15 19:59:43.000000000 -0500
78108@@ -21,6 +21,10 @@
78109 #include <linux/module.h>
78110 #include <net/tcp.h>
78111
78112+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78113+extern int grsec_lastack_retries;
78114+#endif
78115+
78116 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
78117 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
78118 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
78119@@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
78120 }
78121 }
78122
78123+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78124+ if ((sk->sk_state == TCP_LAST_ACK) &&
78125+ (grsec_lastack_retries > 0) &&
78126+ (grsec_lastack_retries < retry_until))
78127+ retry_until = grsec_lastack_retries;
78128+#endif
78129+
78130 if (retransmits_timed_out(sk, retry_until)) {
78131 /* Has it gone just too far? */
78132 tcp_write_err(sk);
78133diff -urNp linux-2.6.32.48/net/ipv4/udp.c linux-2.6.32.48/net/ipv4/udp.c
78134--- linux-2.6.32.48/net/ipv4/udp.c 2011-11-08 19:02:43.000000000 -0500
78135+++ linux-2.6.32.48/net/ipv4/udp.c 2011-11-15 19:59:43.000000000 -0500
78136@@ -86,6 +86,7 @@
78137 #include <linux/types.h>
78138 #include <linux/fcntl.h>
78139 #include <linux/module.h>
78140+#include <linux/security.h>
78141 #include <linux/socket.h>
78142 #include <linux/sockios.h>
78143 #include <linux/igmp.h>
78144@@ -106,6 +107,10 @@
78145 #include <net/xfrm.h>
78146 #include "udp_impl.h"
78147
78148+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78149+extern int grsec_enable_blackhole;
78150+#endif
78151+
78152 struct udp_table udp_table;
78153 EXPORT_SYMBOL(udp_table);
78154
78155@@ -371,6 +376,9 @@ found:
78156 return s;
78157 }
78158
78159+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
78160+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
78161+
78162 /*
78163 * This routine is called by the ICMP module when it gets some
78164 * sort of error condition. If err < 0 then the socket should
78165@@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
78166 dport = usin->sin_port;
78167 if (dport == 0)
78168 return -EINVAL;
78169+
78170+ err = gr_search_udp_sendmsg(sk, usin);
78171+ if (err)
78172+ return err;
78173 } else {
78174 if (sk->sk_state != TCP_ESTABLISHED)
78175 return -EDESTADDRREQ;
78176+
78177+ err = gr_search_udp_sendmsg(sk, NULL);
78178+ if (err)
78179+ return err;
78180+
78181 daddr = inet->daddr;
78182 dport = inet->dport;
78183 /* Open fast path for connected socket.
78184@@ -945,6 +962,10 @@ try_again:
78185 if (!skb)
78186 goto out;
78187
78188+ err = gr_search_udp_recvmsg(sk, skb);
78189+ if (err)
78190+ goto out_free;
78191+
78192 ulen = skb->len - sizeof(struct udphdr);
78193 copied = len;
78194 if (copied > ulen)
78195@@ -1068,7 +1089,7 @@ static int __udp_queue_rcv_skb(struct so
78196 if (rc == -ENOMEM) {
78197 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
78198 is_udplite);
78199- atomic_inc(&sk->sk_drops);
78200+ atomic_inc_unchecked(&sk->sk_drops);
78201 }
78202 goto drop;
78203 }
78204@@ -1338,6 +1359,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
78205 goto csum_error;
78206
78207 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
78208+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78209+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
78210+#endif
78211 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
78212
78213 /*
78214@@ -1758,8 +1782,13 @@ static void udp4_format_sock(struct sock
78215 sk_wmem_alloc_get(sp),
78216 sk_rmem_alloc_get(sp),
78217 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
78218- atomic_read(&sp->sk_refcnt), sp,
78219- atomic_read(&sp->sk_drops), len);
78220+ atomic_read(&sp->sk_refcnt),
78221+#ifdef CONFIG_GRKERNSEC_HIDESYM
78222+ NULL,
78223+#else
78224+ sp,
78225+#endif
78226+ atomic_read_unchecked(&sp->sk_drops), len);
78227 }
78228
78229 int udp4_seq_show(struct seq_file *seq, void *v)
78230diff -urNp linux-2.6.32.48/net/ipv6/addrconf.c linux-2.6.32.48/net/ipv6/addrconf.c
78231--- linux-2.6.32.48/net/ipv6/addrconf.c 2011-11-08 19:02:43.000000000 -0500
78232+++ linux-2.6.32.48/net/ipv6/addrconf.c 2011-11-15 19:59:43.000000000 -0500
78233@@ -2053,7 +2053,7 @@ int addrconf_set_dstaddr(struct net *net
78234 p.iph.ihl = 5;
78235 p.iph.protocol = IPPROTO_IPV6;
78236 p.iph.ttl = 64;
78237- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
78238+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
78239
78240 if (ops->ndo_do_ioctl) {
78241 mm_segment_t oldfs = get_fs();
78242diff -urNp linux-2.6.32.48/net/ipv6/inet6_connection_sock.c linux-2.6.32.48/net/ipv6/inet6_connection_sock.c
78243--- linux-2.6.32.48/net/ipv6/inet6_connection_sock.c 2011-11-08 19:02:43.000000000 -0500
78244+++ linux-2.6.32.48/net/ipv6/inet6_connection_sock.c 2011-11-15 19:59:43.000000000 -0500
78245@@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
78246 #ifdef CONFIG_XFRM
78247 {
78248 struct rt6_info *rt = (struct rt6_info *)dst;
78249- rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
78250+ rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
78251 }
78252 #endif
78253 }
78254@@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
78255 #ifdef CONFIG_XFRM
78256 if (dst) {
78257 struct rt6_info *rt = (struct rt6_info *)dst;
78258- if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
78259+ if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
78260 sk->sk_dst_cache = NULL;
78261 dst_release(dst);
78262 dst = NULL;
78263diff -urNp linux-2.6.32.48/net/ipv6/inet6_hashtables.c linux-2.6.32.48/net/ipv6/inet6_hashtables.c
78264--- linux-2.6.32.48/net/ipv6/inet6_hashtables.c 2011-11-08 19:02:43.000000000 -0500
78265+++ linux-2.6.32.48/net/ipv6/inet6_hashtables.c 2011-11-15 19:59:43.000000000 -0500
78266@@ -119,7 +119,7 @@ out:
78267 }
78268 EXPORT_SYMBOL(__inet6_lookup_established);
78269
78270-static int inline compute_score(struct sock *sk, struct net *net,
78271+static inline int compute_score(struct sock *sk, struct net *net,
78272 const unsigned short hnum,
78273 const struct in6_addr *daddr,
78274 const int dif)
78275diff -urNp linux-2.6.32.48/net/ipv6/ipv6_sockglue.c linux-2.6.32.48/net/ipv6/ipv6_sockglue.c
78276--- linux-2.6.32.48/net/ipv6/ipv6_sockglue.c 2011-11-08 19:02:43.000000000 -0500
78277+++ linux-2.6.32.48/net/ipv6/ipv6_sockglue.c 2011-11-15 19:59:43.000000000 -0500
78278@@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
78279 int val, valbool;
78280 int retv = -ENOPROTOOPT;
78281
78282+ pax_track_stack();
78283+
78284 if (optval == NULL)
78285 val=0;
78286 else {
78287@@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
78288 int len;
78289 int val;
78290
78291+ pax_track_stack();
78292+
78293 if (ip6_mroute_opt(optname))
78294 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
78295
78296@@ -922,7 +926,7 @@ static int do_ipv6_getsockopt(struct soc
78297 if (sk->sk_type != SOCK_STREAM)
78298 return -ENOPROTOOPT;
78299
78300- msg.msg_control = optval;
78301+ msg.msg_control = (void __force_kernel *)optval;
78302 msg.msg_controllen = len;
78303 msg.msg_flags = 0;
78304
78305diff -urNp linux-2.6.32.48/net/ipv6/netfilter/ip6_queue.c linux-2.6.32.48/net/ipv6/netfilter/ip6_queue.c
78306--- linux-2.6.32.48/net/ipv6/netfilter/ip6_queue.c 2011-11-08 19:02:43.000000000 -0500
78307+++ linux-2.6.32.48/net/ipv6/netfilter/ip6_queue.c 2011-11-15 19:59:43.000000000 -0500
78308@@ -287,6 +287,9 @@ ipq_mangle_ipv6(ipq_verdict_msg_t *v, st
78309
78310 if (v->data_len < sizeof(*user_iph))
78311 return 0;
78312+ if (v->data_len > 65535)
78313+ return -EMSGSIZE;
78314+
78315 diff = v->data_len - e->skb->len;
78316 if (diff < 0) {
78317 if (pskb_trim(e->skb, v->data_len))
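Review bot: The bound in the added `if (v->data_len > 65535)` is a bare literal with no stated reason. Presumably it keeps `v->data_len - e->skb->len` within range for `diff`, which the hunk tests with `< 0`; a comment such as `/* cap data_len so the signed diff below cannot wrap */` or a named constant would make that intent checkable. The existing short-length path just above returns 0 while the new path returns `-EMSGSIZE`, so the caller, which is outside this hunk, has to treat negative returns as failure. ipq_mangle_ipv6 continues past the hunk.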
78318@@ -411,7 +414,8 @@ ipq_dev_drop(int ifindex)
78319 static inline void
78320 __ipq_rcv_skb(struct sk_buff *skb)
78321 {
78322- int status, type, pid, flags, nlmsglen, skblen;
78323+ int status, type, pid, flags;
78324+ unsigned int nlmsglen, skblen;
78325 struct nlmsghdr *nlh;
78326
78327 skblen = skb->len;
78328diff -urNp linux-2.6.32.48/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.48/net/ipv6/netfilter/ip6_tables.c
78329--- linux-2.6.32.48/net/ipv6/netfilter/ip6_tables.c 2011-11-08 19:02:43.000000000 -0500
78330+++ linux-2.6.32.48/net/ipv6/netfilter/ip6_tables.c 2011-11-15 19:59:43.000000000 -0500
78331@@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
78332 private = &tmp;
78333 }
78334 #endif
78335+ memset(&info, 0, sizeof(info));
78336 info.valid_hooks = t->valid_hooks;
78337 memcpy(info.hook_entry, private->hook_entry,
78338 sizeof(info.hook_entry));
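Review bot: The added `memset(&info, 0, sizeof(info));` carries no comment explaining why a struct whose fields are assigned right afterwards needs clearing. If `info` is later copied to userspace (the copy is outside this hunk), the clear is what keeps padding and any unassigned bytes from carrying stack contents. A one-line comment such as `/* clear padding and unset fields before the struct is copied out */` would stop it being removed as redundant. get_info starts and ends outside the hunk.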
78339diff -urNp linux-2.6.32.48/net/ipv6/raw.c linux-2.6.32.48/net/ipv6/raw.c
78340--- linux-2.6.32.48/net/ipv6/raw.c 2011-11-08 19:02:43.000000000 -0500
78341+++ linux-2.6.32.48/net/ipv6/raw.c 2011-11-15 19:59:43.000000000 -0500
78342@@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
78343 {
78344 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
78345 skb_checksum_complete(skb)) {
78346- atomic_inc(&sk->sk_drops);
78347+ atomic_inc_unchecked(&sk->sk_drops);
78348 kfree_skb(skb);
78349 return NET_RX_DROP;
78350 }
78351
78352 /* Charge it to the socket. */
78353 if (sock_queue_rcv_skb(sk,skb)<0) {
78354- atomic_inc(&sk->sk_drops);
78355+ atomic_inc_unchecked(&sk->sk_drops);
78356 kfree_skb(skb);
78357 return NET_RX_DROP;
78358 }
78359@@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
78360 struct raw6_sock *rp = raw6_sk(sk);
78361
78362 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
78363- atomic_inc(&sk->sk_drops);
78364+ atomic_inc_unchecked(&sk->sk_drops);
78365 kfree_skb(skb);
78366 return NET_RX_DROP;
78367 }
78368@@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
78369
78370 if (inet->hdrincl) {
78371 if (skb_checksum_complete(skb)) {
78372- atomic_inc(&sk->sk_drops);
78373+ atomic_inc_unchecked(&sk->sk_drops);
78374 kfree_skb(skb);
78375 return NET_RX_DROP;
78376 }
78377@@ -518,7 +518,7 @@ csum_copy_err:
78378 as some normal condition.
78379 */
78380 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
78381- atomic_inc(&sk->sk_drops);
78382+ atomic_inc_unchecked(&sk->sk_drops);
78383 goto out;
78384 }
78385
78386@@ -600,7 +600,7 @@ out:
78387 return err;
78388 }
78389
78390-static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
78391+static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
78392 struct flowi *fl, struct rt6_info *rt,
78393 unsigned int flags)
78394 {
78395@@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
78396 u16 proto;
78397 int err;
78398
78399+ pax_track_stack();
78400+
78401 /* Rough check on arithmetic overflow,
78402 better check is made in ip6_append_data().
78403 */
78404@@ -916,12 +918,17 @@ do_confirm:
78405 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
78406 char __user *optval, int optlen)
78407 {
78408+ struct icmp6_filter filter;
78409+
78410 switch (optname) {
78411 case ICMPV6_FILTER:
78412+ if (optlen < 0)
78413+ return -EINVAL;
78414 if (optlen > sizeof(struct icmp6_filter))
78415 optlen = sizeof(struct icmp6_filter);
78416- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
78417+ if (copy_from_user(&filter, optval, optlen))
78418 return -EFAULT;
78419+ raw6_sk(sk)->filter = filter;
78420 return 0;
78421 default:
78422 return -ENOPROTOOPT;
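Review bot: The new local `filter` in rawv6_seticmpfilter is uninitialised, so when `optlen` is smaller than `sizeof(struct icmp6_filter)` the bytes past `optlen` are stack contents that `raw6_sk(sk)->filter = filter;` then stores in the socket. The old code wrote only `optlen` bytes into the existing filter and left the rest unchanged, and rawv6_geticmpfilter in the following hunks copies the stored filter back out to the caller. Seeding the local first restores the old semantics and closes the leak: add `filter = raw6_sk(sk)->filter;` immediately before the `copy_from_user` call. The function's closing lines are outside the hunk.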
78423@@ -934,6 +941,7 @@ static int rawv6_geticmpfilter(struct so
78424 char __user *optval, int __user *optlen)
78425 {
78426 int len;
78427+ struct icmp6_filter filter;
78428
78429 switch (optname) {
78430 case ICMPV6_FILTER:
78431@@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
78432 len = sizeof(struct icmp6_filter);
78433 if (put_user(len, optlen))
78434 return -EFAULT;
78435- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
78436+ filter = raw6_sk(sk)->filter;
78437+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
78438 return -EFAULT;
78439 return 0;
78440 default:
78441@@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
78442 0, 0L, 0,
78443 sock_i_uid(sp), 0,
78444 sock_i_ino(sp),
78445- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
78446+ atomic_read(&sp->sk_refcnt),
78447+#ifdef CONFIG_GRKERNSEC_HIDESYM
78448+ NULL,
78449+#else
78450+ sp,
78451+#endif
78452+ atomic_read_unchecked(&sp->sk_drops));
78453 }
78454
78455 static int raw6_seq_show(struct seq_file *seq, void *v)
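Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` / `#else` / `#endif` block spliced into the middle of the argument list is hard to read. It is repeated in the get_openreq6, get_tcp6_sock and get_timewait6_sock hunks of tcp_ipv6.c, in udp6_sock_seq_show and in pfkey_seq_show. A single helper macro defined once under the same config symbol, expanding to `NULL` when it is set and to its argument otherwise, would keep each call site to one line and make a missed site easier to spot when a new `%p` is added. The format string for this call is outside the hunk, so the position of the pointer argument cannot be cross-checked from here.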
78456diff -urNp linux-2.6.32.48/net/ipv6/tcp_ipv6.c linux-2.6.32.48/net/ipv6/tcp_ipv6.c
78457--- linux-2.6.32.48/net/ipv6/tcp_ipv6.c 2011-11-08 19:02:43.000000000 -0500
78458+++ linux-2.6.32.48/net/ipv6/tcp_ipv6.c 2011-11-15 19:59:43.000000000 -0500
78459@@ -89,6 +89,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
78460 }
78461 #endif
78462
78463+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78464+extern int grsec_enable_blackhole;
78465+#endif
78466+
78467 static void tcp_v6_hash(struct sock *sk)
78468 {
78469 if (sk->sk_state != TCP_CLOSE) {
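Review bot: `extern int grsec_enable_blackhole;` is declared directly in this source file, and the same declaration is repeated in the first udp.c hunk. A declaration kept in a .c file is never checked against the definition, so a later change of the variable's type would go unnoticed by the compiler. It would be safer to place the declaration in one shared header that the defining file also includes.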
78470@@ -1579,6 +1583,9 @@ static int tcp_v6_do_rcv(struct sock *sk
78471 return 0;
78472
78473 reset:
78474+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78475+ if (!grsec_enable_blackhole)
78476+#endif
78477 tcp_v6_send_reset(sk, skb);
78478 discard:
78479 if (opt_skb)
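Review bot: The added `if (!grsec_enable_blackhole)` has no braces and sits inside an `#ifdef`, so the statement it guards is whatever happens to follow the `#endif`. A line inserted before `tcp_v6_send_reset(sk, skb);` would silently change what is suppressed. The same construct guards `tcp_v6_send_reset(NULL, skb);` in the no_tcp_socket hunk and `icmpv6_send(...)` in __udp6_lib_rcv in udp.c. Moving the condition into one small static inline predicate that is constant-true when the option is off would allow an ordinary braced `if` at all three sites.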
78480@@ -1656,12 +1663,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
78481 TCP_SKB_CB(skb)->sacked = 0;
78482
78483 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
78484- if (!sk)
78485+ if (!sk) {
78486+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78487+ ret = 1;
78488+#endif
78489 goto no_tcp_socket;
78490+ }
78491
78492 process:
78493- if (sk->sk_state == TCP_TIME_WAIT)
78494+ if (sk->sk_state == TCP_TIME_WAIT) {
78495+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78496+ ret = 2;
78497+#endif
78498 goto do_time_wait;
78499+ }
78500
78501 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
78502 goto discard_and_relse;
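Review bot: `ret = 1;` and `ret = 2;` reuse the function's result variable as an untyped tag for how `no_tcp_socket` was reached, and only the value 1 is ever tested (`ret == 1` in the no_tcp_socket hunk). Named constants or a dedicated local would make the intent readable and rule out the tag being mistaken for a return code. Any other jump to `no_tcp_socket` outside these hunks would arrive with `ret` holding whatever it had before, which cannot be checked from here. The loopback test in that hunk also reads `skb->dev->flags` with no NULL check; presumably `skb->dev` is always set on this receive path, but a comment should say so.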
78503@@ -1701,6 +1716,10 @@ no_tcp_socket:
78504 bad_packet:
78505 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
78506 } else {
78507+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78508+ if (!grsec_enable_blackhole || (ret == 1 &&
78509+ (skb->dev->flags & IFF_LOOPBACK)))
78510+#endif
78511 tcp_v6_send_reset(NULL, skb);
78512 }
78513
78514@@ -1916,7 +1935,13 @@ static void get_openreq6(struct seq_file
78515 uid,
78516 0, /* non standard timer */
78517 0, /* open_requests have no inode */
78518- 0, req);
78519+ 0,
78520+#ifdef CONFIG_GRKERNSEC_HIDESYM
78521+ NULL
78522+#else
78523+ req
78524+#endif
78525+ );
78526 }
78527
78528 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
78529@@ -1966,7 +1991,12 @@ static void get_tcp6_sock(struct seq_fil
78530 sock_i_uid(sp),
78531 icsk->icsk_probes_out,
78532 sock_i_ino(sp),
78533- atomic_read(&sp->sk_refcnt), sp,
78534+ atomic_read(&sp->sk_refcnt),
78535+#ifdef CONFIG_GRKERNSEC_HIDESYM
78536+ NULL,
78537+#else
78538+ sp,
78539+#endif
78540 jiffies_to_clock_t(icsk->icsk_rto),
78541 jiffies_to_clock_t(icsk->icsk_ack.ato),
78542 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
78543@@ -2001,7 +2031,13 @@ static void get_timewait6_sock(struct se
78544 dest->s6_addr32[2], dest->s6_addr32[3], destp,
78545 tw->tw_substate, 0, 0,
78546 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
78547- atomic_read(&tw->tw_refcnt), tw);
78548+ atomic_read(&tw->tw_refcnt),
78549+#ifdef CONFIG_GRKERNSEC_HIDESYM
78550+ NULL
78551+#else
78552+ tw
78553+#endif
78554+ );
78555 }
78556
78557 static int tcp6_seq_show(struct seq_file *seq, void *v)
78558diff -urNp linux-2.6.32.48/net/ipv6/udp.c linux-2.6.32.48/net/ipv6/udp.c
78559--- linux-2.6.32.48/net/ipv6/udp.c 2011-11-08 19:02:43.000000000 -0500
78560+++ linux-2.6.32.48/net/ipv6/udp.c 2011-11-15 19:59:43.000000000 -0500
78561@@ -49,6 +49,10 @@
78562 #include <linux/seq_file.h>
78563 #include "udp_impl.h"
78564
78565+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78566+extern int grsec_enable_blackhole;
78567+#endif
78568+
78569 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
78570 {
78571 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
78572@@ -391,7 +395,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
78573 if (rc == -ENOMEM) {
78574 UDP6_INC_STATS_BH(sock_net(sk),
78575 UDP_MIB_RCVBUFERRORS, is_udplite);
78576- atomic_inc(&sk->sk_drops);
78577+ atomic_inc_unchecked(&sk->sk_drops);
78578 }
78579 goto drop;
78580 }
78581@@ -590,6 +594,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
78582 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
78583 proto == IPPROTO_UDPLITE);
78584
78585+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
78586+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
78587+#endif
78588 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
78589
78590 kfree_skb(skb);
78591@@ -1209,8 +1216,13 @@ static void udp6_sock_seq_show(struct se
78592 0, 0L, 0,
78593 sock_i_uid(sp), 0,
78594 sock_i_ino(sp),
78595- atomic_read(&sp->sk_refcnt), sp,
78596- atomic_read(&sp->sk_drops));
78597+ atomic_read(&sp->sk_refcnt),
78598+#ifdef CONFIG_GRKERNSEC_HIDESYM
78599+ NULL,
78600+#else
78601+ sp,
78602+#endif
78603+ atomic_read_unchecked(&sp->sk_drops));
78604 }
78605
78606 int udp6_seq_show(struct seq_file *seq, void *v)
78607diff -urNp linux-2.6.32.48/net/irda/ircomm/ircomm_tty.c linux-2.6.32.48/net/irda/ircomm/ircomm_tty.c
78608--- linux-2.6.32.48/net/irda/ircomm/ircomm_tty.c 2011-11-08 19:02:43.000000000 -0500
78609+++ linux-2.6.32.48/net/irda/ircomm/ircomm_tty.c 2011-11-15 19:59:43.000000000 -0500
78610@@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
78611 add_wait_queue(&self->open_wait, &wait);
78612
78613 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
78614- __FILE__,__LINE__, tty->driver->name, self->open_count );
78615+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
78616
78617 /* As far as I can see, we protect open_count - Jean II */
78618 spin_lock_irqsave(&self->spinlock, flags);
78619 if (!tty_hung_up_p(filp)) {
78620 extra_count = 1;
78621- self->open_count--;
78622+ local_dec(&self->open_count);
78623 }
78624 spin_unlock_irqrestore(&self->spinlock, flags);
78625- self->blocked_open++;
78626+ local_inc(&self->blocked_open);
78627
78628 while (1) {
78629 if (tty->termios->c_cflag & CBAUD) {
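Review bot: The debug format strings still use `%d` while the argument is now `local_read(&self->open_count)`, which as far as I know evaluates to a `long`. That is a format/argument mismatch on 64-bit builds; either cast with `(int)local_read(&self->open_count)` or change the conversion to `%ld`. The same applies to the other IRDA_DEBUG and IRDA_ERROR calls changed in ircomm_tty_block_til_ready, ircomm_tty_open and ircomm_tty_close, and to the `seq_printf(m, "Open count: %d\n", ...)` line in ircomm_tty_line_info.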
78630@@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
78631 }
78632
78633 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
78634- __FILE__,__LINE__, tty->driver->name, self->open_count );
78635+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
78636
78637 schedule();
78638 }
78639@@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
78640 if (extra_count) {
78641 /* ++ is not atomic, so this should be protected - Jean II */
78642 spin_lock_irqsave(&self->spinlock, flags);
78643- self->open_count++;
78644+ local_inc(&self->open_count);
78645 spin_unlock_irqrestore(&self->spinlock, flags);
78646 }
78647- self->blocked_open--;
78648+ local_dec(&self->blocked_open);
78649
78650 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
78651- __FILE__,__LINE__, tty->driver->name, self->open_count);
78652+ __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
78653
78654 if (!retval)
78655 self->flags |= ASYNC_NORMAL_ACTIVE;
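Review bot: `local_dec(&self->blocked_open)` here, like `local_inc(&self->blocked_open)` in the first hunk of this function, runs outside `self->spinlock`, and `local_t` operations are atomic only with respect to the CPU they run on. The old `++`/`--` had the same exposure, so this is not a regression, but the conversion can read as if it made the counter safe across CPUs. Either take the spinlock around the update as is done for `open_count`, or state the intent with a comment such as `/* local_t is not SMP-atomic; blocked_open is only a wake-up hint */`. ircomm_tty_block_til_ready begins and ends outside the hunk.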
78656@@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
78657 }
78658 /* ++ is not atomic, so this should be protected - Jean II */
78659 spin_lock_irqsave(&self->spinlock, flags);
78660- self->open_count++;
78661+ local_inc(&self->open_count);
78662
78663 tty->driver_data = self;
78664 self->tty = tty;
78665 spin_unlock_irqrestore(&self->spinlock, flags);
78666
78667 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
78668- self->line, self->open_count);
78669+ self->line, local_read(&self->open_count));
78670
78671 /* Not really used by us, but lets do it anyway */
78672 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
78673@@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
78674 return;
78675 }
78676
78677- if ((tty->count == 1) && (self->open_count != 1)) {
78678+ if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
78679 /*
78680 * Uh, oh. tty->count is 1, which means that the tty
78681 * structure will be freed. state->count should always
78682@@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
78683 */
78684 IRDA_DEBUG(0, "%s(), bad serial port count; "
78685 "tty->count is 1, state->count is %d\n", __func__ ,
78686- self->open_count);
78687- self->open_count = 1;
78688+ local_read(&self->open_count));
78689+ local_set(&self->open_count, 1);
78690 }
78691
78692- if (--self->open_count < 0) {
78693+ if (local_dec_return(&self->open_count) < 0) {
78694 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
78695- __func__, self->line, self->open_count);
78696- self->open_count = 0;
78697+ __func__, self->line, local_read(&self->open_count));
78698+ local_set(&self->open_count, 0);
78699 }
78700- if (self->open_count) {
78701+ if (local_read(&self->open_count)) {
78702 spin_unlock_irqrestore(&self->spinlock, flags);
78703
78704 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
78705@@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
78706 tty->closing = 0;
78707 self->tty = NULL;
78708
78709- if (self->blocked_open) {
78710+ if (local_read(&self->blocked_open)) {
78711 if (self->close_delay)
78712 schedule_timeout_interruptible(self->close_delay);
78713 wake_up_interruptible(&self->open_wait);
78714@@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
78715 spin_lock_irqsave(&self->spinlock, flags);
78716 self->flags &= ~ASYNC_NORMAL_ACTIVE;
78717 self->tty = NULL;
78718- self->open_count = 0;
78719+ local_set(&self->open_count, 0);
78720 spin_unlock_irqrestore(&self->spinlock, flags);
78721
78722 wake_up_interruptible(&self->open_wait);
78723@@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
78724 seq_putc(m, '\n');
78725
78726 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
78727- seq_printf(m, "Open count: %d\n", self->open_count);
78728+ seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
78729 seq_printf(m, "Max data size: %d\n", self->max_data_size);
78730 seq_printf(m, "Max header size: %d\n", self->max_header_size);
78731
78732diff -urNp linux-2.6.32.48/net/iucv/af_iucv.c linux-2.6.32.48/net/iucv/af_iucv.c
78733--- linux-2.6.32.48/net/iucv/af_iucv.c 2011-11-08 19:02:43.000000000 -0500
78734+++ linux-2.6.32.48/net/iucv/af_iucv.c 2011-11-15 19:59:43.000000000 -0500
78735@@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
78736
78737 write_lock_bh(&iucv_sk_list.lock);
78738
78739- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
78740+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
78741 while (__iucv_get_sock_by_name(name)) {
78742 sprintf(name, "%08x",
78743- atomic_inc_return(&iucv_sk_list.autobind_name));
78744+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
78745 }
78746
78747 write_unlock_bh(&iucv_sk_list.lock);
78748diff -urNp linux-2.6.32.48/net/key/af_key.c linux-2.6.32.48/net/key/af_key.c
78749--- linux-2.6.32.48/net/key/af_key.c 2011-11-08 19:02:43.000000000 -0500
78750+++ linux-2.6.32.48/net/key/af_key.c 2011-11-15 19:59:43.000000000 -0500
78751@@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
78752 struct xfrm_migrate m[XFRM_MAX_DEPTH];
78753 struct xfrm_kmaddress k;
78754
78755+ pax_track_stack();
78756+
78757 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
78758 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
78759 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
78760@@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
78761 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
78762 else
78763 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
78764+#ifdef CONFIG_GRKERNSEC_HIDESYM
78765+ NULL,
78766+#else
78767 s,
78768+#endif
78769 atomic_read(&s->sk_refcnt),
78770 sk_rmem_alloc_get(s),
78771 sk_wmem_alloc_get(s),
78772diff -urNp linux-2.6.32.48/net/lapb/lapb_iface.c linux-2.6.32.48/net/lapb/lapb_iface.c
78773--- linux-2.6.32.48/net/lapb/lapb_iface.c 2011-11-08 19:02:43.000000000 -0500
78774+++ linux-2.6.32.48/net/lapb/lapb_iface.c 2011-11-15 19:59:43.000000000 -0500
78775@@ -157,7 +157,7 @@ int lapb_register(struct net_device *dev
78776 goto out;
78777
78778 lapb->dev = dev;
78779- lapb->callbacks = *callbacks;
78780+ lapb->callbacks = callbacks;
78781
78782 __lapb_insert_cb(lapb);
78783
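Review bot: `lapb->callbacks = callbacks;` now keeps the caller's pointer instead of a copy, so the structure passed to lapb_register must stay valid for as long as the lapb_cb exists. A caller outside this section that builds the callback struct on its stack would leave a dangling pointer, which the `lapb->callbacks->...` calls in the next hunk then dereference. The requirement belongs in lapb_register's comment, e.g. `/* callbacks is stored, not copied: it must have static storage duration */`. The parameter is also best const-qualified so callers can keep the table in read-only data.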
78784@@ -379,32 +379,32 @@ int lapb_data_received(struct net_device
78785
78786 void lapb_connect_confirmation(struct lapb_cb *lapb, int reason)
78787 {
78788- if (lapb->callbacks.connect_confirmation)
78789- lapb->callbacks.connect_confirmation(lapb->dev, reason);
78790+ if (lapb->callbacks->connect_confirmation)
78791+ lapb->callbacks->connect_confirmation(lapb->dev, reason);
78792 }
78793
78794 void lapb_connect_indication(struct lapb_cb *lapb, int reason)
78795 {
78796- if (lapb->callbacks.connect_indication)
78797- lapb->callbacks.connect_indication(lapb->dev, reason);
78798+ if (lapb->callbacks->connect_indication)
78799+ lapb->callbacks->connect_indication(lapb->dev, reason);
78800 }
78801
78802 void lapb_disconnect_confirmation(struct lapb_cb *lapb, int reason)
78803 {
78804- if (lapb->callbacks.disconnect_confirmation)
78805- lapb->callbacks.disconnect_confirmation(lapb->dev, reason);
78806+ if (lapb->callbacks->disconnect_confirmation)
78807+ lapb->callbacks->disconnect_confirmation(lapb->dev, reason);
78808 }
78809
78810 void lapb_disconnect_indication(struct lapb_cb *lapb, int reason)
78811 {
78812- if (lapb->callbacks.disconnect_indication)
78813- lapb->callbacks.disconnect_indication(lapb->dev, reason);
78814+ if (lapb->callbacks->disconnect_indication)
78815+ lapb->callbacks->disconnect_indication(lapb->dev, reason);
78816 }
78817
78818 int lapb_data_indication(struct lapb_cb *lapb, struct sk_buff *skb)
78819 {
78820- if (lapb->callbacks.data_indication)
78821- return lapb->callbacks.data_indication(lapb->dev, skb);
78822+ if (lapb->callbacks->data_indication)
78823+ return lapb->callbacks->data_indication(lapb->dev, skb);
78824
78825 kfree_skb(skb);
78826 return NET_RX_SUCCESS; /* For now; must be != NET_RX_DROP */
78827@@ -414,8 +414,8 @@ int lapb_data_transmit(struct lapb_cb *l
78828 {
78829 int used = 0;
78830
78831- if (lapb->callbacks.data_transmit) {
78832- lapb->callbacks.data_transmit(lapb->dev, skb);
78833+ if (lapb->callbacks->data_transmit) {
78834+ lapb->callbacks->data_transmit(lapb->dev, skb);
78835 used = 1;
78836 }
78837
78838diff -urNp linux-2.6.32.48/net/mac80211/cfg.c linux-2.6.32.48/net/mac80211/cfg.c
78839--- linux-2.6.32.48/net/mac80211/cfg.c 2011-11-08 19:02:43.000000000 -0500
78840+++ linux-2.6.32.48/net/mac80211/cfg.c 2011-11-15 19:59:43.000000000 -0500
78841@@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
78842 return err;
78843 }
78844
78845-struct cfg80211_ops mac80211_config_ops = {
78846+const struct cfg80211_ops mac80211_config_ops = {
78847 .add_virtual_intf = ieee80211_add_iface,
78848 .del_virtual_intf = ieee80211_del_iface,
78849 .change_virtual_intf = ieee80211_change_iface,
78850diff -urNp linux-2.6.32.48/net/mac80211/cfg.h linux-2.6.32.48/net/mac80211/cfg.h
78851--- linux-2.6.32.48/net/mac80211/cfg.h 2011-11-08 19:02:43.000000000 -0500
78852+++ linux-2.6.32.48/net/mac80211/cfg.h 2011-11-15 19:59:43.000000000 -0500
78853@@ -4,6 +4,6 @@
78854 #ifndef __CFG_H
78855 #define __CFG_H
78856
78857-extern struct cfg80211_ops mac80211_config_ops;
78858+extern const struct cfg80211_ops mac80211_config_ops;
78859
78860 #endif /* __CFG_H */
78861diff -urNp linux-2.6.32.48/net/mac80211/debugfs_key.c linux-2.6.32.48/net/mac80211/debugfs_key.c
78862--- linux-2.6.32.48/net/mac80211/debugfs_key.c 2011-11-08 19:02:43.000000000 -0500
78863+++ linux-2.6.32.48/net/mac80211/debugfs_key.c 2011-11-15 19:59:43.000000000 -0500
78864@@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
78865 size_t count, loff_t *ppos)
78866 {
78867 struct ieee80211_key *key = file->private_data;
78868- int i, res, bufsize = 2 * key->conf.keylen + 2;
78869+ int i, bufsize = 2 * key->conf.keylen + 2;
78870 char *buf = kmalloc(bufsize, GFP_KERNEL);
78871 char *p = buf;
78872+ ssize_t res;
78873+
78874+ if (buf == NULL)
78875+ return -ENOMEM;
78876
78877 for (i = 0; i < key->conf.keylen; i++)
78878 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
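Review bot: `buf` is filled with the hex form of `key->conf.key`, so it holds key material for the duration of the read. The release is outside this hunk; if it is a plain `kfree(buf)`, the hex key stays behind in freed slab memory, and `kzfree(buf)` would clear it first. The added `if (buf == NULL) return -ENOMEM;` is right, but allocating inside the declaration and testing several lines later is easy to break. A separate `buf = kmalloc(bufsize, GFP_KERNEL);` statement followed immediately by the test reads more safely.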
78879diff -urNp linux-2.6.32.48/net/mac80211/debugfs_sta.c linux-2.6.32.48/net/mac80211/debugfs_sta.c
78880--- linux-2.6.32.48/net/mac80211/debugfs_sta.c 2011-11-08 19:02:43.000000000 -0500
78881+++ linux-2.6.32.48/net/mac80211/debugfs_sta.c 2011-11-15 19:59:43.000000000 -0500
78882@@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
78883 int i;
78884 struct sta_info *sta = file->private_data;
78885
78886+ pax_track_stack();
78887+
78888 spin_lock_bh(&sta->lock);
78889 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
78890 sta->ampdu_mlme.dialog_token_allocator + 1);
78891diff -urNp linux-2.6.32.48/net/mac80211/ieee80211_i.h linux-2.6.32.48/net/mac80211/ieee80211_i.h
78892--- linux-2.6.32.48/net/mac80211/ieee80211_i.h 2011-11-08 19:02:43.000000000 -0500
78893+++ linux-2.6.32.48/net/mac80211/ieee80211_i.h 2011-11-15 19:59:43.000000000 -0500
78894@@ -25,6 +25,7 @@
78895 #include <linux/etherdevice.h>
78896 #include <net/cfg80211.h>
78897 #include <net/mac80211.h>
78898+#include <asm/local.h>
78899 #include "key.h"
78900 #include "sta_info.h"
78901
78902@@ -635,7 +636,7 @@ struct ieee80211_local {
78903 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
78904 spinlock_t queue_stop_reason_lock;
78905
78906- int open_count;
78907+ local_t open_count;
78908 int monitors, cooked_mntrs;
78909 /* number of interfaces with corresponding FIF_ flags */
78910 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
78911diff -urNp linux-2.6.32.48/net/mac80211/iface.c linux-2.6.32.48/net/mac80211/iface.c
78912--- linux-2.6.32.48/net/mac80211/iface.c 2011-11-08 19:02:43.000000000 -0500
78913+++ linux-2.6.32.48/net/mac80211/iface.c 2011-11-15 19:59:43.000000000 -0500
78914@@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
78915 break;
78916 }
78917
78918- if (local->open_count == 0) {
78919+ if (local_read(&local->open_count) == 0) {
78920 res = drv_start(local);
78921 if (res)
78922 goto err_del_bss;
78923@@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
78924 * Validate the MAC address for this device.
78925 */
78926 if (!is_valid_ether_addr(dev->dev_addr)) {
78927- if (!local->open_count)
78928+ if (!local_read(&local->open_count))
78929 drv_stop(local);
78930 return -EADDRNOTAVAIL;
78931 }
78932@@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
78933
78934 hw_reconf_flags |= __ieee80211_recalc_idle(local);
78935
78936- local->open_count++;
78937+ local_inc(&local->open_count);
78938 if (hw_reconf_flags) {
78939 ieee80211_hw_config(local, hw_reconf_flags);
78940 /*
78941@@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
78942 err_del_interface:
78943 drv_remove_interface(local, &conf);
78944 err_stop:
78945- if (!local->open_count)
78946+ if (!local_read(&local->open_count))
78947 drv_stop(local);
78948 err_del_bss:
78949 sdata->bss = NULL;
78950@@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
78951 WARN_ON(!list_empty(&sdata->u.ap.vlans));
78952 }
78953
78954- local->open_count--;
78955+ local_dec(&local->open_count);
78956
78957 switch (sdata->vif.type) {
78958 case NL80211_IFTYPE_AP_VLAN:
78959@@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
78960
78961 ieee80211_recalc_ps(local, -1);
78962
78963- if (local->open_count == 0) {
78964+ if (local_read(&local->open_count) == 0) {
78965 ieee80211_clear_tx_pending(local);
78966 ieee80211_stop_device(local);
78967
78968diff -urNp linux-2.6.32.48/net/mac80211/main.c linux-2.6.32.48/net/mac80211/main.c
78969--- linux-2.6.32.48/net/mac80211/main.c 2011-11-08 19:02:43.000000000 -0500
78970+++ linux-2.6.32.48/net/mac80211/main.c 2011-11-15 19:59:43.000000000 -0500
78971@@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
78972 local->hw.conf.power_level = power;
78973 }
78974
78975- if (changed && local->open_count) {
78976+ if (changed && local_read(&local->open_count)) {
78977 ret = drv_config(local, changed);
78978 /*
78979 * Goal:
78980diff -urNp linux-2.6.32.48/net/mac80211/mlme.c linux-2.6.32.48/net/mac80211/mlme.c
78981--- linux-2.6.32.48/net/mac80211/mlme.c 2011-11-08 19:02:43.000000000 -0500
78982+++ linux-2.6.32.48/net/mac80211/mlme.c 2011-11-15 19:59:43.000000000 -0500
78983@@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
78984 bool have_higher_than_11mbit = false, newsta = false;
78985 u16 ap_ht_cap_flags;
78986
78987+ pax_track_stack();
78988+
78989 /*
78990 * AssocResp and ReassocResp have identical structure, so process both
78991 * of them in this function.
78992diff -urNp linux-2.6.32.48/net/mac80211/pm.c linux-2.6.32.48/net/mac80211/pm.c
78993--- linux-2.6.32.48/net/mac80211/pm.c 2011-11-08 19:02:43.000000000 -0500
78994+++ linux-2.6.32.48/net/mac80211/pm.c 2011-11-15 19:59:43.000000000 -0500
78995@@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
78996 }
78997
78998 /* stop hardware - this must stop RX */
78999- if (local->open_count)
79000+ if (local_read(&local->open_count))
79001 ieee80211_stop_device(local);
79002
79003 local->suspended = true;
79004diff -urNp linux-2.6.32.48/net/mac80211/rate.c linux-2.6.32.48/net/mac80211/rate.c
79005--- linux-2.6.32.48/net/mac80211/rate.c 2011-11-08 19:02:43.000000000 -0500
79006+++ linux-2.6.32.48/net/mac80211/rate.c 2011-11-15 19:59:43.000000000 -0500
79007@@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
79008 struct rate_control_ref *ref, *old;
79009
79010 ASSERT_RTNL();
79011- if (local->open_count)
79012+ if (local_read(&local->open_count))
79013 return -EBUSY;
79014
79015 ref = rate_control_alloc(name, local);
79016diff -urNp linux-2.6.32.48/net/mac80211/tx.c linux-2.6.32.48/net/mac80211/tx.c
79017--- linux-2.6.32.48/net/mac80211/tx.c 2011-11-08 19:02:43.000000000 -0500
79018+++ linux-2.6.32.48/net/mac80211/tx.c 2011-11-15 19:59:43.000000000 -0500
79019@@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
79020 return cpu_to_le16(dur);
79021 }
79022
79023-static int inline is_ieee80211_device(struct ieee80211_local *local,
79024+static inline int is_ieee80211_device(struct ieee80211_local *local,
79025 struct net_device *dev)
79026 {
79027 return local == wdev_priv(dev->ieee80211_ptr);
79028diff -urNp linux-2.6.32.48/net/mac80211/util.c linux-2.6.32.48/net/mac80211/util.c
79029--- linux-2.6.32.48/net/mac80211/util.c 2011-11-08 19:02:43.000000000 -0500
79030+++ linux-2.6.32.48/net/mac80211/util.c 2011-11-15 19:59:43.000000000 -0500
79031@@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
79032 local->resuming = true;
79033
79034 /* restart hardware */
79035- if (local->open_count) {
79036+ if (local_read(&local->open_count)) {
79037 /*
79038 * Upon resume hardware can sometimes be goofy due to
79039 * various platform / driver / bus issues, so restarting
79040diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_app.c
79041--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_app.c 2011-11-08 19:02:43.000000000 -0500
79042+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_app.c 2011-11-15 19:59:43.000000000 -0500
79043@@ -564,7 +564,7 @@ static const struct file_operations ip_v
79044 .open = ip_vs_app_open,
79045 .read = seq_read,
79046 .llseek = seq_lseek,
79047- .release = seq_release,
79048+ .release = seq_release_net,
79049 };
79050 #endif
79051
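Review bot: Setting `.release = seq_release_net` is only correct if the matching `.open` handler, which is outside this hunk, opens the file with the net-aware helper. `seq_release_net` expects the seq_file private data to carry a network-namespace reference and drops it on release. If ip_vs_app_open uses a plain `seq_open`, there is no such reference to drop. The same pairing needs checking for the two `seq_release_net` changes in ip_vs_conn.c and for the `seq_release_net` and `single_release_net` changes in ip_vs_ctl.c.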
79052diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_conn.c
79053--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_conn.c 2011-11-08 19:02:43.000000000 -0500
79054+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_conn.c 2011-11-15 19:59:43.000000000 -0500
79055@@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
79056 /* if the connection is not template and is created
79057 * by sync, preserve the activity flag.
79058 */
79059- cp->flags |= atomic_read(&dest->conn_flags) &
79060+ cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
79061 (~IP_VS_CONN_F_INACTIVE);
79062 else
79063- cp->flags |= atomic_read(&dest->conn_flags);
79064+ cp->flags |= atomic_read_unchecked(&dest->conn_flags);
79065 cp->dest = dest;
79066
79067 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
79068@@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
79069 atomic_set(&cp->refcnt, 1);
79070
79071 atomic_set(&cp->n_control, 0);
79072- atomic_set(&cp->in_pkts, 0);
79073+ atomic_set_unchecked(&cp->in_pkts, 0);
79074
79075 atomic_inc(&ip_vs_conn_count);
79076 if (flags & IP_VS_CONN_F_NO_CPORT)
79077@@ -871,7 +871,7 @@ static const struct file_operations ip_v
79078 .open = ip_vs_conn_open,
79079 .read = seq_read,
79080 .llseek = seq_lseek,
79081- .release = seq_release,
79082+ .release = seq_release_net,
79083 };
79084
79085 static const char *ip_vs_origin_name(unsigned flags)
79086@@ -934,7 +934,7 @@ static const struct file_operations ip_v
79087 .open = ip_vs_conn_sync_open,
79088 .read = seq_read,
79089 .llseek = seq_lseek,
79090- .release = seq_release,
79091+ .release = seq_release_net,
79092 };
79093
79094 #endif
79095@@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
79096
79097 /* Don't drop the entry if its number of incoming packets is not
79098 located in [0, 8] */
79099- i = atomic_read(&cp->in_pkts);
79100+ i = atomic_read_unchecked(&cp->in_pkts);
79101 if (i > 8 || i < 0) return 0;
79102
79103 if (!todrop_rate[i]) return 0;
79104diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_core.c
79105--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_core.c 2011-11-08 19:02:43.000000000 -0500
79106+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_core.c 2011-11-15 19:59:43.000000000 -0500
79107@@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
79108 ret = cp->packet_xmit(skb, cp, pp);
79109 /* do not touch skb anymore */
79110
79111- atomic_inc(&cp->in_pkts);
79112+ atomic_inc_unchecked(&cp->in_pkts);
79113 ip_vs_conn_put(cp);
79114 return ret;
79115 }
79116@@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
79117 * Sync connection if it is about to close to
79118 * encorage the standby servers to update the connections timeout
79119 */
79120- pkts = atomic_add_return(1, &cp->in_pkts);
79121+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
79122 if (af == AF_INET &&
79123 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
79124 (((cp->protocol != IPPROTO_TCP ||
79125diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_ctl.c
79126--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-08 19:02:43.000000000 -0500
79127+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_ctl.c 2011-11-15 19:59:43.000000000 -0500
79128@@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
79129 ip_vs_rs_hash(dest);
79130 write_unlock_bh(&__ip_vs_rs_lock);
79131 }
79132- atomic_set(&dest->conn_flags, conn_flags);
79133+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
79134
79135 /* bind the service */
79136 if (!dest->svc) {
79137@@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
79138 " %-7s %-6d %-10d %-10d\n",
79139 &dest->addr.in6,
79140 ntohs(dest->port),
79141- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
79142+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
79143 atomic_read(&dest->weight),
79144 atomic_read(&dest->activeconns),
79145 atomic_read(&dest->inactconns));
79146@@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
79147 "%-7s %-6d %-10d %-10d\n",
79148 ntohl(dest->addr.ip),
79149 ntohs(dest->port),
79150- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
79151+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
79152 atomic_read(&dest->weight),
79153 atomic_read(&dest->activeconns),
79154 atomic_read(&dest->inactconns));
79155@@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
79156 .open = ip_vs_info_open,
79157 .read = seq_read,
79158 .llseek = seq_lseek,
79159- .release = seq_release_private,
79160+ .release = seq_release_net,
79161 };
79162
79163 #endif
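Review bot: The new `.release = seq_release_net` is only correct if `ip_vs_info_open` opens the file with the matching net-aware helper, and that function is outside this hunk. A release handler that does not match its open either leaks the reference taken at open time or drops one that was never taken, so the pairing should be checked rather than assumed. The same holds for `single_release_net` against `ip_vs_stats_seq_open` in the next hunk. A short comment above each initializer, e.g. `/* .release must pair with the open helper used in ip_vs_info_open() */`, would keep the two in step; the struct initializer itself starts before the hunk.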
79164@@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
79165 .open = ip_vs_stats_seq_open,
79166 .read = seq_read,
79167 .llseek = seq_lseek,
79168- .release = single_release,
79169+ .release = single_release_net,
79170 };
79171
79172 #endif
79173@@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
79174
79175 entry.addr = dest->addr.ip;
79176 entry.port = dest->port;
79177- entry.conn_flags = atomic_read(&dest->conn_flags);
79178+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
79179 entry.weight = atomic_read(&dest->weight);
79180 entry.u_threshold = dest->u_threshold;
79181 entry.l_threshold = dest->l_threshold;
79182@@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
79183 unsigned char arg[128];
79184 int ret = 0;
79185
79186+ pax_track_stack();
79187+
79188 if (!capable(CAP_NET_ADMIN))
79189 return -EPERM;
79190
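Review bot: The added `pax_track_stack();` in do_ip_vs_get_ctl() carries no comment saying which locals make this frame large enough to need it. Only `unsigned char arg[128]` and `ret` are visible here, and the rest of the function lies outside the hunk. A line such as `/* large on-stack buffers in this function: record stack depth for stack clearing */` would tell a maintainer whether the call must stay if the locals change. The call sits before the `capable(CAP_NET_ADMIN)` check, so it also runs for callers that are then rejected; that looks harmless but is worth stating.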
79191@@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
79192 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
79193
79194 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
79195- atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
79196+ atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
79197 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
79198 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
79199 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
79200diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_sync.c
79201--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_sync.c 2011-11-08 19:02:43.000000000 -0500
79202+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_sync.c 2011-11-15 19:59:43.000000000 -0500
79203@@ -438,7 +438,7 @@ static void ip_vs_process_message(const
79204
79205 if (opt)
79206 memcpy(&cp->in_seq, opt, sizeof(*opt));
79207- atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
79208+ atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
79209 cp->state = state;
79210 cp->old_state = cp->state;
79211 /*
79212diff -urNp linux-2.6.32.48/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.48/net/netfilter/ipvs/ip_vs_xmit.c
79213--- linux-2.6.32.48/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-08 19:02:43.000000000 -0500
79214+++ linux-2.6.32.48/net/netfilter/ipvs/ip_vs_xmit.c 2011-11-15 19:59:43.000000000 -0500
79215@@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
79216 else
79217 rc = NF_ACCEPT;
79218 /* do not touch skb anymore */
79219- atomic_inc(&cp->in_pkts);
79220+ atomic_inc_unchecked(&cp->in_pkts);
79221 goto out;
79222 }
79223
79224@@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
79225 else
79226 rc = NF_ACCEPT;
79227 /* do not touch skb anymore */
79228- atomic_inc(&cp->in_pkts);
79229+ atomic_inc_unchecked(&cp->in_pkts);
79230 goto out;
79231 }
79232
79233diff -urNp linux-2.6.32.48/net/netfilter/Kconfig linux-2.6.32.48/net/netfilter/Kconfig
79234--- linux-2.6.32.48/net/netfilter/Kconfig 2011-11-08 19:02:43.000000000 -0500
79235+++ linux-2.6.32.48/net/netfilter/Kconfig 2011-11-15 19:59:43.000000000 -0500
79236@@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
79237
79238 To compile it as a module, choose M here. If unsure, say N.
79239
79240+config NETFILTER_XT_MATCH_GRADM
79241+ tristate '"gradm" match support'
79242+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
79243+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
79244+ ---help---
79245+ The gradm match allows to match on grsecurity RBAC being enabled.
79246+ It is useful when iptables rules are applied early on bootup to
79247+ prevent connections to the machine (except from a trusted host)
79248+ while the RBAC system is disabled.
79249+
79250 config NETFILTER_XT_MATCH_HASHLIMIT
79251 tristate '"hashlimit" match support'
79252 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
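Review bot: The new help text for NETFILTER_XT_MATCH_GRADM omits the closing guidance that the entry just above carries (`To compile it as a module, choose M here. If unsure, say N.`), although the option is a `tristate`. The first sentence also reads awkwardly; `The gradm match lets a rule test whether the grsecurity RBAC system is enabled.` says the same thing. Since the text presents these rules as a boot-time safeguard, it may be worth adding that they only help if loaded before any network service starts listening.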
79253diff -urNp linux-2.6.32.48/net/netfilter/Makefile linux-2.6.32.48/net/netfilter/Makefile
79254--- linux-2.6.32.48/net/netfilter/Makefile 2011-11-08 19:02:43.000000000 -0500
79255+++ linux-2.6.32.48/net/netfilter/Makefile 2011-11-15 19:59:43.000000000 -0500
79256@@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
79257 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
79258 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
79259 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
79260+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
79261 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
79262 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
79263 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
79264diff -urNp linux-2.6.32.48/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.48/net/netfilter/nf_conntrack_netlink.c
79265--- linux-2.6.32.48/net/netfilter/nf_conntrack_netlink.c 2011-11-08 19:02:43.000000000 -0500
79266+++ linux-2.6.32.48/net/netfilter/nf_conntrack_netlink.c 2011-11-15 19:59:43.000000000 -0500
79267@@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
79268 static int
79269 ctnetlink_parse_tuple(const struct nlattr * const cda[],
79270 struct nf_conntrack_tuple *tuple,
79271- enum ctattr_tuple type, u_int8_t l3num)
79272+ enum ctattr_type type, u_int8_t l3num)
79273 {
79274 struct nlattr *tb[CTA_TUPLE_MAX+1];
79275 int err;
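Review bot: `ctnetlink_parse_tuple()` now takes `enum ctattr_type type`, while the declaration just below it, `struct nlattr *tb[CTA_TUPLE_MAX+1];`, is sized by a constant from the nested tuple attribute space, so two attribute enums meet in one function with nothing to tell them apart. A comment on the parameter would help, e.g. `/* type: top-level CTA_* attribute in cda[] that holds the tuple; tb[] is indexed by the nested CTA_TUPLE_* attributes */`. The body that uses `type` is outside this hunk, so the wording should be checked against it.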
79276diff -urNp linux-2.6.32.48/net/netfilter/nfnetlink_log.c linux-2.6.32.48/net/netfilter/nfnetlink_log.c
79277--- linux-2.6.32.48/net/netfilter/nfnetlink_log.c 2011-11-08 19:02:43.000000000 -0500
79278+++ linux-2.6.32.48/net/netfilter/nfnetlink_log.c 2011-11-15 19:59:43.000000000 -0500
79279@@ -68,7 +68,7 @@ struct nfulnl_instance {
79280 };
79281
79282 static DEFINE_RWLOCK(instances_lock);
79283-static atomic_t global_seq;
79284+static atomic_unchecked_t global_seq;
79285
79286 #define INSTANCE_BUCKETS 16
79287 static struct hlist_head instance_table[INSTANCE_BUCKETS];
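Review bot: The declaration `static atomic_unchecked_t global_seq;` gives no reason for being exempt from overflow checking; a comment such as `/* global log sequence number: expected to wrap */` would record that the exemption is deliberate. The matching `atomic_inc_return_unchecked(&global_seq)` in __build_packet_message() (next hunk) passes the value through `htonl()` into `NFULA_SEQ_GLOBAL`, so the wrap is visible to userspace listeners. It would help to say in the same comment that consumers should treat the field as a modular counter.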
79288@@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
79289 /* global sequence number */
79290 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
79291 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
79292- htonl(atomic_inc_return(&global_seq)));
79293+ htonl(atomic_inc_return_unchecked(&global_seq)));
79294
79295 if (data_len) {
79296 struct nlattr *nla;
79297diff -urNp linux-2.6.32.48/net/netfilter/xt_gradm.c linux-2.6.32.48/net/netfilter/xt_gradm.c
79298--- linux-2.6.32.48/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
79299+++ linux-2.6.32.48/net/netfilter/xt_gradm.c 2011-11-15 19:59:43.000000000 -0500
79300@@ -0,0 +1,51 @@
79301+/*
79302+ * gradm match for netfilter
79303